Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.

Jacob Hoffman-Andrews jsha at
Tue Feb 25 07:41:02 AEDT 2020

On Mon, Feb 24, 2020 at 2:29 AM Jakub Jelen <jjelen at> wrote:
> I think the problem here is that the -D switch is not smartcards aware.
> PKCS#11 modules should be removed using -e switch, which works fine to
> my testing.

Aha, thanks for pointing this flag out to me. I had missed it. Indeed,
`ssh-add -e` does fix this issue for me on the latest release (though on the
release that ships with Ubuntu 19.10, "OpenSSH_8.0p1", it fails).

I realized there's a similar problem with the `-d` flag: If you delete
an identity
backed by a PKCS#11 device, it will remove the identity and report success
but not remove the provider.

Is it desirable in the future to have multiple identities offered by the same
provider? For instance, multiple instances of the same smartcard reader?
If so, we would need to have some facility to keep track of already-loaded
providers and reuse them, as well as do reference counting for removed
identities. That's why I was suggesting it would be more straightforward
to never unload providers (or in other words, require a restart of ssh-agent
if user requires that provider to be non-resident, which I think is quite rare).

FWIW, I maintain a signing library in Go that uses PKCS#11, and it uses the
approach I describe above, keeping the PKCS#11 module loaded until end
of process:

More information about the openssh-unix-dev mailing list