[Bug 3899] New: ssh-pkcs11-helper fails to prompt for PIN when PKCS#11 token requires authentication
bugzilla-daemon at mindrot.org
Sun Nov 30 02:12:51 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3899
Bug ID: 3899
Summary: ssh-pkcs11-helper fails to prompt for PIN when PKCS#11 token requires authentication
Product: Portable OpenSSH
Version: 10.2p1
Hardware: 68k
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: marino at marino-johnson.org
When using ssh -I with a PKCS#11 provider that requires PIN
authentication, ssh-pkcs11-helper fails to prompt for the PIN and
returns no keys. The helper initializes with interactive = 0 even when
the token reports pin required.
Steps to reproduce:
Insert YubiKey with PIV credentials configured
Run: ssh -vvv -o IdentityAgent=none -o IdentityFile=none -I /opt/homebrew/lib/libykcs11.dylib user at host
Expected behavior:
User is prompted for PIV PIN, keys are loaded, authentication proceeds.
Actual behavior:
No PIN prompt appears. Debug output shows:
debug3: pkcs11_init: called, interactive = 0
debug1: provider /opt/homebrew/lib/libykcs11.dylib slot 0: label <YubiKey PIV #xxxxx> ... flags 0x40d
pin required
debug1: pkcs11_add_provider: provider /opt/homebrew/lib/libykcs11.dylib returned no keys
The helper sees pin required but with interactive = 0, it cannot prompt
and returns zero keys.
Affected PKCS#11 providers:
/opt/homebrew/lib/libykcs11.dylib (Yubico PIV library 2.7.2)
/opt/homebrew/lib/opensc-pkcs11.so (OpenSC 0.26)
/usr/lib/ssh-keychain.dylib (macOS Keychain)
Workaround:
macOS's native /usr/bin/ssh uses ssh-apple-pkcs11 which handles PIN
prompts correctly:
debug1: PKCS11Provider set, reexec to ssh-apple-pkcs11 so we can clear LV
debug2: pkcs11_fetch_keys: provider /usr/lib/ssh-keychain.dylib slot 0: RSA SHA256:xxx
Using macOS native SSH with a clean PATH works:
PATH=/usr/bin:/bin:/usr/sbin:/sbin /usr/bin/ssh -o IdentityAgent=none -o IdentityFile=none -I /usr/lib/ssh-keychain.dylib user at host
Enter PIN for 'Key For PIV Authentication':
[successfully authenticates]
Additional observations:
ssh-add -s /path/to/pkcs11.so also fails with "agent refused operation" even when using ssh-agent -P to whitelist the provider
pkcs11-tool --module /opt/homebrew/lib/libykcs11.dylib -l -t successfully prompts for PIN and accesses keys, confirming the token and PIN work correctly
ssh-keygen -D /opt/homebrew/lib/libykcs11.dylib extracts public keys successfully (no PIN required for public keys)
Environment:
OpenSSH_10.2p1, OpenSSL 3.6.0
macOS 15.1 (Sequoia), Darwin Kernel 25.1.0
YubiKey 5 NFC, firmware 5.2.4 and 5.1.2 tested
Homebrew openssh 10.2p1
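A small triage script, added here and not part of the bug report or of OpenSSH: it parses `ssh -vvv ... -I <provider>` debug lines of the kind quoted in the report, decodes the token `flags` word using the standard PKCS#11 CK_TOKEN_INFO bit names (so that `0x40d` is seen to include CKF_LOGIN_REQUIRED), and reports when a login-required token met a helper running with `interactive = 0` and returned no keys. It goes slightly beyond the report by also distinguishing a locked user PIN (CKF_USER_PIN_LOCKED) from the prompting problem. Both log samples are constructed from the lines in the report; the debug lines are assumed to be unwrapped, as ssh prints them.

```python
"""Triage `ssh -vvv` PKCS#11 debug output without a token present."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# CK_TOKEN_INFO.flags bits from the PKCS#11 specification.
TOKEN_FLAGS = {
    0x00000001: "CKF_RNG",
    0x00000002: "CKF_WRITE_PROTECTED",
    0x00000004: "CKF_LOGIN_REQUIRED",
    0x00000008: "CKF_USER_PIN_INITIALIZED",
    0x00000100: "CKF_PROTECTED_AUTHENTICATION_PATH",
    0x00000400: "CKF_TOKEN_INITIALIZED",
    0x00010000: "CKF_USER_PIN_COUNT_LOW",
    0x00020000: "CKF_USER_PIN_FINAL_TRY",
    0x00040000: "CKF_USER_PIN_LOCKED",
}
CKF_LOGIN_REQUIRED = 0x00000004
CKF_USER_PIN_LOCKED = 0x00040000

# Patterns for the three debug lines that carry the evidence.
INTERACTIVE_RE = re.compile(r"pkcs11_init: called, interactive = (\d+)")
SLOT_RE = re.compile(r"provider (\S+) slot (\d+):.*flags 0x([0-9a-fA-F]+)")
NOKEYS_RE = re.compile(r"pkcs11_add_provider: provider (\S+) returned no keys")

# Constructed sample: the failing case from the report, lines unwrapped.
SAMPLE_FAILING = """\
debug3: pkcs11_init: called, interactive = 0
debug1: provider /opt/homebrew/lib/libykcs11.dylib slot 0: label <YubiKey PIV #xxxxx> ... flags 0x40d
pin required
debug1: pkcs11_add_provider: provider /opt/homebrew/lib/libykcs11.dylib returned no keys
"""

# Constructed sample: same token, but the helper was started interactively
# and did not report "returned no keys" (hypothetical working run).
SAMPLE_WORKING = """\
debug3: pkcs11_init: called, interactive = 1
debug1: provider /opt/homebrew/lib/libykcs11.dylib slot 0: label <YubiKey PIV #xxxxx> ... flags 0x40d
"""


@dataclass
class Triage:
    interactive: bool | None = None            # None until pkcs11_init is seen
    slots: list[tuple[str, int, int]] = field(default_factory=list)  # (provider, slot, flags)
    no_keys: list[str] = field(default_factory=list)                # providers with zero keys
    pin_required_seen: bool = False
    findings: list[str] = field(default_factory=list)


def decode_flags(flags: int) -> list[str]:
    """Return the names of the known CK_TOKEN_INFO bits set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(TOKEN_FLAGS.items()) if flags & bit]


def triage(debug_text: str) -> Triage:
    """Collect PKCS#11 evidence from ssh -vvv output and correlate it into findings."""
    t = Triage()
    for line in debug_text.splitlines():
        if m := INTERACTIVE_RE.search(line):
            t.interactive = m.group(1) != "0"
        elif m := SLOT_RE.search(line):
            t.slots.append((m.group(1), int(m.group(2)), int(m.group(3), 16)))
        elif line.strip() == "pin required":
            t.pin_required_seen = True
        elif m := NOKEYS_RE.search(line):
            t.no_keys.append(m.group(1))

    for provider, slot, flags in t.slots:
        names = ", ".join(decode_flags(flags))
        if flags & CKF_USER_PIN_LOCKED:
            # A locked PIN is a token-state problem; a prompt would not fix it.
            t.findings.append(f"{provider} slot {slot}: user PIN locked ({names}); prompting would not help")
        elif flags & CKF_LOGIN_REQUIRED and t.interactive is False and provider in t.no_keys:
            t.findings.append(
                f"{provider} slot {slot}: token requires login ({names}) but the helper ran "
                f"non-interactive and returned no keys; expect no PIN prompt"
            )
    return t


if __name__ == "__main__":
    for label, sample in (("failing", SAMPLE_FAILING), ("working", SAMPLE_WORKING)):
        result = triage(sample)
        print(f"[{label}] interactive={result.interactive} findings={result.findings or 'none'}")
```

Run it as `python3 triage.py`, or pipe a real `ssh -vvv` stderr capture through `triage()`; the `findings` list is empty when the log shows a prompt-capable helper, and names the provider and slot when it reproduces the condition in this report.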