Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.

Peter Stuge peter at
Mon Apr 6 04:12:26 AEST 2020

Note I'm no maintainer here, just someone on the list.

Jacob Hoffman-Andrews wrote:
> I think the best fix here is to treat "provider already exists" as a
> non-error.

This seems logically OK to me.

> There is no need to unload providers when they become unused

I disagree with this for reasons already mentioned, and

> because it is uncommon to have more than one provider on any given system.

It may be uncommon, but that is no reason to make it impossible!

> Also, a user is likely to reuse a provider they have previously used.

Disagree again - consider an interactive session, where a user logs
in, performs a system update of either ssh-agent, p11, or both, and
then wants to use the newer versions.

The scope of the ssh-agent is the user's session. The scope of the
p11 is the loaded provider in the agent. It's simply ugly to force
the user to restart the agent process if she really only wants to
replace the p11.

Jacob Hoffman-Andrews wrote:
> Indeed, `ssh-add -e` does fix this issue for me on the latest release
> I realized there's a similar problem with the `-d` flag: If you delete
> an identity backed by a PKCS#11 device, it will remove the identity
> and report success but not remove the provider.

Intuitively I would expect -d (and -D) to remove the provider when the
last key from that provider is removed.

> Is it desirable in the future to have multiple identities offered by the
> same provider?

I for one would like that to work.

> For instance, multiple instances of the same smartcard reader?

Sure. Or a device making more than one key available through the same
interface, thus controlled by one (and only one) provider.

> If so, we would need to have some facility to keep track of already-loaded
> providers and reuse them, as well as do reference counting for removed
> identities.

I think this would make sense.

> That's why I was suggesting it would be more straightforward
> to never unload providers (or in other words, require a restart of
> ssh-agent if user requires that provider to be non-resident,

Again, I disagree strongly with forcing this onto us users. Consider a
system where an agent also has many other, unrelated keys. It would be
really painful and annoying to ditch all that other setup just because
some p11 provider needs to be reloaded. Windows does still get away
with requiring a reboot now and then, but let's not copy that pattern
if we can avoid it in any way.


More information about the openssh-unix-dev mailing list