Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
Jacob Hoffman-Andrews
jsha at letsencrypt.org
Wed Feb 26 10:13:44 AEDT 2020
On Tue, Feb 25, 2020 at 1:09 AM Jakub Jelen <jjelen at redhat.com> wrote:
> Thank you for pointing that out. It is certainly something that should be
> fixed. Can you open a new bug so it will not get lost:
Done, thanks. https://bugzilla.mindrot.org/show_bug.cgi?id=3125
> Never unloading pkcs11 modules can have unexpected results for users of
> for example long running ssh-agents and updates -- if you update pkcs11
> module, you expect that if you remove it and add it back, it will load
> the new one.
This is a good point. The same is true of updates to ssh-agent itself, though.
Are updates to pkcs11 modules more frequent, or more urgent, than
updates to ssh-agent?
An idea:
- ssh-add retains its ability to explicitly unload providers via `-e`
- ssh-agent stops treating it as an error to request loading of the same
provider twice.
I believe this would fix the `-D` and `-d` use cases. Is there a reason that
ssh-agent should treat a second load request for the same provider as an
error?