On Monday 21 June 2010, at 08:47:07, Jean-Michel Pouré - GOOZE wrote:
> On Sat, 2010-06-19 at 19:06 +0200, Andreas Jellinghaus wrote:
> > google "pkcs11-spy" and the first hit is:
> > http://www.opensc-project.org/opensc/wiki/UsingOpensc
>
> Thanks, I updated the doc with examples.
> Now, I try to reproduce with ssh-add:
>
> PKCS11SPY=/usr/lib/pkcs11/opensc-pkcs11.so \
> PKCS11SPY_OUTPUT=/tmp/pkcs-spy.log \
> ssh-add -s /usr/lib/pkcs11-spy.so
>
> Enter passphrase for PKCS#11:
> SSH_AGENT_FAILURE
> Could not add card: /usr/lib/pkcs11-spy.so
>
> There is no log in /tmp/pkcs-spy.log
ssh is complex, so this won't work. Try that instead:

PKCS11SPY=/usr/lib/pkcs11/opensc-pkcs11.so \
PKCS11SPY_OUTPUT=/tmp/pkcs-spy.log \
ssh-agent bash

and inside that bash:

ssh-add -s /usr/lib/pkcs11-spy.so

because I guess that ssh-add tells ssh-agent "hey, the user requested you open the pkcs#11 module with path ... and use it", but the ssh-agent does the actual loading of the module and using it.

If you try ssh directly without the agent, of course this should work:

PKCS11SPY=/usr/lib/pkcs11/opensc-pkcs11.so \
PKCS11SPY_OUTPUT=/tmp/pkcs-spy.log \
ssh u...@machine -o smartcard=/usr/lib/pkcs11-spy.so

Note: I don't know what the real option you need to give to ssh is, but you get the idea.

And always remember: if you start setuid or setgid applications, the kernel (or ld.so?) will remove some environment variables. Also, some applications clean the environment variables when they are started, so you can't use malicious environment variables with them. Typical example: you can't run

PKCS11SPY=/usr/lib/pkcs11/opensc-pkcs11.so \
PKCS11SPY_OUTPUT=/tmp/pkcs-spy.log \
login

with pkcs11-spy.so configured as a PAM module; that won't work. Well, it might work if you are root, and maybe login also need not be setuid/setgid. But you get the idea: important apps like su, login, sudo and friends clean up the environment before they start (or the kernel or ld does that for them).

I hope this helps?

Regards, Andreas

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
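The procedure in the reply above, as an added example that is not code from the thread or from the OpenSC project: a small POSIX sh script that exports the PKCS11SPY variables into the process that really loads the module (ssh-agent, started from the same shell), runs ssh-add against the spy module, and then checks that the spy wrote its log. Two helper functions also show the environment caveat from the reply: a child started from this shell inherits the variables, while a child started with a scrubbed environment (here simulated with `env -i`, standing in for a program that clears its environment) does not. The module and log paths are assumptions copied from the thread's example and may differ on your distribution.

```shell
#!/bin/sh
# Added example, not from the original thread. Drives pkcs11-spy through
# ssh-agent: the agent, not ssh-add, dlopen()s the PKCS#11 module, so the
# PKCS11SPY variables must be present in the agent's environment.
# Paths are assumptions taken from the thread; adjust for your distribution.

SPY_MODULE="${SPY_MODULE:-/usr/lib/pkcs11-spy.so}"
REAL_MODULE="${REAL_MODULE:-/usr/lib/pkcs11/opensc-pkcs11.so}"
SPY_LOG="${SPY_LOG:-/tmp/pkcs-spy.log}"

# spy_env_reaches_child: returns 0 if a child started from this shell with
# the PKCS11SPY assignments can see them (the ssh-agent case).
spy_env_reaches_child() {
  PKCS11SPY="$REAL_MODULE" PKCS11SPY_OUTPUT="$SPY_LOG" \
    sh -c '[ -n "$PKCS11SPY" ] && [ -n "$PKCS11SPY_OUTPUT" ]'
}

# scrubbed_child_sees_spy: simulates a program that clears its environment
# on start (env -i stands in for login/su/sudo or the loader dropping the
# variables for setuid binaries). Returns 1: the spy never gets configured,
# which is why the PAM/login variant in the thread produces no log.
scrubbed_child_sees_spy() {
  PKCS11SPY="$REAL_MODULE" PKCS11SPY_OUTPUT="$SPY_LOG" \
    env -i sh -c '[ -n "$PKCS11SPY" ]'
}

# spy_ssh_add SPY REAL LOG: start an agent with the spy variables exported,
# load SPY into it via ssh-add (you will be asked for the card PIN), stop
# the agent, and report whether the spy log was written.
# Exit codes: 0 log written, 1 ssh-add failed or log empty,
#             2 a module file is missing, 3 ssh-agent not available.
spy_ssh_add() {
  spy="$1"; real="$2"; log="$3"
  [ -f "$spy" ] && [ -f "$real" ] || return 2
  command -v ssh-agent >/dev/null 2>&1 || return 3
  rm -f "$log"
  (
    # Export in a subshell so the agent inherits the variables and the
    # caller's environment stays clean afterwards.
    export PKCS11SPY="$real" PKCS11SPY_OUTPUT="$log"
    eval "$(ssh-agent -s)" >/dev/null || exit 3
    ssh-add -s "$spy"
    rc=$?
    ssh-agent -k >/dev/null 2>&1
    exit "$rc"
  ) || return 1
  [ -s "$log" ]
}

# Run the real procedure only when invoked as: sh spy-ssh-add.sh run
if [ "${1:-}" = run ]; then
  spy_ssh_add "$SPY_MODULE" "$REAL_MODULE" "$SPY_LOG"
  rc=$?
  case $rc in
    0) echo "spy log written to $SPY_LOG" ;;
    1) echo "ssh-add failed or spy log is empty" ;;
    2) echo "module not found: check SPY_MODULE / REAL_MODULE" ;;
    3) echo "ssh-agent not available" ;;
  esac
  exit "$rc"
fi
```

Run it with `sh spy-ssh-add.sh run` (or set `SPY_MODULE`, `REAL_MODULE` and `SPY_LOG` first). If the log stays empty while ssh-add reports `SSH_AGENT_FAILURE`, the spy was never loaded; the usual causes are a wrong path in `SPY_MODULE` or an agent that was started earlier without the variables, which is exactly the failure mode in the first message of the thread.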