Welcome to the VanDyke Software Forums

Join the discussion today!


Go Back   VanDyke Software Forums > General

Reply
 
Thread Tools Display Modes
  #1  
Old 05-30-2020, 12:53 PM
vincococka vincococka is offline
Registered User
 
Join Date: May 2020
Posts: 4
Question PKCS11 dll does not load after restart

Hi all,

I've configured SecureCRT to use PKCS11 libykcs11-1.dll to read Yubikey 5 smartcard. So far so good - authentication works fine.

But - after I close SecureCRT, and run it again it warns me before connecting to the server that libykcs11-1.dll can't be found - even while it is still in the path and permissions are not changed in the meantime.

Do I need to always instruct SecureCRT to load particular PKCS11 DLL when I start the application via Options->Global options->SSH2->Use a certificate from your personal...?
Reply With Quote
  #2  
Old 05-30-2020, 02:42 PM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,322
Hi vincococka,
  • What version of SecureCRT are you using?
  • On what specific OS/platform?
Quote:
I've configured SecureCRT to use PKCS11 libykcs11-1.dll to read Yubikey 5 smartcard. So far so good - authentication works fine.
How did you configure SecureCRT for PKCS11 auth?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #3  
Old 05-31-2020, 03:12 AM
vincococka vincococka is offline
Registered User
 
Join Date: May 2020
Posts: 4
Hello,

I'm using:
- SecureCRT version 8.7.2 x64 build 2214 Official Release 14. May 2020
- Platform: Windows 10 Professional 1809 + update KB4551853 from 12 May 2020

I configured SecureCRT via:
Options -> Global Options -> SSH2 -> "Use a certificate from you personal CAPI sotre or a PKCS #11 provider DLL"
- I've chosen PKCS #11 in ComboBox, picked up DLL in path and tried to select "Certificate to use" via 3dots button.

This worked perfectly fine.
But when I close the application and later start it up, then SecureCRT is not able to use previously configured DLL and I need to repeat DLL selection via Global Option -> SSH2 dialog to make YubiKey smartcard available.
Reply With Quote
  #4  
Old 05-31-2020, 02:16 PM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,322
Hi vincococka,
Quote:
But when I close the application and later start it up, then SecureCRT is not able to use previously configured DLL and I need to repeat DLL selection via Global Option -> SSH2 dialog to make YubiKey smartcard available.
So when this occurs, there is no error?

And when you drill back in to where configured, the configured path to the DLL is missing?

Are you sure you have write permissions to the config folder?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #5  
Old 06-01-2020, 02:31 AM
vincococka vincococka is offline
Registered User
 
Join Date: May 2020
Posts: 4
Hi,

the error occurs after I start SecureCRT (after Windows reboot) and it shows following error (please ignore the path in image, I've played little bit with it).
Then I need to configure path to DLL again (which is in SSH2 dialog predefined because it was correctly red from config file during start), and after I've chosen same DLL in same path it starts to read my YubiKey again upon connection.

Regarding permissions to config files - I think that this is absolutely no problem as I just installed SecureCRT and never touched the folder in AppData\Roaming\VanDyke\Config.
Also files content is changing when I reconfigure something.

I have also tried to turn off realtime protection inside Windows internal antivirus - but no change, same behaviour.

You can simulate it even without having yubikey:
1, install from the site bottom YubiKey PIV TOOL command line from https://www.yubico.com/products/serv...drivers-tools/
2, point SecureCRT via SSH2->PKCS11 to DLL in <YUBIKEY_PIV_INSTALLDIR>\bin\libykcs11-1.dll
3, close the application
4, start application
5, connect to any server via SSH ... and there we are - SecureCRT cant find DLL that previously worked allright without any problem

Greets,
J.
Attached Images
File Type: png securecrt-boot-error-no-dll.png (44.5 KB, 67 views)

Last edited by jdev; 06-01-2020 at 07:12 AM. Reason: Don't use external file sharing sites. Click Manage Attachments, and upload your graphics.
Reply With Quote
  #6  
Old 06-01-2020, 08:33 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,322
Hi vincococka,

Thanks for the clarification.

I have submitted this behavior for investigation by the development team. Should progress be made toward a resolution, or further information be requested, I will post in this thread.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Bug Report - Forum Thread #14196" in the subject line.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #7  
Old 06-01-2020, 11:05 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,322
Hi vincococka,

My manager went through the steps while capturing a Process Monitor log and found that the DLL is attempting to load other DLLs (e.g. libykpiv-1.dll). If the YubiKey Management Tool (non CLI) isn't installed, then this DLL isn't available in the PATH environment variable, and the PKCS #11 DLL cannot find its companion/dependent DLL for loading.

I've turned the bug report into a feature request to be more compatible with this situation, but as a workaround in the meantime, one solution would be to add that folder where the libykpiv-1.dll and libykcs11-1.dll files live to your system PATH environment variable so that the sibling DLL can be found when the PKCS #11 DLL is loaded.

The reason why it works when you browse to the DLL file again, is that action causes SecureCRT's working directory to change, thereby facilitating the YubiKey PKCS#11 DLL's ability to load its companion DLL file (libykpiv-1.dll).
Attached Files
File Type: pdf ProcMon Usage - Gather debug info about a process.pdf (449.8 KB, 19 views)
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #8  
Old 06-02-2020, 09:57 AM
vincococka vincococka is offline
Registered User
 
Join Date: May 2020
Posts: 4
Thanks a lot for help.

Most probably it will be sufficient to append configured PKCS11 dll directory to search list via SetDllDirectory WinAPI.
Reply With Quote
Reply

Tags
pkcs11 , securecrt , yubikey


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -6. The time now is 03:38 PM.