Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.

Jakub Jelen jjelen at redhat.com
Tue Feb 25 20:09:04 AEDT 2020


On Mon, 2020-02-24 at 12:41 -0800, Jacob Hoffman-Andrews wrote:
> On Mon, Feb 24, 2020 at 2:29 AM Jakub Jelen <jjelen at redhat.com> wrote:
> > I think the problem here is that the -D switch is not smartcards
> > aware. PKCS#11 modules should be removed using -e switch, which
> > works fine to my testing.
> 
> Aha, thanks for pointing this flag out to me. I had missed it. Indeed,
> `ssh-add -e` does fix this issue for me on the latest release (though
> on the release that ships with Ubuntu 19.10, "OpenSSH_8.0p1", it fails).
> 
> I realized there's a similar problem with the `-d` flag: If you delete
> an identity backed by a PKCS#11 device, it will remove the identity and
> report success but not remove the provider.

Thank you for pointing that out. It is certainly something that should be
fixed. Can you open a new bug so it will not get lost:

https://bugzilla.mindrot.org/

Hopefully I will be able to look into it in the coming weeks.

> Is it desirable in the future to have multiple identities offered by
> the same provider? For instance, multiple instances of the same
> smartcard reader? If so, we would need to have some facility to keep
> track of already-loaded providers and reuse them, as well as do
> reference counting for removed identities. That's why I was suggesting
> it would be more straightforward to never unload providers (or in other
> words, require a restart of ssh-agent if user requires that provider to
> be non-resident, which I think is quite rare).
> 
> FWIW, I maintain a signing library in Go that uses PKCS#11, and it
> uses the approach I describe above, keeping the PKCS#11 module loaded
> until end of process:
> https://github.com/letsencrypt/pkcs11key/blob/master/key.go#L113.

Never unloading pkcs11 modules can have unexpected results for users of,
for example, long-running ssh-agents and updates -- if you update a pkcs11
module, you expect that if you remove it and add it back, it will load
the new one.

I implemented a way of adding different keys from single or different
pkcs11 modules using PKCS #11 URIs, which is in use in Fedora:

https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
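
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not OpenSSH code: a reference-counted provider table that reuses a loaded PKCS#11 module across identities and unloads it when the last identity is removed, so a later add picks up an updated module. All names here are hypothetical, the module path is constructed, and the `generation` counter only simulates which build of the module was loaded.

```c
#include <string.h>
#define MAX_PROVIDERS 8

/* Hypothetical registry entry for one loaded PKCS#11 module. */
struct provider {
    char path[128];
    int refs;       /* identities currently backed by this module */
    int generation; /* stands in for the build that was loaded */
    int loaded;
};
static struct provider table[MAX_PROVIDERS];
static int on_disk_generation = 1; /* bumped to simulate a module update */

static struct provider *lookup(const char *path) {
    for (int i = 0; i < MAX_PROVIDERS; i++)
        if (table[i].loaded && strcmp(table[i].path, path) == 0)
            return &table[i];
    return NULL;
}

/* Add an identity: reuse a loaded provider, else load it. Returns generation or -1. */
int identity_add(const char *path) {
    struct provider *p = lookup(path);
    if (p == NULL) {
        if (strlen(path) >= sizeof(table[0].path)) return -1;
        for (int i = 0; i < MAX_PROVIDERS && p == NULL; i++)
            if (!table[i].loaded) p = &table[i];
        if (p == NULL) return -1; /* table full */
        strcpy(p->path, path);
        p->refs = 0;
        p->generation = on_disk_generation;
        p->loaded = 1;
    }
    p->refs++;
    return p->generation;
}

/* Remove one identity; unload on the last one. Returns refs left or -1. */
int identity_remove(const char *path) {
    struct provider *p = lookup(path);
    if (p == NULL) return -1;
    if (--p->refs == 0) p->loaded = 0; /* last user gone: unload */
    return p->refs;
}
void simulate_module_update(void) { on_disk_generation++; }
int provider_is_loaded(const char *path) { return lookup(path) != NULL; }

int main(void) { /* constructed path; exits 0 once the provider is unloaded */
    return identity_add("/constructed/token.so") == 1 ? identity_remove("/constructed/token.so") : 1;
}
```

While any identity still references the provider, a module update on disk is not picked up; only after the count drops to zero does the next add load the new build.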


