Why still no PKCS#11 ECC key support in OpenSSH ?

Bob Smith b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch
Mon Aug 13 07:22:38 AEST 2018


Hi,

I was trying to get OpenSSH portable working with my Yubikey.  A key was present on the token but generated using the ECCP384 algorithm.

This led to many obscure goose-chase red-herring error messages from OpenSSH such as the delightful "Could not add card : agent refused operation" or other nonsense that was meaningless and unhelpful.

Many hours later in Mr Google's company, I eventually found this website https://fedoramagazine.org/fedora-28-better-smart-card-support-openssh/ , which points to this https://bugzilla.mindrot.org/show_bug.cgi?id=2474 . Which basically says that despite many patches, support for ECC has never been incorporated into OpenSSH PKCS#11.

And indeed this was the underlying cause. I deleted the ECC key, generated an RSA one, and it worked.

So, I have two questions:

(1) Why has this ECC thing been ongoing since 2015 and yet, despite the passage of weeks, months and years, nobody has yet pulled any of the patches into the OpenSSH codebase?

(2) If you don't want ECC in the codebase, which appears to clearly be the case, can you at least generate some more sensible error messages that say "look, we only accept RSA keys, ok chum?". That would save people like me many hours of wasted time caused by your political or other reasons for being stubborn and not including ECC support.

Sorry for the tone of this message, but I've had a rather frustrating waste of a day due to the issues outlined.

Bob


More information about the openssh-unix-dev mailing list