Bug 3444 - Improve PKCS#11 support
Summary: Improve PKCS#11 support
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-agent
Version: 8.7p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2022-06-06 19:21 AEST by Dmitry Belyavskiy
Modified: 2022-06-07 00:18 AEST

Description Dmitry Belyavskiy 2022-06-06 19:21:34 AEST
When you physically remove and re-insert your smartcard, you must re-initialize your ssh-agent with:

ssh-add -e /usr/lib64/opensc-pkcs11.so
ssh-add -s /usr/lib64/opensc-pkcs11.so

It would be nice to be able to just ask it to prompt for your PIN again to reload access to the keys.

Or better yet, when trying to connect, instead of:

# ssh host
sign_and_send_pubkey: signing failed: agent refused operation

it could prompt for the PIN.

See more details in https://bugzilla.redhat.com/show_bug.cgi?id=1609055

See a proposed patch in https://bugzilla.mindrot.org/show_bug.cgi?id=2890
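
The remove-and-re-add workaround from the description, wrapped so it runs only when ssh reports the agent refusal quoted above. This is an added example, not part of the original report and not OpenSSH code; the function names and the overridable SSH, SSH_ADD and PKCS11_PROVIDER variables are assumptions of the example.

```shell
#!/bin/sh
# Added example (not OpenSSH code). The provider path is the one from the
# report; SSH, SSH_ADD and PKCS11_PROVIDER are overridable assumptions.
PKCS11_PROVIDER="${PKCS11_PROVIDER:-/usr/lib64/opensc-pkcs11.so}"
SSH_ADD="${SSH_ADD:-ssh-add}"
SSH="${SSH:-ssh}"

# Drop the stale provider, then load it again. ssh-add -s asks for the PIN.
# A failing -e (provider not currently loaded) is ignored on purpose.
reload_pkcs11() {
    "$SSH_ADD" -e "$PKCS11_PROVIDER" >/dev/null 2>&1 || true
    "$SSH_ADD" -s "$PKCS11_PROVIDER"
}

# True when the captured ssh stderr (file $1) shows the agent declined to sign.
agent_refused() {
    grep -q 'signing failed: agent refused operation' "$1"
}

# Run ssh; on the refusal above, reload the provider and retry exactly once.
# One retry only, so a mistyped PIN cannot loop and use up the card's PIN tries.
# ssh's own stderr is shown after it exits because it is captured to a file.
ssh_card() {
    _err=$(mktemp) || return 1
    _rc=0
    "$SSH" "$@" 2>"$_err" || _rc=$?
    cat "$_err" >&2
    if [ "$_rc" -ne 0 ] && agent_refused "$_err"; then
        reload_pkcs11 || { rm -f "$_err"; return 1; }
        _rc=0
        "$SSH" "$@" || _rc=$?
    fi
    rm -f "$_err"
    return "$_rc"
}
```

Source the file and call `ssh_card host` in place of `ssh host`; any other ssh failure is returned unchanged and leaves the agent untouched.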