Bug#1117638: openssh-client 10.1p1-1 fails to read smart card

[Colin Watson <cjwatson@debian.org>]

On Wed, Oct 08, 2025 at 06:29:15PM -0500, S R Wright wrote:
> When attempting to read a smart card via
>
>          PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
>
> the following error is seen in the trace:
>
> debug1: pkcs11_start_helper: starting 
> /usr/lib/openssh/ssh-pkcs11-helper -vvv
> debug3: pkcs11_init: called, interactive = 0
> debug1: process_add
> debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
> debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: 
> manufacturerID <OpenSC Project> cryptokiVersion 2.20 
> libraryDescription <OpenSC smartcard framework> libraryVersion 0.26
> debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: 
> label <PIV_II> manufacturerID <piv_II> model <PKCS#15 emulated> serial 
> <3412b080a610d7e8> flags 0x40d
> pin required
> debug1: pkcs11_provider_finalize: provider 
> "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
> debug1: pkcs11_provider_unref: provider 
> "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
> debug1: pkcs11_add_provider: provider 
> /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
> debug1: pkcs11_add_provider: no keys; terminate helper
>
> Note the line "pin required";  however at no time does a prompt for a 
> PIN occur.

This looks similar to 
https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-October/042192.html, 
and in a reply to that Damien suggested a patch which I'm about to 
cherry-pick for a different reason 
(https://bugzilla.mindrot.org/show_bug.cgi?id=3877).  Could you please 
test 1:10.1p1-2 when it's available and let us know if that works 
better?

Thanks,

--
Colin Watson (he/him)                              [cjwatson@debian.org]