OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
Damien Miller
djm at mindrot.org
Wed Oct 8 15:32:50 AEDT 2025
On Tue, 7 Oct 2025, Joost van Dijk wrote:
> Hi,
>
> I noticed from the release notes that OpenSSH 10.1p1 now supports ed25519 keys hosted on PKCS#11 tokens. Nice!
>
> I tested this on macOS 26 (Tahoe) with OpenSSH installed via Homebrew using an ed25519 key hosted on a PKCS#11 token (a YubiKey 5.7.4).
> Although this works fine, I ran into an issue generating the corresponding SSH public key file.
>
> I am using Yubico’s PKCS#11 module (libykcs11, version 2.7.2 installed with yubico-piv-tool using homebrew), pointed to by $YKCS_P11.
> When I try to download the public keys from the token, it seems ssh-keygen doesn’t know about ed25519 keys yet:
>
> $ ssh-keygen -D $YKCS_P11 -vv
[...]
> skipping unsupported key type
This line tells me you're not actually running OpenSSH 10.1.
The current code prints the type number when it sees an unsupported key:
1473 error("skipping unsupported certificate type %lu",
1474 ck_cert_type);
You must be running an older version.
I just checked that ssh-keygen -D does work with a yk5 and ykcs11,
though I did notice that it crashes at exit. I'll commit a fix.
-d
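The diagnosis above turns on which ssh-keygen is actually first in PATH and what version it is: on a Mac the system /usr/bin/ssh sits alongside any Homebrew install, and the "skipping unsupported key type" wording (no type number) is what pre-10.1 builds print. The following script is an added example, not code from the thread or from OpenSSH: it parses the `ssh -V` banner (ssh-keygen has no version flag), checks it against the 10.1 threshold the thread gives for ed25519-on-PKCS#11 support, and reports which binaries PATH resolves to. The Homebrew prefix hint in the output is general background, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): find out which OpenSSH
# build is first in PATH and whether it is new enough (>= 10.1 per the
# thread) for `ssh-keygen -D` to list ed25519 keys on a PKCS#11 token.

# Parse an `ssh -V` banner such as "OpenSSH_10.1p1, LibreSSL 3.3.6" into
# "major minor" on stdout.  Returns 1 if the string is not an OpenSSH banner.
openssh_version_parts() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Exit 0 when banner $1 is at least version $2.$3, 1 otherwise.
openssh_at_least() {
    banner=$1; need_major=$2; need_minor=$3
    parts=$(openssh_version_parts "$banner") || return 1
    have_major=${parts% *}
    have_minor=${parts#* }
    if [ "$have_major" -gt "$need_major" ]; then
        return 0
    fi
    if [ "$have_major" -eq "$need_major" ] && [ "$have_minor" -ge "$need_minor" ]; then
        return 0
    fi
    return 1
}

# Report the ssh / ssh-keygen binaries PATH resolves to and the running
# version.  `ssh -V` writes its banner to stderr, hence the 2>&1.
diagnose_ssh() {
    printf 'ssh-keygen in PATH: %s\n' "$(command -v ssh-keygen || echo '(none)')"
    printf 'ssh in PATH:        %s\n' "$(command -v ssh || echo '(none)')"
    banner=$(ssh -V 2>&1 | head -n 1)
    printf 'version banner:     %s\n' "$banner"
    if openssh_at_least "$banner" 10 1; then
        echo "OK: OpenSSH >= 10.1, ssh-keygen -D can list ed25519 PKCS#11 keys"
    else
        echo "Older than 10.1 (or not OpenSSH): expect 'skipping unsupported key type'"
        echo "Hint: a Homebrew OpenSSH lives under the Homebrew prefix (e.g. /opt/homebrew/bin);"
        echo "      /usr/bin/ssh-keygen is the OS copy. Check PATH order or call the full path."
    fi
}

diagnose_ssh
```

Run it with the same PATH as the shell where `ssh-keygen -D $YKCS_P11` was tried; if the reported ssh-keygen is /usr/bin/ssh-keygen, the Homebrew build is not the one being exercised.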
More information about the openssh-unix-dev mailing list