IdentitiesOnly and PKCS

Damien Miller djm at
Fri Dec 3 14:46:30 AEDT 2021

On Tue, 30 Nov 2021, Dirk-Willem van Gulik wrote:

> Is it just me - or does, since version 3.0.7, IdentitiesOnly no longer include PKCS#11 keys ?
> With IdentitiesOnly set to yes - I see them getting picked up:
> 	debug2: pkcs11_fetch_keys: provider /Library/OpenSC/lib/ slot 0: RSA SHA256:etcetc
> 	debug1: have 2 keys
> but not being offered. With IdentitiesOnly set to no (or without; the default) - they get offered.
> Is that intentional ? Or what is the thinking behind this ?

Yes, intentional. This changed in OpenSSH 6.2, almost 9 years ago :)

> commit cb6b68b209d8868a94a30b1a634beb1a65cb5265
> Author: Damien Miller <djm at>
> Date:   Mon Dec 3 09:49:52 2012 +1100
>        - djm at 2012/12/02 20:26:11
>          [ssh_config.5 sshconnect2.c]
>          Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
>          This allows control of which keys are offered from tokens using
>          IdentityFile. ok markus@

The behaviour changed to fix a bug: IdentitiesOnly was not being applied
to PKCS#11 hosted keys, making it impossible to control which ones were
being offered to a server.

Since the change, you are able to filter PKCS#11 keys using IdentityFile
directives. To do this, you need to specify the public key rather than
the private. The same thing works for keys held in ssh-agent.
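
An ssh_config fragment illustrating the filtering described above. This is an added example, not part of the original message or of OpenSSH's documentation; the provider path, host aliases and the `token_key.pub` file name are placeholders.

```sshconfig
# Constructed example. The provider path, host aliases and the .pub file name
# are placeholders, not values from the thread.
#
# First save the token key's public half to a file. ssh-keygen -D prints every
# public key the PKCS#11 provider exposes, one per line; keep only the line
# for the key you want offered:
#   ssh-keygen -D /path/to/pkcs11-provider.so > ~/.ssh/token_key.pub

# Token keys are fetched but not offered: IdentitiesOnly restricts ssh to the
# configured identity files (here only the defaults), and, assuming none of
# those matches a key on the token, nothing from the token is tried.
Host no-token-key.example
    PKCS11Provider /path/to/pkcs11-provider.so
    IdentitiesOnly yes

# Only the token key whose public half is stored in token_key.pub is offered.
# IdentityFile names the public key; the private key stays on the token.
Host token-key.example
    PKCS11Provider /path/to/pkcs11-provider.so
    IdentityFile ~/.ssh/token_key.pub
    IdentitiesOnly yes
```

Running `ssh -G token-key.example` prints the effective options for that host, which confirms the stanza is the one being applied before a connection is attempted.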

