Currently, there is no way for users to disable use of PKCS11Provider if it is set in the system-wide configuration file. This can create problems when attempting to connect to a system that does not trust the keys from the smartcard and the card offers too many keys. Adding support for PKCS11Provider=none would alleviate this issue. The problem scenario is as follows: 1) Unconditional use of PKCS11Provider is enabled in the system-wide ssh_config file. 2) A smartcard with multiple keys is left in the reader. 3) A user attempts to ssh to a system that does not trust any of the keys provided by the smartcard. Under these circumstances, the ssh attempt may fail due to too many authentication failures. A similar problem can occur when a user leaves the smartcard in the reader and cronjobs running as a differnt user (such as root) attemtp to use ssh to transfer files etc. Supporting setting PKCS11Provider to "none" would provide a simple way to avoid these problems. An alternative approach would be to provide some means to specify the slot to use from the smartcard, and thus reduce the number of keys offered.
Created attachment 3247 [details] proposed patch I attached the proposed patch, that address also few issues around that I noticed while checking this option: * The manual page did not list the ECDSA keys that got supported recently * The -G option was dumping the undocumented option smartcarddevice instead of pkcs11provider
hah, I just committed a basically identical patch for readconf.c. I'll commit Jakub's manual fix too
I ended up committing a slightly larger rewording of the PKCS11Provider directive. Thanks for the report and patch
closing resolved bugs as of 8.6p1 release