Hey,
I use my Yubikey for ssh authentication (CCID/pkcs11). It stopped recently and I don't know why...
In the past, I used `ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so`.
It seems like this changed to `ssh -I /usr/lib/libykcs11.so` (https://developers.yubico.com/PIV/Guide … KCS11.html).
Both do not work for me.
1) Get public ssh key from Yubikey
kmille@spring:~# ssh-keygen -D /usr/lib/libykcs11.so -e
failed to fetch key
failed to fetch key
failed to fetch key
ssh-rsa ...valid ssh key.... Public key for PIV Authentication
ssh-rsa ... valid ssh key... Public key for PIV Attestation
kmille@spring:~# ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so -e
failed to fetch key
ssh-rsa ...same key from above... PIV AUTH pubkey
So it works, but there is still this "failed to fetch key" warning...
2) Authenticate
kmille@spring:~# ssh -I /usr/lib/libykcs11.so server
server: Permission denied (publickey).
With debug log:
debug1: pkcs11_start_helper: starting /usr/lib/ssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/lib/libykcs11.so
debug1: provider /usr/lib/libykcs11.so: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.72
debug1: provider /usr/lib/libykcs11.so slot 0: label <YubiKey PIV #1234> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <1234> flags 0x40d
pin required
debug1: pkcs11_provider_finalize: provider "/usr/lib/libykcs11.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider "/usr/lib/libykcs11.so" refcount 1
debug1: pkcs11_add_provider: provider /usr/lib/libykcs11.so returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
`journalctl -f` shows
Oct 22 19:06:12 spring ssh-pkcs11-helper[2110]: error: pin required
`/usr/lib/ssh/ssh-pkcs11-helper` is written in C and is part of the openssh package. I had a quick look, but `ssh-pkcs11-helper.c` does not contain the string "pin required".
I get the same result when using `ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so server -v`.
I'm glad for any help. Thanks!
UPDATE: It still works when I boot into Linux Mint:
```
ssh version: 1:9.6p1-3ubuntu13.14
opensc version: 0.25.0~rc1-1build2 opensc
```
I'm using Linux hardened. Could this be the problem?
Last edited by kmille (2025-10-22 17:45:53)
I've run into a similar "pin required" issue followed by a failure to auth and no pin prompt when authenticating with a smartcard via opensc, and have temporarily resolved it by downgrading ssh to 10.0p1
Also, for what it's worth, I'm using linux-hardened as well.
Same issue. Using normal kernel, so should not be caused by the hardened kernel
There is a bug report for ssh, https://gitlab.archlinux.org/archlinux/ … /issues/23. Downgrading openssh to version 10.0p1-6 works for me.
please use BB code tag - this forum does not support markdown
[code]
your stuff here
[/code]

one can use ssh-agent
[main@main ~]$ ssh-add -s /usr/lib/libykcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/libykcs11.so
[main@main ~]$ ssh-add -L
ssh-rsa [pub key] Public key for PIV Authentication
ssh-rsa [pub key] Public key for Digital Signature
ssh-rsa [pub key] Public key for Key Management
ssh-rsa [pub key] Public key for Card Authentication
ssh-rsa [key] Public key for PIV Attestation
[main@main ~]$ ssh -vT git@github.com
debug1: OpenSSH_10.2p1, OpenSSL 3.6.0 1 Oct 2025
debug1: Reading configuration data /home/main/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: Reading configuration data /etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: no pubkey loaded from /home/main/.ssh/id_rsa
debug1: identity file /home/main/.ssh/id_rsa type -1
debug1: no identity pubkey loaded from /home/main/.ssh/id_rsa
debug1: no pubkey loaded from /home/main/.ssh/id_ecdsa
debug1: identity file /home/main/.ssh/id_ecdsa type -1
debug1: no identity pubkey loaded from /home/main/.ssh/id_ecdsa
debug1: no pubkey loaded from /home/main/.ssh/id_ecdsa_sk
debug1: identity file /home/main/.ssh/id_ecdsa_sk type -1
debug1: no identity pubkey loaded from /home/main/.ssh/id_ecdsa_sk
debug1: no pubkey loaded from /home/main/.ssh/id_ed25519
debug1: identity file /home/main/.ssh/id_ed25519 type -1
debug1: no identity pubkey loaded from /home/main/.ssh/id_ed25519
debug1: no pubkey loaded from /home/main/.ssh/id_ed25519_sk
debug1: identity file /home/main/.ssh/id_ed25519_sk type -1
debug1: no identity pubkey loaded from /home/main/.ssh/id_ed25519_sk
debug1: Local version string SSH-2.0-OpenSSH_10.2
debug1: Remote protocol version 2.0, remote software version 85ba476
debug1: compat_banner: no match: 85ba476
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/main/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /home/main/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: hostkeys_find_by_key_hostfile: hostkeys file /home/main/.ssh/known_hosts2 does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts2 does not exist
The authenticity of host 'github.com (140.82.121.4)' can't be established.
ED25519 key fingerprint is: SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com' (ED25519) to the list of known hosts.
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 5 keys
debug1: Will attempt key: Public key for PIV Authentication RSA SHA256:sPH0skdSi/zSPA7CeK+e9NG+aFt7Au+rx4A9r5Y32p0 agent
debug1: Will attempt key: Public key for Digital Signature RSA SHA256:qhYtvYXqBeNIn4jRYELVngkIdCj5K/AtSXoQrvby8jM agent
debug1: Will attempt key: Public key for Key Management RSA SHA256:DXtgNrQL/pOhMpmh4hkFb/tSe4dKNhss6w4t0dDfnoU agent
debug1: Will attempt key: Public key for Card Authentication RSA SHA256:TkiRI/PguEqwe6T12e52qwaW9027xog8YnV+17eLtl8 agent
debug1: Will attempt key: Public key for PIV Attestation RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk agent
debug1: Will attempt key: /home/main/.ssh/id_rsa
debug1: Will attempt key: /home/main/.ssh/id_ecdsa
debug1: Will attempt key: /home/main/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/main/.ssh/id_ed25519
debug1: Will attempt key: /home/main/.ssh/id_ed25519_sk
debug1: Offering public key: Public key for PIV Authentication RSA SHA256:sPH0skdSi/zSPA7CeK+e9NG+aFt7Au+rx4A9r5Y32p0 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: Public key for Digital Signature RSA SHA256:qhYtvYXqBeNIn4jRYELVngkIdCj5K/AtSXoQrvby8jM agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: Public key for Key Management RSA SHA256:DXtgNrQL/pOhMpmh4hkFb/tSe4dKNhss6w4t0dDfnoU agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: Public key for Card Authentication RSA SHA256:TkiRI/PguEqwe6T12e52qwaW9027xog8YnV+17eLtl8 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: Public key for PIV Attestation RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk agent
debug1: Server accepts key: Public key for PIV Attestation RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk agent
sign_and_send_pubkey: signing failed for RSA "Public key for PIV Attestation" from agent: agent refused operation
debug1: Trying private key: /home/main/.ssh/id_rsa
debug1: Trying private key: /home/main/.ssh/id_ecdsa
debug1: Trying private key: /home/main/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/main/.ssh/id_ed25519
debug1: Trying private key: /home/main/.ssh/id_ed25519_sk
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
[main@main ~]$

This asks for the PIN once when loading - but be aware: depending on your timeout (default is 15 seconds) this might have to be repeated, as ssh-agent also doesn't know how to interactively re-ask for the PIN when the timeout runs out.
Also: no matter whether you have set a touch policy when generating the keys - that's completely skipped, not just by pcscd but by Yubico's own lib as well.
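The two failure modes in this thread look different in the verbose output: the first (the helper prints `pin required` and the provider "returned no keys", so no key is ever offered) and the second (the server accepts a key but the agent answers "agent refused operation" when asked to sign). As an added example, not code from this thread, from OpenSSH or from Yubico, here is a small Python triage script that reads an `ssh -v` or `ssh-pkcs11-helper -vvv` log and tells the two apart. The embedded sample logs are constructed to match the shape of the output posted above; the fingerprints in them are placeholders, and the hints only restate what the thread reports (PIN cache timeout, the packaging bug and its fix).

```python
"""Triage an OpenSSH `ssh -v` / ssh-pkcs11-helper log for PKCS#11 token failures."""
import re
from dataclasses import dataclass, field

# Constructed sample logs shaped like the ones posted in this thread.
# SHA256:AAAA / SHA256:BBBB are placeholders, not real key fingerprints.
SAMPLE_AGENT_LOG = """\
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: Public key for PIV Authentication RSA SHA256:AAAA agent
debug1: Will attempt key: Public key for PIV Attestation RSA SHA256:BBBB agent
debug1: Offering public key: Public key for PIV Authentication RSA SHA256:AAAA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: Public key for PIV Attestation RSA SHA256:BBBB agent
debug1: Server accepts key: Public key for PIV Attestation RSA SHA256:BBBB agent
sign_and_send_pubkey: signing failed for RSA "Public key for PIV Attestation" from agent: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
"""

SAMPLE_HELPER_LOG = """\
debug1: provider /usr/lib/libykcs11.so slot 0: label <YubiKey PIV #1234> flags 0x40d
pin required
debug1: pkcs11_add_provider: provider /usr/lib/libykcs11.so returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
server: Permission denied (publickey).
"""

# Key labels contain spaces ("Public key for PIV Authentication"), so match
# non-greedily up to the key type, then the SHA256 fingerprint.
_OFFER = re.compile(r'Offering public key: (.+?) (\S+) SHA256:(\S+)')
_ACCEPT = re.compile(r'Server accepts key: (.+?) (\S+) SHA256:(\S+)')
_SIGNFAIL = re.compile(r'signing failed for \S+ "([^"]+)" from agent: (.+)$')
_PIN = re.compile(r'\bpin required\b')


@dataclass
class AuthReport:
    offered: list = field(default_factory=list)        # (label, type, fingerprint)
    accepted: list = field(default_factory=list)       # (label, type, fingerprint)
    sign_failures: list = field(default_factory=list)  # (label, reason)
    provider_no_keys: bool = False
    pin_required: bool = False
    denied: bool = False


def analyze(log: str) -> AuthReport:
    """Collect the publickey-relevant events from a verbose ssh/helper log."""
    r = AuthReport()
    for line in log.splitlines():
        if m := _OFFER.search(line):
            r.offered.append(m.groups())
        elif m := _ACCEPT.search(line):
            r.accepted.append(m.groups())
        elif m := _SIGNFAIL.search(line):
            r.sign_failures.append(m.groups())
        elif _PIN.search(line):
            r.pin_required = True
        elif 'returned no keys' in line:
            r.provider_no_keys = True
        elif 'Permission denied (publickey)' in line:
            r.denied = True
    return r


def diagnose(log: str) -> tuple:
    """Return (code, hint); codes and hints follow what this thread reports."""
    r = analyze(log)
    if r.pin_required or r.provider_no_keys:
        return ("provider-login",
                "ssh-pkcs11-helper could not log in to the token, so the provider "
                "exposed no keys and no PIN prompt appeared. The thread traces this "
                "to the Arch openssh package (workaround: downgrade to 10.0p1-6; "
                "fixed in 10.2p1-2). Loading the token into ssh-agent with "
                "`ssh-add -s <provider>` is another route.")
    if r.accepted and any('agent refused operation' in why for _, why in r.sign_failures):
        return ("agent-sign-refused",
                "The server accepted the key but the agent could not sign with the "
                "token. With `ssh-add -s` the PIN is cached only for a limited time "
                "(the thread mentions a 15 s default) and the agent cannot re-prompt, "
                "so re-run `ssh-add -s` right before connecting. Also check that the "
                "key registered on the server is the one you intend to use: here a "
                "different key than the first one offered was accepted.")
    if r.denied and r.offered and not r.accepted:
        return ("no-matching-key",
                "Keys were offered but none matched the server's authorized keys.")
    if r.denied:
        return ("denied-other", "Permission denied without any key being offered.")
    return ("ok", "No publickey failure found in the log.")


if __name__ == "__main__":
    for name, log in (("agent", SAMPLE_AGENT_LOG), ("helper", SAMPLE_HELPER_LOG)):
        code, hint = diagnose(log)
        print(f"{name}: {code}\n  {hint}")
```

Feed it a real log with `python3 triage.py < log.txt` after replacing the samples with `sys.stdin.read()`; the patterns only rely on the fixed strings OpenSSH prints for offered, accepted and signing-failed keys, so the script does not need the token present.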
Fixed in openssh-10.2p1-2 (https://gitlab.archlinux.org/archlinux/ … 0fc5e7f9fa)