Bug#1117720: ssh: not enumerating pkcs11 keys, fails with "pin required"

Fri, 17 Oct 2025 01:22:47 -0700 

Package: openssh-client
Version: 1:10.1p1-2
Severity: normal

Hi,

ssh has lost its ability to use smartcard keys. This is the relevant part of a
'ssh -vvv' with 10.0 (slightly redacted):
 
=====
debug1: OpenSSH_10.0p2 Debian-8, OpenSSL 3.5.4 30 Sep 2025
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 1: Applying options for *
debug1: /home/jan/.ssh/config line 8: Applying options for TARGET_HOSTNAME
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf 
matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "TARGET_HOSTNAME" port 22
debug1: Connecting to TARGET_HOSTNAME [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID 
<OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard 
framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> 
manufacturerID <...> model <...> serial <...>
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 
slot 0: RSA SHA256:...
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 
slot 0: RSA SHA256:...
debug1: have 2 keys
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 
slot 0: RSA SHA256:...
debug1: have 3 keys
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 
slot 0: RSA SHA256:...
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55cd933f5260 ptr 0x55cd933f4f00 idx 1
debug1: pkcs11_provider_unref: provider 
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 4
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 
slot 0: RSA SHA256:...
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55cd933f60b0 ptr 0x55cd933f4f60 idx 1
debug1: pkcs11_provider_unref: provider 
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 4
[...]
=====

And this is the same part with 10.1:

=====
debug1: OpenSSH_10.1p1 Debian-2, OpenSSL 3.5.4 30 Sep 2025
debug1: Reading configuration data /home/jan/.ssh/config
debug1: /home/jan/.ssh/config line 1: Applying options for *
debug1: /home/jan/.ssh/config line 8: Applying options for TARGET_HOSTNAME
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf 
matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "TARGET_HOSTNAME" port 22
debug1: Connecting to TARGET_HOSTNAME [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID 
<OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard 
framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <...> 
manufacturerID <...> model <...> serial <...>
pin required
debug1: pkcs11_provider_finalize: provider 
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider 
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
debug1: pkcs11_add_provider: provider 
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
debug1: read eof
[...]
=====

I don't know why logging into the card isn't deferred until actual key usage
as it was in 10.0. It also doesn't matter whether I have an agent running and
whether the keys have been added to the agent beforehand or not.
 
Thanks

Jan
--

Reply via email to