Addition of pkcs11 provider triggers ssh break: PRNG is not seeded

Graham Leggett minfrin at sharp.fm
Wed Nov 5 22:51:04 AEDT 2025


Hi all,

I had a sudden case of ssh failing as follows:

Little-Net-8818:~ minfrin$ ssh --version
PRNG is not seeded

The trigger was adding the following pkcs11 provider configuration to openssl:

Little-Net-8818:~ minfrin$ cat /opt/local/etc/openssl/openssl.cnf.d/pkcs11.conf

[provider_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
module = /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib
pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
#pkcs11-module-token-pin = /etc/ssl/pinfile.txt
activate = 1

The workaround was removing the pkcs11 provider config above.

Am I right in understanding this is an error handling problem? Ideally we should get the reason why the PRNG is not seeded, rather than just the statement.

Also, it seems weird that crypto is being set up (which then fails) before --version is processed.

Is there something more than this going on? Why would openssl work fine when a pkcs11 provider is present but ssh not? Is this a known issue, or should I go off and dig some more?

Regards,
Graham
--

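A check worth running alongside the report above (an added example, not code from Graham's post nor from OpenSSH or OpenSSL): it asks libcrypto for random bytes under a given configuration, which reproduces ssh's seed test without ssh in the loop and surfaces OpenSSL's own error queue, and it compares the pkcs11-only config with one that also activates the default provider, since OpenSSL's config(5) documents that the default provider is no longer loaded implicitly once any provider is activated in the configuration file. It assumes the openssl 3.x CLI is on PATH; the function names are mine and the module paths are the ones from the post.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post): test whether an OpenSSL
# configuration leaves libcrypto's DRBG usable, straight from the shell.
# Assumes the "openssl" 3.x CLI is on PATH. Function names are hypothetical.

# rng_ok CONF: exit 0 if libcrypto can hand out random bytes under CONF,
# non-zero otherwise, with OpenSSL's error queue on stderr (the reason that
# ssh's bare "PRNG is not seeded" message does not show).
rng_ok() {
    OPENSSL_CONF="$1" openssl rand -hex 16 >/dev/null
}

# write_conf FILE MODULE PKCS11_MODULE_PATH WITH_DEFAULT: write a complete
# openssl.cnf that activates the pkcs11 provider (same keys as the post) and,
# if WITH_DEFAULT is 1, also the built-in default provider. config(5) states
# the default provider is not loaded implicitly once any provider is activated.
write_conf() {
    {
        printf 'openssl_conf = openssl_init\n\n[openssl_init]\nproviders = provider_sect\n\n'
        printf '[provider_sect]\n'
        if [ "$4" = 1 ]; then printf 'default = default_sect\n'; fi
        printf 'pkcs11 = pkcs11_sect\n\n'
        if [ "$4" = 1 ]; then printf '[default_sect]\nactivate = 1\n\n'; fi
        printf '[pkcs11_sect]\nmodule = %s\npkcs11-module-path = %s\nactivate = 1\n' "$2" "$3"
    } > "$1"
}

# compare MODULE PKCS11_MODULE_PATH: prints one of
#   rng-ok         the pkcs11-only config leaves the DRBG usable as-is
#   needs-default  the DRBG only works once the default provider is activated too
#   rng-broken     fails either way; run rng_ok directly to read the error queue
compare() {
    d=$(mktemp -d)
    write_conf "$d/pkcs11-only.cnf" "$1" "$2" 0
    write_conf "$d/pkcs11-plus-default.cnf" "$1" "$2" 1
    if rng_ok "$d/pkcs11-only.cnf" 2>/dev/null; then
        echo rng-ok
    elif rng_ok "$d/pkcs11-plus-default.cnf" 2>/dev/null; then
        echo needs-default
    else
        echo rng-broken
    fi
    rm -rf "$d"
}

# Usage with the paths from the post:
# compare /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib /Library/OpenSC/lib/opensc-pkcs11.so
```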