Hello,

Since OpenBSD 7.8-CURRENT, configuring libykcs11 for use both with and without ssh-agent, e.g.

> cat ~/.ssh/config
PKCS11Provider /usr/local/lib/libykcs11.so.1.1
> ssh-add -s/usr/local/lib/libykcs11.so.1.1

causes three "failed to fetch key" messages to appear when connecting to a host:
> ssh target
failed to fetch key
failed to fetch key
failed to fetch key

This setup is useful when using several different YubiKeys, some not being registered with ssh-agent.

The messages are a mere inconvenience; the connection proceeds normally.

The -v flag shows more information:
debug1: OpenSSH_10.0, LibreSSL 4.2.0
debug1: Reading configuration data /home/sb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to target [192.168.1.1] port 22.
debug1: Connection established.
debug1: provider /usr/local/lib/libykcs11.so.1.1: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.71
debug1: provider /usr/local/lib/libykcs11.so.1.1 slot 0: label <YubiKey PIV #xxxx> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <xxxx> flags 0x40d
debug1: pkcs11_record_key: ECDSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
debug1: have 1 keys
debug1: pkcs11_record_key: RSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 19
debug1: have 2 keys
debug1: pkcs11_record_key: ECDSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
debug1: pkcs11_record_key: Already seen this key at provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
failed to fetch key
debug1: pkcs11_record_key: RSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 19
debug1: pkcs11_record_key: Already seen this key at provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 19
failed to fetch key
debug1: pkcs11_record_key: ECDSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
debug1: pkcs11_record_key: Already seen this key at provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
failed to fetch key

Regards,
Sébastien
