On Mon, Feb 24, 2020 at 2:29 AM Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> I think the problem here is that the -D switch is not smartcards aware.
> PKCS#11 modules should be removed using -e switch, which works fine to
> my testing.

Aha, thanks for pointing this flag out to me. I had missed it. Indeed, `ssh-add -e` does fix this issue for me on the latest release (though on the release that ships with Ubuntu 19.10, "OpenSSH_8.0p1", it fails).

I realized there's a similar problem with the `-d` flag: if you delete an identity backed by a PKCS#11 device, it will remove the identity and report success but not remove the provider.

Is it desirable in the future to have multiple identities offered by the same provider? For instance, multiple instances of the same smartcard reader? If so, we would need to have some facility to keep track of already-loaded providers and reuse them, as well as do reference counting for removed identities. That's why I was suggesting it would be more straightforward to never unload providers (or in other words, require a restart of ssh-agent if the user requires that provider to be non-resident, which I think is quite rare).

FWIW, I maintain a signing library in Go that uses PKCS#11, and it uses the approach I describe above, keeping the PKCS#11 module loaded until the end of the process: https://github.com/letsencrypt/pkcs11key/blob/master/key.go#L113.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
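The provider-tracking and reference-counting scheme sketched in the message above, as an added in-memory model in Go (not OpenSSH, ssh-agent or pkcs11key code): a module path is loaded once and reused on a second `-s`, and a `-d` that removes the last identity backed by a module also unloads that module. The `Agent` type, its methods and the fingerprint/path strings are all hypothetical.

```go
package main

// Hypothetical in-memory model of an agent's PKCS#11 bookkeeping (an added
// illustration, not OpenSSH or pkcs11key code): each module path is loaded
// once and reference-counted by the identities it backs.
type Agent struct {
	providers  map[string]int    // module path -> identities it backs
	identities map[string]string // key fingerprint -> module path
}

func NewAgent() *Agent {
	return &Agent{providers: map[string]int{}, identities: map[string]string{}}
}

// ProviderLoaded reports whether the module at path is currently loaded.
func (a *Agent) ProviderLoaded(path string) bool {
	_, ok := a.providers[path]
	return ok
}

// AddProvider models `ssh-add -s`: an already-loaded module is reused rather
// than loaded a second time; each new identity bumps its reference count.
func (a *Agent) AddProvider(path string, fingerprints []string) (reused bool) {
	reused = a.ProviderLoaded(path)
	if !reused {
		a.providers[path] = 0 // "load" the module exactly once
	}
	for _, fp := range fingerprints {
		if _, dup := a.identities[fp]; !dup { // never double count a key
			a.identities[fp] = path
			a.providers[path]++
		}
	}
	return reused
}

// RemoveIdentity models `ssh-add -d`: drops the identity and unloads its
// module once no identity references it; returns false for an unknown key.
func (a *Agent) RemoveIdentity(fp string) bool {
	path, ok := a.identities[fp]
	if !ok {
		return false
	}
	delete(a.identities, fp)
	a.providers[path]--
	if a.providers[path] == 0 {
		delete(a.providers, path) // last user gone: unload the module
	}
	return true
}
```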