[Bug 3964] New: "Unable to load host key" message when using a PKCS#11 based HostKey via SSH-agent

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon May 18 21:42:22 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3964

            Bug ID: 3964
           Summary: "Unable to load host key" message when using a PKCS#11
                    based HostKey via SSH-agent
           Product: Portable OpenSSH
           Version: 10.3p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ifranzki at linux.ibm.com

I am using a PKCS#11 based hostkey for SSHD.
I am starting an ssh-agent on the host, then add the PKCS#11 provider
and its key via 'ssh-add -s /path/to/pkcs11-provider' (one EC P-256 key
gets added). Then I create the public SSH key from it using 'ssh-keygen
-D /path/to/pkcs11-provider > /path/to/ssh_host_pkcs11_key.pub'. 

Then I edit the SSHD config file as follows:

  HostKey /path/to/ssh_host_pkcs11_key.pub
  HostKeyAgent SSH_AUTH_SOCK

So the key specified with HostKey is a public key, and not a private
key.
Environment variable SSH_AUTH_SOCK is set to the agent socket address.

When starting sshd, I get 'Unable to load host key
"/path/to/ssh_host_pkcs11_key.pub": error in libcrypto'. However,
processing continues and sshd finally comes up fine.

Turning on debug (-d option) shows that it recognizes the agent key
later on: 

   debug1: will rely on agent for hostkey /path/to/ssh_host_pkcs11_key.pub
   debug1: agent host key #0: ecdsa-sha2-nistp256 SHA256:<fingerprint>

So it's not a functional problem, but the error message 'Unable to load
host key "/path/to/ssh_host_pkcs11_key.pub": error in libcrypto' is
confusing.

The doc at https://man.openbsd.org/sshd_config#HostKey states "It is
also possible to specify public host key files instead. In this case
operations on the private key will be delegated to an ssh-agent(1).".
So it seems legit to specify a public key here when an agent based host
key is used. 

Would it be possible to omit the error message in such cases? 

The attempt to load the host key is here:
https://github.com/openssh/openssh-portable/blob/cf6c0b3b94cdc223f1b8be1ef2d93e993af5d976/sshd.c#L1593

Slightly further down it can deal with the situation that it's a public
key with an agent:
https://github.com/openssh/openssh-portable/blob/cf6c0b3b94cdc223f1b8be1ef2d93e993af5d976/sshd.c#L1637

Couldn't the error message for the private key load only be issued when
there is no agent and the public key couldn't be loaded as well?


More information about the openssh-bugs mailing list
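For anyone who runs into the same message, a practical way to tell the benign case (the key was later taken from the agent) from a real host-key failure is to run sshd in debug mode and check that every public-key HostKey reported as unloadable was afterwards announced as an agent host key. The script below is an added example, not code from the bug report or from OpenSSH: the log lines it contains are constructed from the messages quoted above, the key paths and the `SHA256:<fingerprint>` placeholder are taken from the report rather than from a real key, and the function names `check_agent_hostkeys`, `agent_fingerprints` and `write_sample_log` are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSH): tell the benign
# "Unable to load host key" message apart from a real failure by checking the
# sshd debug log for the agent fallback. Capture the log with something like
#   sshd -d -p 2222 -f /etc/ssh/sshd_config 2>&1 | tee sshd-debug.log
# and interrupt it once "Server listening" appears.

# Fingerprints of every key sshd announced as coming from the agent.
agent_fingerprints() {
    sed -n 's/^debug1: agent host key #[0-9]*: [^ ]* \(SHA256:[^ ]*\).*/\1/p' "$1"
}

# check_agent_hostkeys LOGFILE PUBKEY...
# Prints one status line per key; returns 0 only if every HostKey that sshd
# could not load as a private key was afterwards served by the agent.
check_agent_hostkeys() {
    log=$1; shift
    rc=0
    for pub in "$@"; do
        if ! grep -Fq "Unable to load host key \"$pub\"" "$log"; then
            echo "$pub: loaded directly, nothing to check"
            continue
        fi
        if ! grep -Fq "will rely on agent for hostkey $pub" "$log"; then
            echo "$pub: FAILED, no agent fallback (HostKeyAgent unset or agent unreachable?)"
            rc=1
            continue
        fi
        # Tie the announced agent key back to this .pub file by fingerprint when
        # ssh-keygen and the file are available; otherwise accept any agent key.
        if command -v ssh-keygen >/dev/null 2>&1 && [ -r "$pub" ]; then
            fp=$(ssh-keygen -lf "$pub" | awk '{print $2}')
            if agent_fingerprints "$log" | grep -Fxq "$fp"; then
                echo "$pub: benign message, agent serves $fp"
            else
                echo "$pub: FAILED, agent holds no key with fingerprint $fp"
                rc=1
            fi
        elif [ -n "$(agent_fingerprints "$log")" ]; then
            echo "$pub: benign message, agent announced a host key (fingerprint not verified)"
        else
            echo "$pub: FAILED, sshd listed no agent host keys"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample logs modelled on the messages quoted in the report
# (the fingerprint placeholder is the report's, not a real key).
# write_sample_log good|bad FILE
write_sample_log() {
    case $1 in
    good) cat >"$2" <<'EOF'
Unable to load host key "/path/to/ssh_host_pkcs11_key.pub": error in libcrypto
debug1: will rely on agent for hostkey /path/to/ssh_host_pkcs11_key.pub
debug1: agent host key #0: ecdsa-sha2-nistp256 SHA256:<fingerprint>
EOF
    ;;
    bad) cat >"$2" <<'EOF'
Unable to load host key "/path/to/ssh_host_pkcs11_key.pub": error in libcrypto
EOF
    ;;
    esac
}

# Demo on the constructed "good" log.
demo=$(mktemp)
write_sample_log good "$demo"
check_agent_hostkeys "$demo" /path/to/ssh_host_pkcs11_key.pub
rm -f "$demo"
```

Against a real debug log, pass the same paths as the HostKey lines in sshd_config; the fingerprint comparison only runs when the .pub file is readable and ssh-keygen is installed, since sshd's "agent host key" line names the key only by type and fingerprint, not by file.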