macOS - libykpiv.2.dylib failing to load after upgrade to Ventura 13.1 (22C65)
chtzvt opened this issue · 2 comments
As of the most recent macOS update (to Ventura 13.1 (22C65)), I've experienced the following issue with libykcs11 being loaded by openssh:
charlton@phainopepla ~/Documents $ git clone git@github.com:TampaDevs/jobsyn.git
Cloning into 'jobsyn'...
dlopen /usr/local/lib/libykcs11.2.3.0.dylib failed: dlopen(/usr/local/lib/libykcs11.2.3.0.dylib, 0x0002): Library not loaded: @rpath/libykpiv.2.dylib
Referenced from: <9DC8FEC9-CE74-3412-9D9D-565EB06DC85E> /usr/local/lib/libykcs11.2.3.0.dylib
Reason: tried: '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS@rpath/libykpiv.2.dylib' (no such file), '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file),
Load key "/Users/charlton/.ssh/id_yk5n_024.pub": invalid format
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
This behavior is consistent across both of my machines with the same configuration present:
$ cat ~/.ssh/config
Host *
IgnoreUnknown UseKeychain
UseKeychain yes
AddKeysToAgent yes
# PKCS11Provider /usr/lib/x86_64-linux-gnu/libykcs11.so
PKCS11Provider /usr/local/lib/libykcs11.2.3.0.dylib
PKCS11Provider /usr/lib/ssh-keychain.dylib
IdentitiesOnly yes
IdentityFile /Users/charlton/.ssh/id_yk5n_024.pub
ForwardAgent no
ForwardX11 no
The issue appears to be related to the version of libykpiv.2.dylib provided by this library. On both of my systems, only version 2.3.1 of libykcs11 is present in /opt/homebrew/Cellar/yubico-piv-tool/, even after reinstalling yubikey-agent and yubico-piv-tool with brew.
I temporarily resolved the issue by creating a symlink from 2.3.1 to 2.3.0:
ln -s /opt/homebrew/Cellar/yubico-piv-tool/2.3.1 /opt/homebrew/Cellar/yubico-piv-tool/2.3.0
Why not point out the newer version in your .ssh/config?
Closing this issue with a bit of background:
Until a recent update to openssh on macOS, ssh-agent would reject any configuration where dylibs would load from non-whitelisted directories. This was one of the issues underlying #387, and the reason I ended up copying libykcs11 to /usr/local/lib in the first place.
Apparently, it's now possible to load /opt/homebrew/lib/libykcs11.dylib directly as a PKCS11Provider in my ~/.ssh/config, so this is no longer a problem.
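A check for the failure mode in this thread, as an added example that is not part of the issue or of the project's code: it lists each active PKCS11Provider in an ssh config and flags paths that are missing or pinned to a version, like the 2.3.0 paths above. The function names, the regex and the scratch-directory sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the issue thread. Paths with spaces and the
# "Keyword=value" config syntax are not handled (simplifying assumption).

# A path is "pinned" if it names a Homebrew Cellar version directory or a
# library file carrying a full x.y.z version, as in the failing setup above.
PINNED_RE='/Cellar/[^/]+/[0-9][^/]*/|\.[0-9]+\.[0-9]+\.[0-9]+\.dylib$'

# audit_pkcs11_providers CONFIG
# Prints "<VERDICT> <path>" for every active (uncommented) PKCS11Provider line:
#   MISSING  file does not exist, so ssh cannot dlopen it
#   PINNED   file exists but the path embeds a version that an upgrade removes
#   OK       file exists and the path is version-independent
# Returns 1 if anything is MISSING or PINNED, otherwise 0.
audit_pkcs11_providers() {
    config=$1; rc=0
    for lib in $(awk 'tolower($1) == "pkcs11provider" { print $2 }' "$config"); do
        if [ ! -e "$lib" ]; then
            verdict=MISSING; rc=1
        elif printf '%s\n' "$lib" | grep -Eq "$PINNED_RE"; then
            verdict=PINNED; rc=1
        else
            verdict=OK
        fi
        printf '%s %s\n' "$verdict" "$lib"
    done
    return "$rc"
}

# Constructed sample: a scratch tree that mimics the machine in the issue after
# the brew upgrade (2.3.0 copy in usr/local/lib, no Cellar/2.3.0 directory).
run_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/lib" "$d/usr/lib"
    : > "$d/usr/local/lib/libykcs11.2.3.0.dylib"
    : > "$d/usr/lib/ssh-keychain.dylib"
    cat > "$d/config" <<EOF
Host *
  # PKCS11Provider /usr/lib/x86_64-linux-gnu/libykcs11.so
  PKCS11Provider $d/usr/local/lib/libykcs11.2.3.0.dylib
  PKCS11Provider $d/usr/lib/ssh-keychain.dylib
  pkcs11provider $d/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykcs11.dylib
EOF
    audit_pkcs11_providers "$d/config" || true
    rm -rf "$d"
}

run_demo
```

On a real machine, call `audit_pkcs11_providers ~/.ssh/config` after each `brew upgrade`; a non-zero exit means at least one provider path needs attention.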