OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens

Joost van Dijk vandijk.joost at gmail.com
Thu Oct 9 19:36:14 AEDT 2025



> On 8 Oct 2025, at 23:39, Damien Miller <djm at mindrot.org> wrote:
> 
> On Wed, 8 Oct 2025, Joost van Dijk wrote:
> 
>> Apologies if I used the wrong version - I was convinced I used 10.1 installed using HomeBrew.
>> But I also compiled different versions from source, and now I cannot reproduce so I must have screwed up at some point.
>> 
>> But actually, I was struggling with some other issue involving the PIN that seems to have changed between 10.0 and 10.1.
> 
> Try this patch. You'll need to re-run configure (or at least
> config.status) and make
> 
> diff --git a/Makefile.in b/Makefile.in
> index 19a9e4dcf..ea38671f7 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> @@ -157,7 +157,7 @@ SSHADD_OBJS=	ssh-add.o $(P11OBJS) $(SKOBJS)
> 
> SSHAGENT_OBJS=	ssh-agent.o $(P11OBJS) $(SKOBJS)
> 
> -SSHKEYGEN_OBJS=	ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
> +SSHKEYGEN_OBJS=	ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
> 
> SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
> 
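Review bot: swapping `$(P11OBJS)` for a literal `ssh-pkcs11.o` in SSHKEYGEN_OBJS makes ssh-keygen the only target in this region that bypasses the macro, while SSHADD_OBJS, SSHAGENT_OBJS and SSHKEYSIGN_OBJS in the same hunk keep `$(P11OBJS)`; a one-line comment in Makefile.in stating why ssh-keygen must link the provider object directly would spare the next reader a bisect, and since the report below says the PIN prompt is gone but a crash at exit remains in ssh-pkcs11.c, the change should be reviewed together with that exit-path fix rather than as a standalone Makefile tweak.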

After applying the patch:

$ git diff
diff --git a/Makefile.in b/Makefile.in
index 760fbaa5b..ba17a79f0 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -158,7 +158,7 @@ SSHADD_OBJS=        ssh-add.o $(P11OBJS) $(SKOBJS)
 
 SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)
 
-SSHKEYGEN_OBJS=        ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
+SSHKEYGEN_OBJS=        ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
 
 SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
 
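Review bot: this pasted `git diff` has the tabs after `SSHAGENT_OBJS=`, `SSHKEYGEN_OBJS=` and the other assignments flattened to runs of spaces, and it carries a different hunk offset (`@@ -158,7 +158,7 @@` against `@@ -157,7 +157,7 @@` in the proposal) and different blob ids (760fbaa5b..ba17a79f0), so it confirms the same line-for-line change was applied on a different base tree but cannot itself be fed back to `git apply` without whitespace repair.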
And running

$ ./configure --prefix $(pwd)/V_10_1_P1 --with-ssl-dir=/opt/homebrew/opt/openssl@3
make install

I no longer get the ‘pin required’ message, and the attestation public key is output, as well as my ed25519 key.
However, it is followed by a segmentation fault:

$ V_10_1_P1/bin/ssh-keygen -D $YKCS_P11 
failed to fetch key
failed to fetch key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGaro7qWzlUwCeOoYj6TMjlQ4PB92sSPl8MFcjpdiin Public key for PIV Authentication
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xrCZVCZUhVvVNS4jyXtidBxMtMGnMWud3NFBHsa/2bYJqyH/wlYfJKhOKqTLOYoHsqsamai43TamWZnWBXxyS+gCkqaQnFmJ2hzeq0o+joAaYnYPbmkJTcftN315+xiR0IVmIL01/anM5n5Kodq4eGteAYNoqYAXj8MLz1InR0nasrXzIKvh9WM26Lmpl8h3XKVvzjzznqE8L/l+H6925XacAAahw0/5jP854denYULu0JTxYJxt6zSunXQiHVbhbPi6mJVO1LXvn0G1afBYq2r8XM1G9RkUSjDZFhrQOpuT/O88gMPL1G5zJbH5Y+qWhwMDqc13wE+PxpOuVIal Public key for PIV Attestation
Segmentation fault: 11


You wrote:

> I just checked that ssh-keygen -D does work with a yk5 and ykcs11,
> though I did notice that it crashes at exit. I'll commit a fix.


Do I understand correctly that the patch intends to solve the “pin required” issue (which it does), and not the crash?

In case it helps: reconfiguring and recompiling with CFLAGS="-g", I get:

$ lldb ./ssh-keygen 
(lldb) target create "./ssh-keygen"
Current executable set to '/tmp/openssh-portable/ssh-keygen' (arm64).
(lldb) run -D /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib -vv
Process 25300 launched: '/tmp/openssh-portable/ssh-keygen' (arm64)
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.72
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: label <YubiKey PIV #NNNNNNNN> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial < NNNNNNNN > flags 0x40d
debug1: pkcs11_record_key: RSA key: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0 keyid 19
debug2: pkcs11_fetch_keys: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk
debug1: have 1 keys
debug1: pkcs11_record_key: RSA key: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0 keyid 19
debug1: pkcs11_record_key: Already seen this key at provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0 keyid 19
failed to fetch key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xrCZVCZUhVvVNS4jyXtidBxMtMGnMWud3NFBHsa/2bYJqyH/wlYfJKhOKqTLOYoHsqsamai43TamWZnWBXxyS+gCkqaQnFmJ2hzeq0o+joAaYnYPbmkJTcftN315+xiR0IVmIL01/anM5n5Kodq4eGteAYNoqYAXj8MLz1InR0nasrXzIKvh9WM26Lmpl8h3XKVvzjzznqE8L/l+H6925XacAAahw0/5jP854denYULu0JTxYJxt6zSunXQiHVbhbPi6mJVO1LXvn0G1afBYq2r8XM1G9RkUSjDZFhrQOpuT/O88gMPL1G5zJbH5Y+qWhwMDqc13wE+PxpOuVIal Public key for PIV Attestation
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 2
Process 25300 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4)
    frame #0: 0x00000001000141b0 ssh-keygen`pkcs11_provider_unref(p=0x0000000000000004) at ssh-pkcs11.c:140:2
   137 	static void
   138 	pkcs11_provider_unref(struct pkcs11_provider *p)
   139 	{
-> 140 		debug_f("provider \"%s\" refcount %d", p->name, p->refcount);
   141 		if (--p->refcount <= 0) {
   142 			if (p->valid)
   143 				error_f("provider \"%s\" still valid", p->name);
Target 0: (ssh-keygen) stopped.


Thank you for your efforts to get this sorted out!
—
Joost