Bug#1117720: ssh: not enumerating pkcs11 keys, fails with "pin required"
Package: openssh-client
Version: 1:10.1p1-2
Severity: normal
Hi,
ssh has lost its ability to use smartcard keys. This is the relevant part of a
'ssh -vvv' with 10.0 (slightly redacted):
=====
debug1: OpenSSH_10.0p2 Debian-8, OpenSSL 3.5.4 30 Sep 2025
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 1: Applying options for *
debug1: /home/jan/.ssh/config line 8: Applying options for TARGET_HOSTNAME
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "TARGET_HOSTNAME" port 22
debug1: Connecting to TARGET_HOSTNAME [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> manufacturerID <...> model <...> serial <...>
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 2 keys
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 3 keys
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55cd933f5260 ptr 0x55cd933f4f00 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 4
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55cd933f60b0 ptr 0x55cd933f4f60 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 4
[...]
=====
And this is the same part with 10.1:
=====
debug1: OpenSSH_10.1p1 Debian-2, OpenSSL 3.5.4 30 Sep 2025
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 1: Applying options for *
debug1: /home/jan/.ssh/config line 8: Applying options for TARGET_HOSTNAME
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "TARGET_HOSTNAME" port 22
debug1: Connecting to TARGET_HOSTNAME [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> manufacturerID <...> model <...> serial <...>
pin required
debug1: pkcs11_provider_finalize: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
debug1: pkcs11_add_provider: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
debug1: read eof
[...]
=====
I don't know why logging into the card isn't deferred until actual key usage
as it was in 10.0. It also doesn't matter whether I have an agent running and
whether the keys have been added to the agent beforehand or not.
Thanks
Jan
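As an added triage aid (not part of the report or of OpenSSH itself), this script parses the two transcripts above and classifies the PKCS#11 enumeration outcome, so the 10.0 and 10.1 behaviour can be compared mechanically. The `SHA256:AAAA`/`SHA256:BBBB` fingerprints are constructed stand-ins for the redacted ones, and the verdict labels are my own.

```python
import re
from dataclasses import dataclass, field
# Constructed excerpts of the two 'ssh -vvv' transcripts quoted in the report (10.0 vs 10.1).
LOG_10_0 = """\
debug1: OpenSSH_10.0p2 Debian-8, OpenSSL 3.5.4 30 Sep 2025
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> manufacturerID <...> model <...> serial <...>
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:AAAA
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:BBBB
"""
LOG_10_1 = """\
debug1: OpenSSH_10.1p1 Debian-2, OpenSSL 3.5.4 30 Sep 2025
debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> manufacturerID <...> model <...> serial <...>
pin required
debug1: pkcs11_add_provider: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
"""
VERSION_RE = re.compile(r"OpenSSH_(\S+)")
PROVIDER_RE = re.compile(r'provider "?(/\S+\.so)')
FETCH_RE = re.compile(r"pkcs11_fetch_keys: provider \S+ slot (\d+): (\S+) (SHA256:\S+)")
@dataclass
class Pkcs11Triage:
    version: str = "unknown"
    providers: set = field(default_factory=set)
    keys: list = field(default_factory=list)   # (slot, key type, fingerprint) per enumerated key
    helper_used: bool = False                  # ssh-pkcs11-helper was started by the client
    pin_required: bool = False                 # "pin required" seen before any key was enumerated
    returned_no_keys: bool = False

    def verdict(self) -> str:
        # Classify the outcome so a regression can be spotted without reading the whole log.
        if not self.providers:
            return "no-provider"
        if self.pin_required and not self.keys:
            return "pin-required-before-enumeration"
        return "no-keys" if self.returned_no_keys else "ok"

def triage(log_text: str) -> Pkcs11Triage:
    # Walk the transcript line by line and collect the PKCS#11 state it reveals.
    t = Pkcs11Triage()
    for line in log_text.splitlines():
        if m := VERSION_RE.search(line):
            t.version = m.group(1)
        if m := PROVIDER_RE.search(line):
            t.providers.add(m.group(1))
        if m := FETCH_RE.search(line):
            t.keys.append((int(m.group(1)), m.group(2), m.group(3)))
        t.helper_used |= "pkcs11_start_helper" in line
        t.returned_no_keys |= "returned no keys" in line
        if line.strip() == "pin required" and not t.keys:
            t.pin_required = True
    return t
```

Run `triage()` over a full `ssh -vvv 2>&1` capture from each version; a verdict other than `ok` with `helper_used` set points at the PIN being demanded during enumeration rather than at signing time.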