Bug#1117638: Bug#1117720: Bug#1117638: openssh-client 10.1p1-1 fails to read smart card

[Colin Watson <cjwatson@debian.org>]

On Fri, Oct 10, 2025 at 04:36:40PM -0500, S R Wright wrote:
> On 10/10/25 10:27, Jan Nordholz wrote:
> > just grabbed 10.2p1-1 from incoming. No change in behavior, enumeration of
> > pkcs11 keys fails with "pin required" as it did with 10.1p1-2, only having
> > the keys added to the agent makes the connection succeed.
>
> I can confirm what Jan has observed, no change. It still does not 
> prompt for a pin.
>
> debug1: pkcs11_start_helper: starting 
> /usr/lib/openssh/ssh-pkcs11-helper -vvv
> debug3: pkcs11_init: called, interactive = 0
> debug1: process_add
> debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
> debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: 
> manufacturerID <OpenSC Project> cryptokiVersion 2.20 
> libraryDescription <OpenSC smartcard framework> libraryVersion 0.26
> debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: 
> label <PIV_II> manufacturerID <piv_II> model <PKCS#15 emulated> serial 
> <3412b080a610d7e8> flags 0x40d
> pin required
> debug1: pkcs11_provider_finalize: provider 
> "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
> debug1: pkcs11_provider_unref: provider 
> "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
> debug1: pkcs11_add_provider: provider 
> /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
> debug1: pkcs11_add_provider: no keys; terminate helper
> debug1: read eof

Thanks for checking.  I think it would be best if one of you could file 
a bug directly with upstream 
(https://bugzilla.mindrot.org/enter_bug.cgi, requires login).  We're not 
applying any PKCS#11-related patches in Debian at the moment, and 
upstream would be best-placed to debug this.  I'm happy to cherry-pick 
patches as needed, perhaps even experimentally via a branch.

--
Colin Watson (he/him)                              [cjwatson@debian.org]