/usr/lib/ssh-keychain.dylib doesn't function for use as PKCS11 provider to SSH for NON ADMIN USERS!

Originator: mycroft
Number: rdar://33218197    Date Originated: 7/10/2017
Status: Open    Resolved:
Product: macOS + SDK    Product Version: 10.12.5
Classification:    Reproducible: Everywhere
 
Area:
Something not on this list

Summary:
Attempting to use the above dylib as a PKCS11 provider stopped working as of 10.12.4. 

You used to be able to perform the following operations:
1. $ ssh-keygen -D /usr/lib/ssh-keychain.dylib
2. $ ssh-add -s /usr/lib/ssh-keychain.dylib
3. $ ssh -I /usr/lib/ssh-keychain.dylib $host

In case 1 this works: the public key is read and displayed.

In case 2 you can add the public key as an identity to the ssh-agent. However, when you then attempt to use that identity, the connection fails at:

debug2: input_userauth_pk_ok: fp SHA256:[REDACTED]
debug3: sign_and_send_pubkey: RSA SHA256:[REDACTED]
debug3: send packet: type 50
Authentication failed.

And the action for the third scenario just fails outright.

I've attempted this using a Yubikey Neo, Yubikey Nano and Nitrokey HSM.  All appear to fail similarly.
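The debug lines quoted above pin the failure to a specific phase: the server has already accepted the offered key (input_userauth_pk_ok), and the attempt dies while the client asks the PKCS11 provider to sign the challenge (sign_and_send_pubkey). A small helper that classifies an `ssh -vvv` transcript by that phase saves re-reading the log by hand when testing tokens. This is an added example, not part of the radar or of OpenSSH; the sample transcript is constructed from the lines quoted in the report plus OpenSSH's normal success line, and the classification names are this script's own:

```shell
#!/bin/sh
# Added example (not from the radar): classify where an `ssh -vvv`
# public-key attempt stopped, reading the debug output from stdin.
# Prints exactly one of:
#   success                  - "Authentication succeeded (publickey)" seen
#   sign_failed_after_pk_ok  - server accepted the key (pk_ok), then the
#                              client-side signature step failed; look at the
#                              PKCS11 provider / token, not the server
#   key_rejected             - server never accepted the offered key
#   unknown                  - none of the above markers present
classify_pubkey_attempt() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Authentication succeeded (publickey)'; then
        echo success
    elif printf '%s\n' "$log" | grep -q 'input_userauth_pk_ok' \
      && printf '%s\n' "$log" | grep -q 'sign_and_send_pubkey'; then
        echo sign_failed_after_pk_ok
    elif printf '%s\n' "$log" | grep -q 'Authentication failed'; then
        echo key_rejected
    else
        echo unknown
    fi
}

# Constructed sample transcript, assembled from the lines quoted in the report.
SAMPLE_LOG='debug2: input_userauth_pk_ok: fp SHA256:REDACTED
debug3: sign_and_send_pubkey: RSA SHA256:REDACTED
debug3: send packet: type 50
Authentication failed.'

# Stand-alone run: prints sign_failed_after_pk_ok for the sample above.
printf '%s\n' "$SAMPLE_LOG" | classify_pubkey_attempt
```

Feed it a real transcript with `ssh -vvv -I /usr/lib/ssh-keychain.dylib host 2>&1 | classify_pubkey_attempt`. A result of sign_failed_after_pk_ok means the server-side authorized_keys entry is fine and the problem lies between ssh and the token: the provider, the agent, or the card's PIN/session state.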

Steps to Reproduce:
You used to be able to perform the following operations:
1. $ ssh-keygen -D /usr/lib/ssh-keychain.dylib
2. $ ssh-add -s /usr/lib/ssh-keychain.dylib
3. $ ssh -I /usr/lib/ssh-keychain.dylib $host

Expected Results:
1. Should return the keys that are accessible through the PKCS11 provider.
2. Should add the public key as an identity to the ssh-agent.
3. Should use the PKCS11 (shared object) provider directly to query the identity.

Observed Results:
1. Succeeds.
2. Succeeds, but subsequent attempts to SSH (which uses the ssh-agent to pull the identity) fail at the signing operation.
3. Fails outright.

Version:
10.12.5 (16F73)

Notes:
Would love to speak to someone regarding plans re: pkcs11 and piv on MacOS.  

Configuration:
So far reproducible on all hardware specs tested.
