https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295336
Bug ID: 295336
Summary: openssh: pkcs11 is broken in new version (10.3p1)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
Created attachment 270791
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=270791&action=edit
patch
Hi
All of my pkcs11 libraries are broken after
2574974648c68c738aec3ff96644d888d7913a37 (D56999).
See:
https://github.com/openssh/openssh-portable/commit/3ca274e44cb2c2351376fc14e4c3e92ba4a8f87b
```
% ssh-agent -d -a /tmp/agent.socket
SSH_AUTH_SOCK=/tmp/agent.socket; export SSH_AUTH_SOCK;
echo Agent pid 15732;
...
debug3: process_add: add /usr/local/lib/libpcsclite.so.1
lib_contains_symbol: nlist failed for /usr/local/lib/libpcsclite.so.1
provider /usr/local/lib/libpcsclite.so.1 is not a PKCS11 library
debug3: pkcs11_add_provider: response 5
debug1: pkcs11_add_provider: no keys; terminate helper
debug3: helper_terminate: terminating helper for /usr/local/lib/libpcsclite.so.1; remaining 0 keys
```
Same for opensc and libykcs11.so (yubikey):
```
debug3: process_add: add /usr/local/lib/libykcs11.so.2.7.2
lib_contains_symbol: nlist failed for /usr/local/lib/libykcs11.so.2.7.2
provider /usr/local/lib/libykcs11.so.2.7.2 is not a PKCS11 library
debug3: pkcs11_add_provider: response 5
debug1: pkcs11_add_provider: no keys; terminate helper
```
After reverting 3ca274e in openssh by the patch attached:
```
debug3: pkcs11_start_helper: helper 1 for "/usr/local/lib/libykcs11.so.2.7.2" on fd 6 pid 61042
debug3: pkcs11_add_provider: add /usr/local/lib/libykcs11.so.2.7.2
debug1: pkcs11_start_helper: starting /usr/local/libexec/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/local/lib/libykcs11.so.2.7.2
debug1: provider /usr/local/lib/libykcs11.so.2.7.2: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.72
```