[Bug 3879] New: ssh: pkcs11 key enumeration fails with "pin required"

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Oct 13 11:06:55 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3879

            Bug ID: 3879
           Summary: ssh: pkcs11 key enumeration fails with "pin required"
           Product: Portable OpenSSH
           Version: 10.1p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jan.nordholz at mail.de

Created attachment 3911
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3911&action=edit
patch to pass interactive mode on to pkcs11 helper

Hi,

starting with 10.1p1, ssh uses ssh-pkcs11-helper, which means that
pkcs11_init() and pkcs11_add_provider() no longer directly go to the
implementations in ssh-pkcs11.c, but now reach the stubs in
ssh-pkcs11-client.c. There pkcs11_init() is a NOP, and
pkcs11_add_provider() is the proxy stub that forks off the helper
subprocess.

Now for regular interactive usage, ssh.c calls
pkcs11_init(!options.batch_mode) (which does nothing), and the
forked-off helper unconditionally calls pkcs11_init(0), meaning the
helper is always running in batch mode and refusing to enumerate the
smartcard keys. This is probably not what was intended - and frankly,
the duplication of function names didn't really help me traverse
this...

I've created a patch that plumbs through the "interactive" mode by
adding another command line parameter to the pkcs11 helper and by
expanding the pkcs11_init() stub in ssh-pkcs11-client.c to do the
necessary thing.

Jan

Log snippet with 10.0:
=====
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:
manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription
<OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0:
label <...> manufacturerID <...> model <...> serial <...>
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 1 keys
=====

Log snippet with 10.1:
=====
debug1: Connection established.
debug1: pkcs11_start_helper: starting
/usr/lib/openssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:
manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription
<OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0:
label <...> manufacturerID <...> model <...> serial <...>
pin required
debug1: pkcs11_provider_finalize: provider
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
debug1: pkcs11_add_provider: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
debug1: read eof
=====

10.2 with patch applied results in this:
=====
debug1: Connection established.
debug3: pkcs11_start_helper: start helper for
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug3: pkcs11_start_helper: helper 0 for
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" on fd 4 pid 32081
debug3: pkcs11_add_provider: add
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: pkcs11_start_helper: starting
/usr/lib/openssh/ssh-pkcs11-helper -vvv -i
debug3: pkcs11_init: called, interactive = 1
debug1: process_add
debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:
manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription
<OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0:
label <...> manufacturerID <...> model <...> serial <...>
debug1: pkcs11_record_key: RSA key: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 00
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 1 keys
=====
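To make the difference between the three transcripts mechanically checkable, here is a small triage script added for this report; it is not code from OpenSSH or from the attached patch. It scans an `ssh -vvv` transcript for the lines quoted above, records whether ssh-pkcs11-helper was spawned and with which arguments, which `interactive` value `pkcs11_init()` logged, whether the token answered `pin required`, and how many keys were enumerated, and then labels the run. The sample transcripts are constructed from the report's log lines with the mail wrapping undone (real ssh output does not wrap); the `-i` flag it looks for is the one the reporter's patch adds, as seen in the patched log, not a flag of stock OpenSSH.

```python
"""Triage an `ssh -vvv` transcript for the PKCS#11 helper batch-mode symptom.

Added example for this bug report, not OpenSSH or patch code. Assumptions:
the debug message formats are those quoted in the report, and the helper's
"-i" option is the interactive flag introduced by the reporter's patch.
"""
import re
import shlex

HELPER_START = re.compile(r"pkcs11_start_helper: starting (.+)$")
INIT_MODE = re.compile(r"pkcs11_init: called, interactive = (\d)")
HAVE_KEYS = re.compile(r"have (\d+) keys")
NO_KEYS = re.compile(r"pkcs11_add_provider: provider \S+ returned no keys")

PROVIDER = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"

# Constructed samples, abbreviated from the report's three log snippets.
SAMPLE_INPROCESS = f"""\
debug1: Connection established.
debug2: pkcs11_fetch_keys: provider {PROVIDER} slot 0: RSA SHA256:...
debug1: have 1 keys
"""

SAMPLE_BATCH = f"""\
debug1: Connection established.
debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add {PROVIDER}
pin required
debug1: pkcs11_add_provider: provider {PROVIDER} returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
debug1: read eof
"""

SAMPLE_PATCHED = f"""\
debug1: Connection established.
debug3: pkcs11_start_helper: start helper for {PROVIDER}
debug1: pkcs11_start_helper: starting /usr/lib/openssh/ssh-pkcs11-helper -vvv -i
debug3: pkcs11_init: called, interactive = 1
debug1: process_add
debug3: process_add: add {PROVIDER}
debug1: pkcs11_record_key: RSA key: provider {PROVIDER} slot 0 keyid 00
debug2: pkcs11_fetch_keys: provider {PROVIDER} slot 0: RSA SHA256:...
debug1: have 1 keys
"""


def triage_pkcs11_log(text):
    """Extract the helper/PIN/key facts from a transcript and classify it."""
    info = {"helper_argv": None, "interactive": None,
            "pin_required": False, "keys": None}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HELPER_START.search(line)):
            # argv of the spawned helper, e.g. ['.../ssh-pkcs11-helper', '-vvv']
            info["helper_argv"] = shlex.split(m.group(1))
        elif (m := INIT_MODE.search(line)):
            info["interactive"] = int(m.group(1))
        elif line == "pin required":
            # the token wanted a PIN but nobody was allowed to ask for one
            info["pin_required"] = True
        elif (m := HAVE_KEYS.search(line)):
            info["keys"] = int(m.group(1))
        elif NO_KEYS.search(line):
            info["keys"] = 0
    info["helper_interactive_flag"] = bool(
        info["helper_argv"] and "-i" in info["helper_argv"])  # patch's flag
    info["verdict"] = classify(info)
    return info


def classify(info):
    """Map the extracted facts onto the three situations in the report."""
    if info["helper_argv"] is None:
        return "no-helper"  # in-process provider (10.0 path) or no PKCS11Provider
    if info["interactive"] == 0 and info["pin_required"] and not info["keys"]:
        return "helper-batch-mode"  # the 10.1 symptom described in the report
    if info["interactive"] == 1 and info["keys"]:
        return "ok"
    return "inconclusive"


if __name__ == "__main__":
    for name, sample in [("10.0", SAMPLE_INPROCESS), ("10.1", SAMPLE_BATCH),
                         ("patched", SAMPLE_PATCHED)]:
        r = triage_pkcs11_log(sample)
        print(f"{name:8} interactive={r['interactive']} "
              f"pin_required={r['pin_required']} keys={r['keys']} -> {r['verdict']}")
```

Run it against a real transcript with `triage_pkcs11_log(open("ssh.log").read())`; a `helper-batch-mode` verdict on an interactive session is the signature of the mismatch the report describes (helper spawned without the interactive flag, `interactive = 0`, `pin required`, zero keys), while `inconclusive` means the transcript lacks one of those lines and needs a look by hand.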
