OpenSSH's ssh-agent supports accessing keys from other hardware tokens through PKCS#11 modules, using ssh-add -s <path>. Currently ssh-tpm-agent doesn't pass through the load requests at all, although once the module has been loaded directly (by temporarily pointing ssh-add directly to the main ssh-agent socket), all regular operations work fine.
ssh-add -s <path> uses opcode 20 to load modules, while ssh-add -e <path> uses opcode 21 to unload them.
SoftHSM (the extra/softhsm package) can be used as a software PKCS#11 token for testing.
-
Init and populate token (otherwise ssh-agent itself will reject empty tokens):
Optional: point SoftHSM at a temporary config and token directory:
$ export SOFTHSM2_CONF=/tmp/softhsm2.conf
$ mkdir -p /tmp/softhsm2.data
$ echo 'directories.tokendir = /tmp/softhsm2.data' > $SOFTHSM2_CONF
$ softhsm2-util --init-token --free --label yay --so-pin yay1 --pin yay2
$ pkcs11-tool --module /usr/lib/pkcs11/libsofthsm2.so --token-label yay \
--login --pin yay2 --keypairgen --key-type EC:prime256v1 --label testkey
$ pkcs11-tool --module /usr/lib/pkcs11/libsofthsm2.so --token-label yay \
--login --pin yay2 --list-objects
-
Testing:
$ ssh-agent -d -a /tmp/plain.sock &
$ ssh-tpm-agent -d -A /tmp/plain.sock -l /tmp/tpm.sock
$ export SOFTHSM2_CONF=/tmp/softhsm2.conf
$ export SSH_AUTH_SOCK=/tmp/tpm.sock
$ ssh-add -s /usr/lib/pkcs11/libsofthsm2.so
Enter passphrase for PKCS#11: yay2
Could not add card "/usr/lib/pkcs11/libsofthsm2.so": agent refused operation
Debug output from ssh-tpm-agent:
time=2025-08-19T15:02:52.248+03:00 level=INFO msg="agent 20: unknown opcode 20"