Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.

Jacob Hoffman-Andrews jsha at letsencrypt.org
Wed Feb 26 10:13:44 AEDT 2020


On Tue, Feb 25, 2020 at 1:09 AM Jakub Jelen <jjelen at redhat.com> wrote:
> Thank you for pointing that out. It is certainly something that should be
> fixed. Can you open a new bug so it will not get lost:

Done, thanks. https://bugzilla.mindrot.org/show_bug.cgi?id=3125

> Never unloading pkcs11 modules can have unexpected results for users of
> for example long running ssh-agents and updates -- if you update pkcs11
> module, you expect that if you remove it and add it back, it will load
> the new one.

This is a good point. The same is true of updates to ssh-agent itself, though.
Are updates to pkcs11 modules more frequent, or more urgent, than
updates to ssh-agent?

An idea:

 - ssh-add retains its ability to explicitly unload providers via `-e`
 - ssh-agent stops treating it as an error to request loading of the same
  provider twice.

I believe this would fix the `-D` and `-d` use cases. Is there a reason that
ssh-agent should treat a second load request for the same provider as an
error?
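To make the two behaviours in the proposal concrete, here is a small Python model of an agent's PKCS#11 provider table. It is a constructed illustration added to this page, not OpenSSH code: the module path is made up, `-D` is modelled as clearing identities while leaving the provider table alone (which is what the thread implies causes the "agent refused operation" on re-add), and the `version` field stands in for whichever copy of the shared object was actually loaded. It shows the `-D` then re-add case under both the current and the proposed behaviour, and Jakub's update case, where an explicit `-e` is what makes the agent pick up a replaced module.

```python
from dataclasses import dataclass, field


class AgentRefusedOperation(Exception):
    """Stands in for the 'agent refused operation' message ssh-add prints."""


@dataclass
class Provider:
    path: str      # the PKCS#11 shared object passed to `ssh-add -s`
    version: str   # stands in for the module file that was actually loaded


@dataclass
class Agent:
    idempotent_add: bool                             # False = current, True = proposal
    providers: dict = field(default_factory=dict)    # path -> Provider
    identities: list = field(default_factory=list)   # (provider path, key label)

    def add_provider(self, path, disk):
        """Model of `ssh-add -s path`; `disk` maps path -> module version installed."""
        if path in self.providers and not self.idempotent_add:
            raise AgentRefusedOperation(f"provider already loaded: {path}")
        if path not in self.providers:
            # Only a fresh load picks up the module currently installed on disk.
            self.providers[path] = Provider(path, disk[path])
        prov = self.providers[path]
        # (Re)enumerate the token's keys; the label is constructed from the version.
        self.identities = [i for i in self.identities if i[0] != path]
        self.identities.append((path, f"token-key@{prov.version}"))
        return prov

    def remove_provider(self, path):
        """Model of `ssh-add -e path`: unload the module and drop its keys."""
        self.providers.pop(path, None)
        self.identities = [i for i in self.identities if i[0] != path]

    def remove_all_identities(self):
        """Model of `ssh-add -D` as the thread describes it: the keys go, the
        provider table is left alone, so a later add sees the same path again."""
        self.identities.clear()


MODULE = "/usr/lib/example-pkcs11.so"   # constructed path, not a real module


def readd_after_delete_all(idempotent_add):
    """add -> -D -> add. Returns the identities present afterwards, or 'refused'."""
    disk = {MODULE: "v1"}
    agent = Agent(idempotent_add)
    agent.add_provider(MODULE, disk)
    agent.remove_all_identities()
    try:
        agent.add_provider(MODULE, disk)
    except AgentRefusedOperation:
        return "refused"
    return [label for _, label in agent.identities]


def version_after_update(explicit_unload):
    """The update case under the proposal: the module on disk goes v1 -> v2.
    Returns the version the agent is actually running after the re-add."""
    disk = {MODULE: "v1"}
    agent = Agent(idempotent_add=True)
    agent.add_provider(MODULE, disk)
    disk[MODULE] = "v2"                  # a package update replaces the .so
    if explicit_unload:
        agent.remove_provider(MODULE)    # `-e` keeps its meaning in the proposal
    agent.add_provider(MODULE, disk)
    return agent.providers[MODULE].version


if __name__ == "__main__":
    print(readd_after_delete_all(False))   # refused
    print(readd_after_delete_all(True))    # ['token-key@v1']
    print(version_after_update(False))     # v1: a silent re-add keeps the old module
    print(version_after_update(True))      # v2: unload first, then add
```

The last two lines are the trade-off in the thread: making a second load a no-op means a re-add alone never replaces module code, so users who update a PKCS#11 module under a long-running agent must `ssh-add -e` before adding it back.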


More information about the openssh-unix-dev mailing list