OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
Damien Miller
djm at mindrot.org
Wed Oct 8 15:58:05 AEDT 2025
On Wed, 8 Oct 2025, Damien Miller wrote:
> On Tue, 7 Oct 2025, Joost van Dijk wrote:
>
> > Hi,
> >
> > I noticed from the release notes that OpenSSH 10.1p1 now supports ed25519 keys hosted on PKCS#11 tokens. Nice!
> >
> > I tested this on macOS 26 (Tahoe) with OpenSSH installed via Homebrew using an ed25519 key hosted on a PKCS#11 token (a YubiKey 5.7.4).
> > Although this works fine, I ran into an issue generating the corresponding SSH public key file.
> >
> > I am using Yubico’s PKCS#11 module (libykcs11, version 2.7.2 installed with yubico-piv-tool using homebrew), pointed to by $YKCS_P11.
> > When I try to download the public keys from the token, it seems ssh-keygen doesn’t know about ed25519 keys yet:
> >
> > $ ssh-keygen -D $YKCS_P11 -vv
> [...]
> > skipping unsupported key type
>
> This line tells me you're not actually running OpenSSH 10.1.
>
> The current code prints the type number when it sees an unsupported key:
>
> 1473 error("skipping unsupported certificate type %lu",
> 1474 ck_cert_type);
Sorry, those are the wrong lines. The correct ones are:
1588 error("skipping unsupported key type 0x%lx",
1589 (u_long)ck_key_type);
But the point stands :)
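The diagnostic above is the practical check: an OpenSSH 10.1 ssh-keygen reports the PKCS#11 CK_KEY_TYPE it skips as "0x%lx", so a bare "skipping unsupported key type" means an older binary ran (on a Homebrew macOS install, typically /usr/bin/ssh-keygen ahead of the Homebrew one in PATH). The script below is an added example, not code from the thread or from OpenSSH: it checks the "ssh -V" banner of whatever is first in PATH against 10.1, and decodes the skip messages from "ssh-keygen -D $YKCS_P11 -vv" into the CKK_* names from the PKCS#11 specification (CKK_EC_EDWARDS is 0x40). The sample output lines it parses are constructed here for illustration; the $YKCS_P11 variable is the one used in the report.

```shell
#!/bin/sh
# Added example, not from the openssh-unix-dev thread or the OpenSSH sources.
# CKK_* values are the PKCS#11 CK_KEY_TYPE constants; ssh-keygen prints the
# raw value with "0x%lx", i.e. lowercase hex without zero padding.

# Map a CK_KEY_TYPE as printed by ssh-keygen (e.g. 0x40) to its PKCS#11 name.
ckk_name() {
    case "$1" in
        0x0)  echo CKK_RSA ;;
        0x1)  echo CKK_DSA ;;
        0x2)  echo CKK_DH ;;
        0x3)  echo CKK_EC ;;
        0x40) echo CKK_EC_EDWARDS ;;      # ed25519 / ed448 keys
        0x41) echo CKK_EC_MONTGOMERY ;;   # x25519 / x448 keys
        *)    echo "unknown($1)" ;;
    esac
}

# Return 0 if an "ssh -V" banner (e.g. "OpenSSH_10.1p1, LibreSSL 3.3.6")
# names OpenSSH >= major.minor.  ssh-keygen has no -V, so the ssh binary
# installed alongside it is what gets asked.
ssh_version_at_least() {
    banner=$1; want_major=$2; want_minor=$3
    set -- $(printf '%s\n' "$banner" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 1
    if [ "$1" -gt "$want_major" ]; then return 0; fi
    if [ "$1" -eq "$want_major" ] && [ "$2" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# Read "ssh-keygen -D <module> -vv" output on stdin and explain each
# "skipping unsupported key type" line.  With a type number it is the 10.1
# code path (the key type is just not handled); without one, the ssh-keygen
# that ran predates the diagnostic and therefore predates ed25519 support.
decode_skipped_keys() {
    while IFS= read -r line; do
        case "$line" in
            *"skipping unsupported key type 0x"*)
                code=${line##*"skipping unsupported key type "}
                echo "new-ssh-keygen skipped $(ckk_name "$code")"
                ;;
            *"skipping unsupported key type"*)
                echo "old-ssh-keygen (no type number printed; not 10.1)"
                ;;
        esac
    done
}

# Stand-alone use: report which ssh is first in PATH and, if the module
# path is set as in the thread, decode a real listing of the token.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    if ssh_version_at_least "$banner" 10 1; then
        echo "$(command -v ssh): $banner, new enough for ed25519 PKCS#11 keys"
    else
        echo "$(command -v ssh): $banner, older than 10.1; check PATH order"
    fi
    if [ -n "${YKCS_P11:-}" ]; then
        ssh-keygen -D "$YKCS_P11" -vv 2>&1 | decode_skipped_keys
    fi
fi
```

Because the skip message is matched by substring, the decoder does not care whether the log line carries a program-name prefix or debug noise around it; only the hex value after the fixed text is interpreted.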