
Bug#1117720: marked as done (ssh: not enumerating pkcs11 keys, fails with "pin required")



Your message dated Fri, 17 Oct 2025 09:54:18 +0000
with message-id <E1v9hAA-006DGS-2R@fasolo.debian.org>
and subject line Bug#1117720: fixed in openssh 1:10.2p1-2
has caused the Debian Bug report #1117720,
regarding ssh: not enumerating pkcs11 keys, fails with "pin required"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1117720: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117720
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:10.1p1-2
Severity: normal

Hi,

ssh has lost its ability to use smartcard keys. This is the relevant part of a
'ssh -vvv' with 10.0 (slightly redacted):
 
=====
debug1: OpenSSH_10.0p2 Debian-8, OpenSSL 3.5.4 30 Sep 2025
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 1: Applying options for *
debug1: /home/jan/.ssh/config line 8: Applying options for TARGET_HOSTNAME
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "TARGET_HOSTNAME" port 22
debug1: Connecting to TARGET_HOSTNAME [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> manufacturerID <...> model <...> serial <...>
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 2 keys
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 3 keys
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55cd933f5260 ptr 0x55cd933f4f00 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 4
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55cd933f60b0 ptr 0x55cd933f4f60 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 4
[...]
=====

And this is the same part with 10.1:

=====
debug1: OpenSSH_10.1p1 Debian-2, OpenSSL 3.5.4 30 Sep 2025
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 1: Applying options for *
debug1: /home/jan/.ssh/config line 8: Applying options for TARGET_HOSTNAME
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "TARGET_HOSTNAME" port 22
debug1: Connecting to TARGET_HOSTNAME [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> manufacturerID <...> model <...> serial <...>
pin required
debug1: pkcs11_provider_finalize: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
debug1: pkcs11_add_provider: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
debug1: read eof
[...]
=====

I don't know why logging into the card isn't deferred until actual key usage
as it was in 10.0. It also doesn't matter whether I have an agent running and
whether the keys have been added to the agent beforehand or not.
 
Thanks

Jan
-- 

--- End Message ---
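A triage helper for the symptom in the report above, as an added example that is not part of the original report or of OpenSSH. It assumes the debug strings are exactly those shown in the two `ssh -vvv` excerpts; the function name `triage_pkcs11` and the abridged sample logs are constructed for illustration.

```python
import re

# Constructed sample input, abridged from the two 'ssh -vvv' excerpts in the report.
PROVIDER = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"
LOG_10_0 = f"""debug1: OpenSSH_10.0p2 Debian-8, OpenSSL 3.5.4 30 Sep 2025
debug1: provider {PROVIDER} slot 0: label <...> manufacturerID <...> model <...> serial <...>
debug2: pkcs11_fetch_keys: provider {PROVIDER} slot 0: RSA SHA256:...
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider {PROVIDER} slot 0: RSA SHA256:...
debug1: have 2 keys
debug2: pkcs11_fetch_keys: provider {PROVIDER} slot 0: RSA SHA256:...
debug1: have 3 keys
"""
LOG_10_1 = f"""debug1: OpenSSH_10.1p1 Debian-2, OpenSSL 3.5.4 30 Sep 2025
debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: provider {PROVIDER} slot 0: label <...> manufacturerID <...> model <...> serial <...>
pin required
debug1: pkcs11_add_provider: provider {PROVIDER} returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
"""

def triage_pkcs11(log: str) -> dict:
    """Summarise PKCS#11 key enumeration from 'ssh -vvv' output."""
    result = {"version": None, "via_helper": False, "keys": 0,
              "pin_required": False, "no_keys": False}
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"debug1: (OpenSSH_\S+)", line):
            result["version"] = m.group(1)
        elif "pkcs11_start_helper: starting" in line:
            result["via_helper"] = True  # enumeration delegated to ssh-pkcs11-helper
        elif m := re.match(r"debug1: have (\d+) keys", line):
            result["keys"] = max(result["keys"], int(m.group(1)))
        elif line == "pin required":  # printed without a debug prefix
            result["pin_required"] = True
        elif "pkcs11_add_provider:" in line and "returned no keys" in line:
            result["no_keys"] = True
    if result["pin_required"] and result["no_keys"]:
        result["verdict"] = "enumeration aborted: token demanded a PIN"
    elif result["keys"] > 0:
        result["verdict"] = "keys enumerated"
    else:
        result["verdict"] = "no PKCS#11 enumeration seen"
    return result

if __name__ == "__main__":
    for sample in (LOG_10_0, LOG_10_1):
        print(triage_pkcs11(sample))
```
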
--- Begin Message ---
Source: openssh
Source-Version: 1:10.2p1-2
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1117720@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Oct 2025 10:14:14 +0100
Source: openssh
Architecture: source
Version: 1:10.2p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1117638 1117720 1117965
Changes:
 openssh (1:10.2p1-2) unstable; urgency=medium
 .
   * ssh-session-cleanup: Update pattern for sshd-session split in 9.8
     (closes: #1117965).
   * Link ssh against ssh-pkcs11.o directly (closes: #1117638, #1117720).
Git-Tag-Info: tag=152114972cdd2035b82b69564ebac8d821072a82 fp=ac0a4ff12611b6fccf01c111393587d97d86500b
Git-Tag-Tagger: Colin Watson <cjwatson@debian.org>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
