macOS 11 Big Sur breaks ssh-add -s /usr/lib/ssh-keychain.dylib

I am trying to add my smart card PIV cert to ssh-agent.

In macOS 10.15 Catalina, it was as simple as:

    ssh-add -s /usr/lib/ssh-keychain.dylib

But in macOS 11.1 Big Sur, the ssh-agent debug output says:

    failed PKCS#11 add of "/usr/lib/ssh-keychain.dylib": realpath: No such file or directory

I am aware that macOS 11 caches system libraries ... but I believe that /usr/lib/ssh-keychain.dylib is in the cache.

Any help would be greatly appreciated!

Replies

I, too, am experiencing keychain breakage, since I have just upgraded my Mac from Mojave to Big Sur. When I attempt to execute the same simple command:

    ssh-add -s /usr/lib/ssh-keychain.dylib

I get the following error after inputting my PIN:

    Could not add card "/usr/lib/ssh-keychain.dylib": agent refused operation

After doing some digging, I noticed that the ssh-keychain.dylib file is no longer within the /usr/lib path. Is this to be expected with Big Sur?

Any and all assistance would be greatly appreciated.


The new path may be: /usr/local/lib/pkcs11/cackey.dylib

Note: While the above allowed me to add the card with my PIN, it added 41 identities, so no matter what I tried to SSH to, it failed too many times. So maybe that is not the correct new path.

I ended up going here: https://github.com/kenh/keychain-pkcs11/releases

I downloaded the old keychain library, used that instead, and it worked great.

Still broken in 11.2.1 ... :(
Apple, can you answer this question as we need this functionality at the command prompt level in our federal government for some system integrations and testing. Thanks.

Apple, can you answer this question

DevForums is not an official Apple support channel. Moreover, its focus is on code-level questions, and there’s no third-party code involved here. My advice:
  • Regardless of what else you do, file a bug report about this. Please post your bug number, just for the record.

  • If you want to discuss this with your peers, bounce on over to Apple Support Communities.

  • If you want formal support from Apple, talk to Apple Support. While I’m not familiar with all of their programmes and policies, my understanding is that they do have paid-for support options that cover this sort of thing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I filed FB8965034 for this on Jan 8th.
Still broken in 11.2.3 ...

However, Apple tells me that the bug has been identified and corrected ... and will be fixed within the next OS update or two ...
Thanks for the update @jrnphd. Like everyone, I was sure hoping that this issue would be addressed via 11.2.3. Extremely disappointing that it didn't.
Fixed in 11.4

Hello, I updated to macOS Big Sur 11.4 and I can't access anything with my ssh public key anymore.

Instead I get back:

    Permission denied (publickey).

This happened to me today.

Anything about that?

Use Apple's macOS default ssh-add command. The ssh-add installed by MacPorts, Homebrew, etc. does not work.

% which ssh-add
/usr/local/bin/ssh-add

% ssh-add -K ~/.ssh/id_*******
Enter PIN for authenticator:
Provider "internal" returned failure -1
Unable to load resident keys: invalid format

% where ssh-add
/usr/local/bin/ssh-add
/usr/bin/ssh-add

% /usr/bin/ssh-add -K ~/.ssh/id_*******
Enter passphrase for /Users/*******/.ssh/id_*******:
Identity added: /Users/*******/.ssh/id_******* (user@email.com)
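The three pitfalls reported in this thread (a provider path ssh-agent cannot resolve, a third-party ssh-add shadowing Apple's /usr/bin/ssh-add, and a provider that loads so many identities that servers refuse the login) can be checked before the card is loaded. The following preflight script is an added example, not code from the thread or from Apple; it assumes OpenSSH's default MaxAuthTries of 6 and the `ssh-add -l` output format.

```shell
#!/bin/sh
# Added preflight helper (not from the thread). Checks the three things that
# went wrong in the posts above before handing a PKCS#11 provider to ssh-agent:
#  1. the provider path must resolve to a real file (ssh-agent calls realpath()
#     on it and otherwise reports "realpath: No such file or directory");
#  2. Apple's /usr/bin/ssh-add must be used, not a Homebrew/MacPorts copy;
#  3. the provider should not load so many identities that servers refuse the
#     login (OpenSSH's default MaxAuthTries is 6; every offered key counts).

# Prefer the system ssh-add even when another one is first on PATH.
system_ssh_add() {
    if [ -x /usr/bin/ssh-add ]; then
        printf '%s\n' /usr/bin/ssh-add
    else
        command -v ssh-add
    fi
}

# True when the provider path names an existing, readable regular file.
provider_ok() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ]
}

# Count identities in `ssh-add -l` output read from stdin. Each key prints as
# "<bits> SHA256:<fp> <comment> (<type>)"; "The agent has no identities." is 0.
count_identities() {
    grep -c -E '^[0-9]+ (SHA256|MD5):' || true
}

# True when the loaded-identity count fits under the default MaxAuthTries (assumed 6).
identity_count_ok() {
    [ "$1" -le 6 ]
}

# Run the checks, then load the provider (default: the path from the thread).
preflight_main() {
    provider=${1:-/usr/lib/ssh-keychain.dylib}
    ssh_add=$(system_ssh_add) || { echo "ssh-add not found" >&2; return 1; }
    if ! provider_ok "$provider"; then
        echo "provider path does not resolve: $provider" >&2; return 1
    fi
    "$ssh_add" -s "$provider" || return 1
    n=$("$ssh_add" -l | count_identities)
    if ! identity_count_ok "$n"; then
        echo "warning: $n identities loaded; servers may fail with too many" \
             "authentication attempts; consider IdentitiesOnly=yes in ssh_config" >&2
    fi
}
```

Source the file and call `preflight_main /usr/lib/ssh-keychain.dylib`; the PIN prompt still comes from ssh-add itself.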

It appears that /usr/lib/ssh-keychain.dylib is now present and working in 11.6.

  • Now with Monterey 12.2.1 I'm getting:

    $ ssh-add -s /usr/lib/ssh-keychain.dylib
    Enter passphrase for PKCS#11:
    Could not add card "/usr/lib/ssh-keychain.dylib": agent refused operation
    $ ls -l /usr/lib/ssh-keychain.dylib
    -rwxr-xr-x 1 root wheel 284784 Feb 6 14:22 /usr/lib/ssh-keychain.dylib
  • Never mind - operator error.
