PKCS11 dll does not load after restart

[vincococka]

Hi all,

I've configured SecureCRT to use PKCS11 libykcs11-1.dll to read Yubikey 5 smartcard. So far so good - authentication works fine.

But - after I close SecureCRT, and run it again it warns me before connecting to the server that libykcs11-1.dll can't be found - even while it is still in the path and permissions are not changed in the meantime.

Do I need to always instruct SecureCRT to load particular PKCS11 DLL when I start the application via Options->Global options->SSH2->Use a certificate from your personal...?

[bgagnon]

Hi vincococka,

• What version of SecureCRT are you using?
  
• On what specific OS/platform?

Quote:

I've configured SecureCRT to use PKCS11 libykcs11-1.dll to read Yubikey 5 smartcard. So far so good - authentication works fine.

How did you configure SecureCRT for PKCS11 auth?

[vincococka]

Hello,

I'm using:
- SecureCRT version 8.7.2 x64 build 2214 Official Release 14. May 2020
- Platform: Windows 10 Professional 1809 + update KB4551853 from 12 May 2020

I configured SecureCRT via:
Options -> Global Options -> SSH2 -> "Use a certificate from you personal CAPI sotre or a PKCS #11 provider DLL"
- I've chosen PKCS #11 in ComboBox, picked up DLL in path and tried to select "Certificate to use" via 3dots button.

This worked perfectly fine.
But when I close the application and later start it up, then SecureCRT is not able to use previously configured DLL and I need to repeat DLL selection via Global Option -> SSH2 dialog to make YubiKey smartcard available.

[bgagnon]

Hi vincococka,

Quote:

But when I close the application and later start it up, then SecureCRT is not able to use previously configured DLL and I need to repeat DLL selection via Global Option -> SSH2 dialog to make YubiKey smartcard available.

So when this occurs, there is no error?

And when you drill back in to where configured, the configured path to the DLL is missing?

Are you sure you have write permissions to the config folder?

[vincococka]

Hi,

the error occurs after I start SecureCRT (after Windows reboot) and it shows following error (please ignore the path in image, I've played little bit with it).

Then I need to configure path to DLL again (which is in SSH2 dialog predefined because it was correctly red from config file during start), and after I've chosen same DLL in same path it starts to read my YubiKey again upon connection.

Regarding permissions to config files - I think that this is absolutely no problem as I just installed SecureCRT and never touched the folder in AppData\Roaming\VanDyke\Config.
Also files content is changing when I reconfigure something.

I have also tried to turn off realtime protection inside Windows internal antivirus - but no change, same behaviour.

You can simulate it even without having yubikey:
1, install from the site bottom YubiKey PIV TOOL command line from https://www.yubico.com/products/serv...drivers-tools/
2, point SecureCRT via SSH2->PKCS11 to DLL in <YUBIKEY_PIV_INSTALLDIR>\bin\libykcs11-1.dll
3, close the application
4, start application
5, connect to any server via SSH ... and there we are - SecureCRT cant find DLL that previously worked allright without any problem

Greets,
J.

[bgagnon]

Hi vincococka,

Thanks for the clarification.

I have submitted this behavior for investigation by the development team. Should progress be made toward a resolution, or further information be requested, I will post in this thread.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Bug Report - Forum Thread #14196" in the subject line.

[bgagnon]

Hi vincococka,

My manager went through the steps while capturing a Process Monitor log and found that the DLL is attempting to load other DLLs (e.g. libykpiv-1.dll). If the YubiKey Management Tool (non CLI) isn't installed, then this DLL isn't available in the PATH environment variable, and the PKCS #11 DLL cannot find its companion/dependent DLL for loading.

I've turned the bug report into a feature request to be more compatible with this situation, but as a workaround in the meantime, one solution would be to add that folder where the libykpiv-1.dll and libykcs11-1.dll files live to your system PATH environment variable so that the sibling DLL can be found when the PKCS #11 DLL is loaded.

The reason why it works when you browse to the DLL file again, is that action causes SecureCRT's working directory to change, thereby facilitating the YubiKey PKCS#11 DLL's ability to load its companion DLL file (libykpiv-1.dll).

[vincococka]

Thanks a lot for help.

Most probably it will be sufficient to append configured PKCS11 dll directory to search list via SetDllDirectory WinAPI.

[vincococka]

May I kindly ask you if we have any update on this issue, so user is not forced into Windows PATH variable reconfiguration?

[bgagnon]

Hi vincococka,

It's still an open feature request. Feature requests are typically prioritized based on a number of factors including, but not limited to, the number of requests and the amount of implementation work required.

Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct email notification, send an email to support@vandyke.com and include Feature Request - Forum Thread #14196 in the subject line or use this form from the support page of our website.