PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

ssh-add -s fails #1548

Open jmyreen opened 4 years ago

jmyreen commented 4 years ago

"OpenSSH for Windows" version

8.1.0.0

Client OperatingSystem

Windows 10 Enterprise

What is failing

ssh-add -s 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'

Using the -s option ("Add keys from PKCS#11 provider"), i.e. using ssh-agent with smart cards, does not work.

Expected output

Identity added ...

Actual output

Enter passphrase for PKCS#11: Could not add card "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll": communication with agent failed

ssh-add is able to communicate with the agent. ssh-add without any options adds the default .ssh/id_rsa file, ssh-add -l is able to list it. ssh-add -s PKCS#11 does not work, although it does prompt for a PIN, so it obviously recognizes the -s option.

FWIW, ssh.exe is able to use a smart card with the option -I 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', it's just ssh-agent that is failing.

NoMoreFood commented 4 years ago

Known issue. Somebody has a pull request in for it: https://github.com/PowerShell/openssh-portable/pull/362

jmyreen commented 4 years ago

I missed this when I looked for duplicates.

Could this be merged into version 8.1 before the final release? The patch is already 14 months old and support for ssh-add -s is part of the feature set of OpenSSH v 8, and many versions before that.

bannsec commented 6 months ago

2024 and I'm getting the exact same issue.

OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3

kayavila commented 5 months ago

Although this should be fixed (per https://github.com/PowerShell/openssh-portable/pull/537), this continues to be a problem for me as well. I tested using the executables provided in the .zip file on OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2. (Since per https://github.com/PowerShell/Win32-OpenSSH/issues/1914, the privilege issue for installing may or may not be fixed on the 64-bit version.)

minfrin commented 3 months ago

Confirmed as a problem for me as well in 2024, Windows 10 LTSC.

yan4321 commented 3 months ago

@bannsec, @kayavila, @minfrin, I just re-tested this using both 32- and 64-bit binaries of the latest release (v9.5.0.0p1-Beta) and all smartcard functionality seems to be working well. This also has been reported to be working by others in the past (1, 2, 3, 4).

A few things I would recommend for troubleshooting:

bwachter commented 2 months ago

I'd also add "check path" to your troubleshooting list. Typically you'd have the ssh/ssh-add shipped with Windows in the path before the separately installed ones - and those will not work. Also, make sure the correct ssh agent is started (the service should update automatically to the new path).
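
The PATH and agent-service check suggested in the comment above, written out as an added example that is not part of the thread or the project's own code. It assumes the OpenSSH copy shipped with Windows lives in `%WINDIR%\System32\OpenSSH` and that the agent service is named `ssh-agent`; `Get-SshBinary` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Assumptions: the OpenSSH copy shipped with
# Windows is in %WINDIR%\System32\OpenSSH and the agent service is named 'ssh-agent'.
$inboxDir = Join-Path $env:WINDIR 'System32\OpenSSH'

function Get-SshBinary {
    param([Parameter(Mandatory)][string]$Name)
    # -All lists every match in PATH order; the first entry is what a bare command runs.
    $order = 0
    Get-Command -Name $Name -CommandType Application -All -ErrorAction SilentlyContinue |
        ForEach-Object {
            $order++
            [pscustomobject]@{
                Order   = $order
                Path    = $_.Path
                Version = (Get-Item -LiteralPath $_.Path).VersionInfo.ProductVersion
                Inbox   = (Split-Path $_.Path -Parent) -ieq $inboxDir
            }
        }
}

foreach ($exe in 'ssh.exe', 'ssh-add.exe') {
    $found = @(Get-SshBinary -Name $exe)
    if (-not $found) { Write-Warning "$exe is not on PATH"; continue }
    $found | Format-Table -AutoSize | Out-String | Write-Host
    if ($found[0].Inbox -and $found.Count -gt 1) {
        Write-Warning "$exe resolves to the Windows-shipped copy; $($found[1].Path) is shadowed"
    }
}

# The agent runs as a service, so its binary is set by the service configuration, not PATH.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ssh-agent'"
if (-not $svc) {
    Write-Warning 'ssh-agent service is not installed'
} else {
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $agentExe = $svc.PathName -replace '^"?(.+?\.exe)"?(\s.*)?$', '$1'
    $sshAdd   = @(Get-SshBinary -Name 'ssh-add.exe')
    "ssh-agent service: $agentExe ($($svc.State), start mode $($svc.StartMode))"
    if ($sshAdd -and (Split-Path $agentExe -Parent) -ine (Split-Path $sshAdd[0].Path -Parent)) {
        Write-Warning "ssh-add ($($sshAdd[0].Path)) and the ssh-agent service come from different installs"
    }
}
```

A warning from either check means the client being typed at the prompt and the agent it talks to are not the pair that was tested in the release under discussion.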

minfrin commented 2 months ago

Testing v9.5.0.0p1-Beta ssh-add -s [path-to-opensc] works.

When an attempt is made to connect with a missing smartcard, I get "agent refused operation" rather than a sensible error message, but I suspect that is an OpenSSH bug.