
The smart card cannot perform the requested operation or the operation requires a different smart card #65

Open
dniasoff opened this issue Dec 15, 2021 · 11 comments

Comments

@dniasoff

This is probably similar to #12

But when I try to login, I typically have to click ok on a few popups containing the above message before WinCryptSSHAgent will present the correct key.

I keep deleting the invalid certs from my user certificate store but they magically reappear???


@dniasoff
Author

Incredible software by the way. I have struggled over the years with windows, ssh-agent and wsl and this is the first solution that JUST WORKS!!!!

@DKhalil

DKhalil commented Jan 4, 2022

Yeah, I have the same issue here (and the same compliments as @dniasoff).

@GottZ

GottZ commented Jan 21, 2022

Do you also get this when executing certutil.exe -scinfo?
I do.

Judging from your screenshot you are on Windows 11, as am I.


@dniasoff
Author

dniasoff commented Jan 25, 2022 via email

@dniasoff
Author

dniasoff commented Jan 26, 2022 via email

@dniasoff
Author

dniasoff commented Feb 17, 2022

This is my output from the above command:

C:\Users\daniel>certutil.exe -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = XXXXXXXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXXXXXXXXXXXX
Issuer:  XXXXXXXXXXXXXXXXXXXXX
 NotBefore: 07/11/2021 15:00
 NotAfter: 20/10/2023 15:00
Subject: XXXXXXXXXXXXXXXXXXXXX
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): XXXXXXXXXXXXXXXXXXXXX

Performing  public key matching test...
Public key matching test succeeded
  Key Container = XXXXXXXXXXXXXXXXXXXXX
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
    0x1 (1)
  KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: XXXXXXXXXXXXXXXXXXXXX
Full chain:
  Chain: XXXXXXXXXXXXXXXXXXXXX
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
------------------------------------
Verifies against UNTRUSTED root
Displayed  cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

And I am getting the issue a lot now. The command pops up a prompt to view the certificate, like below, and that's when I get the error: CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET) CertUtil: Keyset does not exist


@dniasoff
Author

Getting it every time I use it and would love a fix pleeeeeease.

This is what I see on certinfo:

@GottZ

GottZ commented Apr 16, 2022

Yep. Annoying. I've moved to using a normal cert with a classic passphrase until this issue is resolved.
My YubiKey works fine on Linux using this method.

@dniasoff
Author

@buptczq Any chance you can address this? It is getting a real pain. Perhaps some way of selecting the card to present to Windows instead of allowing it to see all certs/cards? Would really appreciate it and it would improve my efficiency and quality of life dramatically.

Happy to help in any way I can, but I don't write in Go currently.

@michaelfm

michaelfm commented May 23, 2022

I have the same issue and would also appreciate a creative solution. Would unloading certain keys be an option? WinSCP won't connect with more than one certificate available. Unfortunately it checks the incorrect ones first and stops connecting.

@dniasoff
Author

I have found a workaround for my problem. Certificates are created when you RDP into a machine so that you can use a smart card over RDP remotely, and when you disconnect, the certificate remains in the user's Personal store, which confuses WinCrypt. Removing that certificate manually prevents the pop-up.

Also, Windows Hello for Business supports smart-card enumeration, which also confuses WinCrypt. Disabling Windows Hello smart card enumeration should resolve this.


Computer Configuration/Administrative Templates/Windows Components/Windows Hello for Business.

I found that in one case that wasn't enough and I also had to remove the specific cert from the Users/Personal store (later on the cert disappeared, so it might just take time).
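As an added triage example for the workaround above (not code from this thread or from WinCryptSSHAgent), the PowerShell below inventories the current user's Personal store, reporting for each certificate the key storage provider behind its private key, whether it is self-signed and whether it chains to a trusted root (the CERT_TRUST_IS_UNTRUSTED_ROOT condition certutil showed), and then dumps any Windows Hello for Business policy values that are set. The PassportForWork registry path and the <THUMBPRINT> placeholder are assumptions.

```powershell
# Added example; not part of WinCryptSSHAgent. Run in Windows PowerShell 5.1.
function Get-PersonalCertInventory {
    # -NoProvider skips the key lookup, which opens the key handle and can itself
    # trigger the "requires a different smart card" prompt when the card is absent.
    param([switch]$NoProvider)

    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        $provider = 'n/a'
        if (-not $NoProvider -and $cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: e.g. "Microsoft Smart Card Key Storage Provider"
                    $provider = $key.Key.Provider.Provider
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: e.g. "Microsoft Base Smart Card Crypto Provider"
                    $provider = $key.CspKeyContainerInfo.ProviderName
                }
            } catch { $provider = "unavailable: $($_.Exception.Message)" }
        }
        # Verify() builds and validates the chain without touching the private key;
        # a self-signed cert with no trusted root returns $false here.
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            HasKey       = $cert.HasPrivateKey
            Provider     = $provider
            ChainTrusted = $cert.Verify()
        }
    }
}

function Get-WhfbPolicy {
    # Assumed registry location backing the GPO node
    # Computer Configuration/Administrative Templates/Windows Components/Windows Hello for Business.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    if (Test-Path $path) { Get-ItemProperty -Path $path }
    else { 'No Windows Hello for Business policy values are set' }
}

# Untrusted, self-signed smart-card-backed entries sort to the top for review.
Get-PersonalCertInventory | Sort-Object ChainTrusted, SelfSigned | Format-Table -AutoSize
Get-WhfbPolicy

# After confirming which entry is the stale RDP-created certificate, remove it by
# thumbprint. <THUMBPRINT> is a placeholder; drop -WhatIf to actually delete.
# Get-ChildItem Cert:\CurrentUser\My\<THUMBPRINT> | Remove-Item -WhatIf
```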
