Created attachment 2946 [details]
proposed patch

Since the whitelisting of the PKCS#11 modules in ssh-agent, after adding a PKCS#11 module that is a symlink to another file (as is common in Fedora/RHEL), we are unable to remove the module with the same path:

/usr/lib64/pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so

The ssh-agent says:

$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
$ ssh-add -e /usr/lib64/opensc-pkcs11.so
Could not remove card "/usr/lib64/opensc-pkcs11.so": agent refused operation

From the ssh-agent log we can see:

process_remove_smartcard_key: pkcs11_del_provider failed

The problem is the call to realpath(3), which resolves the symlinks and passes the target of that symlink on to the pkcs11 code. I understand that it is needed for the whitelist to be effective, but it is getting confusing that one input is sanitized, the second is not, and they are compared with each other (in pkcs11_provider_lookup()). We should probably add the realpath call to the remove routine too, to make it more user-friendly. The proposed patch also adds some more debug information.
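To make the mismatch in the report above concrete, here is a small constructed C model of the agent's provider list (added example, not OpenSSH code): add canonicalises with realpath(3) before storing, the unpatched remove compares the user's string as given, and the patched remove canonicalises as well. It recreates the Fedora-style symlink layout in a temporary directory; the function names and the 4-entry list are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for ssh-agent's provider list; lookup compares the stored string exactly, like pkcs11_provider_lookup(). */
static char providers[4][PATH_MAX]; static int nproviders;
static int provider_lookup(const char *path) {
    for (int i = 0; i < nproviders; i++) if (strcmp(providers[i], path) == 0) return i;
    return -1;
}
/* Add: the user-supplied path is canonicalised with realpath(3) before it is stored. */
static int add_provider(const char *path) {
    char resolved[PATH_MAX];
    if (nproviders >= 4 || realpath(path, resolved) == NULL) return -1;
    snprintf(providers[nproviders++], PATH_MAX, "%s", resolved);
    return 0;
}
/* Remove, pre-patch: the user-supplied string is looked up as given, without realpath. */
static int remove_provider_raw(const char *path) {
    int i = provider_lookup(path);
    if (i < 0) return -1;
    memmove(providers[i], providers[i + 1], (size_t)(--nproviders - i) * PATH_MAX);
    return 0;
}
/* Remove, patched: canonicalise first so both sides of the comparison have been sanitised. */
static int remove_provider_fixed(const char *path) {
    char resolved[PATH_MAX];
    return realpath(path, resolved) == NULL ? -1 : remove_provider_raw(resolved);
}
/* Recreate the Fedora layout in a temp dir (<d>/pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so), add via the
 * symlink, then remove via the same symlink path; returns 1 when the unpatched removal fails and the patched one works. */
int demo_symlink_mismatch(void) {
    char d[] = "/tmp/pkcs11demoXXXXXX", sub[PATH_MAX], target[PATH_MAX], lnk[PATH_MAX];
    if (mkdtemp(d) == NULL) return 0;
    snprintf(sub, sizeof sub, "%s/pkcs11", d); snprintf(target, sizeof target, "%s/opensc-pkcs11.so", d);
    snprintf(lnk, sizeof lnk, "%s/pkcs11/opensc-pkcs11.so", d);
    FILE *f = fopen(target, "w");                 /* an empty file stands in for the real module */
    if (f == NULL || mkdir(sub, 0755) != 0 || symlink("../opensc-pkcs11.so", lnk) != 0) return 0;
    fclose(f); nproviders = 0;
    int added = add_provider(lnk);                /* stores <d>/opensc-pkcs11.so, not the symlink path */
    int raw = remove_provider_raw(lnk);           /* -1: the "agent refused operation" case */
    int fixed = remove_provider_fixed(lnk);       /*  0: resolved path is found and removed */
    unlink(lnk); rmdir(sub); unlink(target); rmdir(d);
    return added == 0 && raw == -1 && fixed == 0;
}
```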
Comment on attachment 2946 [details]
proposed patch

looks ok to me
Applied - this will be in OpenSSH 7.5, due next week.
closing resolved bugs as of 8.6p1 release