OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens

Damien Miller djm at mindrot.org
Fri Oct 10 10:17:57 AEDT 2025


On Thu, 9 Oct 2025, Joost van Dijk wrote:

> 
> 
> > On 8 Oct 2025, at 23:39, Damien Miller <djm at mindrot.org> wrote:
> > 
> > On Wed, 8 Oct 2025, Joost van Dijk wrote:
> > 
> >> Apologies if I used the wrong version - I was convinced I used 10.1 installed using HomeBrew.
> >> But I also compiled different versions from source, and now I cannot reproduce so I must have screwed up at some point.
> >> 
> >> But actually, I was struggling with some other issue involving the PIN that seems to have changed between 10.0 and 10.1.
> > 
> > Try this patch. You'll need to re-run configure (or at least
> > config.status) and make
> > 
> > diff --git a/Makefile.in b/Makefile.in
> > index 19a9e4dcf..ea38671f7 100644
> > --- a/Makefile.in
> > +++ b/Makefile.in
> > @@ -157,7 +157,7 @@ SSHADD_OBJS=	ssh-add.o $(P11OBJS) $(SKOBJS)
> > 
> > SSHAGENT_OBJS=	ssh-agent.o $(P11OBJS) $(SKOBJS)
> > 
> > -SSHKEYGEN_OBJS=	ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
> > +SSHKEYGEN_OBJS=	ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
> > 
> > SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
> > 
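Review bot: The new SSHKEYGEN_OBJS line hard-codes ssh-pkcs11.o while SSHADD_OBJS, SSHAGENT_OBJS and SSHKEYSIGN_OBJS in the surrounding context still take their PKCS#11 objects from $(P11OBJS), and nothing in the hunk says why ssh-keygen is the exception. A short comment above the line stating that ssh-keygen links ssh-pkcs11.o directly, and why, would keep a later cleanup from switching it back to $(P11OBJS). Because the edit is to Makefile.in, it only takes effect once the Makefile is regenerated, as the message notes.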
> 
> After applying the patch:
> 
> $ git diff
> diff --git a/Makefile.in b/Makefile.in
> index 760fbaa5b..ba17a79f0 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> @@ -158,7 +158,7 @@ SSHADD_OBJS=        ssh-add.o $(P11OBJS) $(SKOBJS)
>  
>  SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)
>  
> -SSHKEYGEN_OBJS=        ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
> +SSHKEYGEN_OBJS=        ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
>  
>  SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
>  
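Review bot: The hunk header here is @@ -158,7 +158,7 with index 760fbaa5b..ba17a79f0, while the posted patch has @@ -157,7 +157,7 with index 19a9e4dcf..ea38671f7, so this Makefile.in is not the same revision the patch was generated against. The changed SSHKEYGEN_OBJS line itself matches the patch, but the report should name the exact tree being built so that the behaviour described afterwards can be tied to a known revision.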
> And running
> 
> $ ./configure --prefix $(pwd)/V_10_1_P1 --with-ssl-dir=/opt/homebrew/opt/openssl@3
> make install
> 
> I no longer get the ‘pin required’ message, and the attestation public key is output, as well as my ed25519 key.
> However, it is followed by a segmentation fault:

Yes, this is the crash I mentioned. The fix was committed as 0118c30aca
and will be in OpenSSH 10.2, which is about to be released.


More information about the openssh-unix-dev mailing list