OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens

Joost van Dijk vandijk.joost at gmail.com
Fri Oct 10 21:23:42 AEDT 2025



> On 10 Oct 2025, at 01:17, Damien Miller <djm at mindrot.org> wrote:
> 
> On Thu, 9 Oct 2025, Joost van Dijk wrote:
> 
>> 
>> 
>>> On 8 Oct 2025, at 23:39, Damien Miller <djm at mindrot.org> wrote:
>>> 
>>> On Wed, 8 Oct 2025, Joost van Dijk wrote:
>>> 
>>>> Apologies if I used the wrong version - I was convinced I used 10.1 installed using HomeBrew.
>>>> But I also compiled different versions from source, and now I cannot reproduce so I must have screwed up at some point.
>>>> 
>>>> But actually, I was struggling with some other issue involving the PIN that seems to have changed between 10.0 and 10.1.
>>> 
>>> Try this patch. You'll need to re-run configure (or at least
>>> config.status) and make
>>> 
>>> diff --git a/Makefile.in b/Makefile.in
>>> index 19a9e4dcf..ea38671f7 100644
>>> --- a/Makefile.in
>>> +++ b/Makefile.in
>>> @@ -157,7 +157,7 @@ SSHADD_OBJS=	ssh-add.o $(P11OBJS) $(SKOBJS)
>>> 
>>> SSHAGENT_OBJS=	ssh-agent.o $(P11OBJS) $(SKOBJS)
>>> 
>>> -SSHKEYGEN_OBJS=	ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
>>> +SSHKEYGEN_OBJS=	ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
>>> 
>>> SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
>>> 
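Review bot: On the `+SSHKEYGEN_OBJS=` line, `ssh-pkcs11.o` is now hard-coded, while SSHADD_OBJS, SSHAGENT_OBJS and SSHKEYSIGN_OBJS in the same hunk still take their PKCS#11 objects from `$(P11OBJS)`, and nothing in the Makefile records why ssh-keygen differs. A one-line comment above the assignment, or a separately named variable for this object list, would keep the exception from being silently reverted or overlooked if `$(P11OBJS)` changes later. Because the edit is to Makefile.in rather than the generated Makefile, it only takes effect after configure or config.status is re-run, as the message notes.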
>> 
>> After applying the patch:
>> 
>> $ git diff
>> diff --git a/Makefile.in b/Makefile.in
>> index 760fbaa5b..ba17a79f0 100644
>> --- a/Makefile.in
>> +++ b/Makefile.in
>> @@ -158,7 +158,7 @@ SSHADD_OBJS=        ssh-add.o $(P11OBJS) $(SKOBJS)
>> 
>> SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)
>> 
>> -SSHKEYGEN_OBJS=        ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
>> +SSHKEYGEN_OBJS=        ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
>> 
>> SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
>> 
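Review bot: The `@@ -158,7 +158,7 @@` header and the `index 760fbaa5b..ba17a79f0` line differ from the posted patch (`@@ -157,7 +157,7 @@`, `index 19a9e4dcf..ea38671f7`), so this Makefile.in is not the same revision the patch was generated against. The changed `SSHKEYGEN_OBJS` line itself matches the posted one, but stating the tag or commit of the tree next to the `git diff` output would make the test result reproducible.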
>> And running
>> 
>> $ ./configure --prefix $(pwd)/V_10_1_P1 --with-ssl-dir=/opt/homebrew/opt/openssl@3
>> $ make install
>> 
>> I no longer get the ‘pin required’ message, and the attestation public key is output, as well as my ed25519 key.
>> However, it is followed by a segmentation fault:
> 
> Yes, this is the crash I mentioned. The fix was committed as 0118c30aca
> and will be in OpenSSH 10.2, which is about to be released.

Wonderful! Works as expected now.
Thanks!
-Joost