The smart card cannot peform the requested operation or the operation requires a different smart card #65
Comments
Incredible software by the way. I have struggled over the years with windows, ssh-agent and wsl and this is the first solution that JUST WORKS!!!!
Yeah, I have the same issue here (and the same compliments as @dniasoff )
Sorry for the delay in responding.
I am trying to reproduce the issue but so far I haven't been able to.
Not using SSH much right now. Beforehand this issue bothered me 10 times a
day.
On Fri, 21 Jan 2022 at 19:14, Jan-Stefan Janetzky ***@***.***> wrote:
do you also get this when executing certutil.exe -scinfo?
For some reason, the issue hasn't happened the last couple of days
But this is what I see when I run the above command
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = c5cebbe6-d351-5d07-1043-66af425fc105
Serial Number: 69cf2c183e230992349829ee7ecf97106f8403b9
Issuer: ***@***.***_desktop
NotBefore: 07/11/2021 15:00
NotAfter: 20/10/2023 15:00
Subject: ***@***.***_desktop
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): cea5b5882977a03c3e44a86ff420b1edac59c118
Performing public key matching test...
Public key matching test succeeded
Key Container = c5cebbe6-d351-5d07-1043-66af425fc105
Provider = Microsoft Smart Card Key Storage Provider
ProviderType = 0
Flags = 1
0x1 (1)
KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
Issuer: ***@***.***_desktop
NotBefore: 07/11/2021 15:00
NotAfter: 20/10/2023 15:00
Subject: ***@***.***_desktop
Serial: 69cf2c183e230992349829ee7ecf97106f8403b9
Cert: cea5b5882977a03c3e44a86ff420b1edac59c118
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
Exclude leaf cert:
Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
Chain: cea5b5882977a03c3e44a86ff420b1edac59c118
Issuer: ***@***.***_desktop
NotBefore: 07/11/2021 15:00
NotAfter: 20/10/2023 15:00
Subject: ***@***.***_desktop
Serial: 69cf2c183e230992349829ee7ecf97106f8403b9
Cert: cea5b5882977a03c3e44a86ff420b1edac59c118
A certificate chain processed, but terminated in a root certificate which
is not trusted by the trust provider. 0x800b0109 (-2146762487
CERT_E_UNTRUSTEDROOT)
------------------------------------
Verifies against UNTRUSTED root
Displayed cert for reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
Thanks
Daniel
This is my output from the above command
And I am getting the issue a lot now. The command pops up a prompt to view certificate like below and that's when I get the error
Yep. Annoying. I've moved to using a normal cert with classic passphrase until this issue is resolved.
@buptczq Any chance you can address this? It is getting to be a real pain. Perhaps some way of selecting the card to present to windows instead of allowing it to see all certs/cards? Would really appreciate it and it would improve my efficiency and quality of life dramatically. Happy to help in any way I can but I don't write in Go currently
I have the same issue and would also appreciate a creative solution. Would unloading certain keys be an option? WinSCP won't connect with more than one certificate available. Unfortunately it checks the incorrect ones first and stops connecting.
I have found a workaround for my problem. Certificates are created when you RDP into a machine so that you can use a smartcard over RDP remotely, and when you disconnect, the certificate remains in the user's personal store, which confuses Wincrypt. Removing that certificate manually prevents the pop-up. Also, Windows Hello for Business supports smart-card enumeration, which also confuses WinCrypt. Disabling Windows Hello smart card enumeration should resolve this: Computer Configuration/Administrative Templates/Windows Components/Windows Hello for Business. I found that in one case that wasn't enough and I also had to disable the specific cert in Users/Personal store (later on the cert disappeared so it might just take time)
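The workaround above can be checked before anything is removed. The PowerShell script below is an added example, not code from the WinCryptSSHAgent project or from anyone in this thread. It lists the certificates in the current user's Personal store that match the pattern visible in the certutil -scinfo output earlier in the thread (subject equal to issuer, chain terminating in an untrusted root, as in CERT_E_UNTRUSTEDROOT) and removes them only when -Remove is given, with -WhatIf and -Confirm honoured. Which certificates WinCrypt actually enumerates is not stated in the thread, so the Smart Card Logon EKU is reported for review rather than used as a filter, and the script deliberately does not touch the Windows Hello for Business policy, whose exact setting name the thread does not give.

```powershell
# Added example: find self-issued certificates in the current user's Personal
# store whose chain does not build to a trusted root, i.e. the pattern seen in
# the certutil -scinfo output in this thread. Not project code.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Only remove when explicitly requested; default is report-only.
    [switch]$Remove
)

$store = 'Cert:\CurrentUser\My'

# Smart Card Logon enhanced key usage OID (Microsoft-defined).
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

# Subject == Issuer mirrors certutil's "Root Certificate: Subject matches Issuer";
# Verify() returning $false mirrors "Verifies against UNTRUSTED root".
$suspects = Get-ChildItem -Path $store | Where-Object {
    $_.Subject -eq $_.Issuer -and -not $_.Verify()
}

if (-not $suspects) {
    Write-Host "No self-issued, untrusted certificates found in $store."
    return
}

foreach ($cert in $suspects) {
    # EnhancedKeyUsageList is supplied by the Cert: provider for store items.
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $ekuNames = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        SmartCardLogon = ($ekuOids -contains $smartCardLogonOid)
        EKU            = $ekuNames
    } | Format-List

    if ($Remove -and $PSCmdlet.ShouldProcess($cert.Thumbprint, "Remove from $store")) {
        Remove-Item -Path (Join-Path -Path $store -ChildPath $cert.Thumbprint)
    }
}
```

Run it first without -Remove to see what would be affected, then with `-Remove -WhatIf` to preview the deletions, and only then with `-Remove`. The file name is yours to choose; nothing in the script depends on it. If a removed certificate reappears after the next RDP session, as the later comment in this thread reports, the store clean-up is treating the symptom and the enumeration policy is the place to look.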
This is probably similar to #12
But when I try to log in, I typically have to click OK on a few popups containing the above message before WinCryptSSHAgent will present the correct key.
I keep deleting the invalid certs from my user certificate store but they magically reappear???