On Wed, Oct 08, 2025 at 06:29:15PM -0500, S R Wright wrote:
> When attempting to read a smart card via
>
> PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
>
> the following error is seen in the trace:
>
> debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv
> debug3: pkcs11_init: called, interactive = 0
> debug1: process_add
> debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
> debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.26
> debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <PIV_II> manufacturerID <piv_II> model <PKCS#15 emulated> serial <3412b080a610d7e8> flags 0x40d
> pin required
> debug1: pkcs11_provider_finalize: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
> debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
> debug1: pkcs11_add_provider: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
> debug1: pkcs11_add_provider: no keys; terminate helper
>
> Note the line "pin required"; however at no time does a prompt for a
> PIN occur.

This looks similar to
https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-October/042192.html,
and in a reply to that Damien suggested a patch which I'm about to
cherry-pick for a different reason
(https://bugzilla.mindrot.org/show_bug.cgi?id=3877). Could you please
test 1:10.1p1-2 when it's available and let us know if that works
better?

Thanks,

--
Colin Watson (he/him) [[email protected]]