Note I'm no maintainer here, just someone on the list. Jacob Hoffman-Andrews wrote: > I think the best fix here is to treat "provider already exists" as a > non-error. This seems logically OK to me. > There is no need to unload providers when they become unused I disagree with this for reasons already mentioned, and > because it is uncommon to have more than one provider on any given system. It may be uncommon, but that is no reason to make it impossible! > Also, a user is likely to reuse a provider they have previously used. Disagree again - consider an interactive session, where a user logs in, performs a system update of either ssh-agent, p11, or both, and then wants to use the newer versions. The scope of the ssh-agent is the user's session. The scope of the p11 is the loaded provider in the agent. It's simply ugly to force the user to restart the agent process if she really only wants to replace the p11. Jacob Hoffman-Andrews wrote: > Indeed, `ssh-add -e` does fix this issue for me on the latest release > > I realized there's a similar problem with the `-d` flag: If you delete > an identity backed by a PKCS#11 device, it will remove the identity > and report success but not remove the provider. Intuitively I would expect -d (and -D) to remove the provider when the last key from that provider is removed. > Is it desirable in the future to have multiple identities offered by the > same provider? I for one would like that to work. > For instance, multiple instances of the same smartcard reader? Sure. Or a device making more than one key available through the same interface, thus controlled by one (and only one) provider. > If so, we would need to have some facility to keep track of already-loaded > providers and reuse them, as well as do reference counting for removed > identities. I think this would make sense. > That's why I was suggesting it would be more straightforward > to never unload providers (or in other words, require a restart of > ssh-agent if user requires that provider to be non-resident, Again, I disagree strongly with forcing this onto us users. Consider a system where an agent also has many other, unrelated keys. It would be really painful and annoying to ditch all that other setup just because some p11 provider needs to be reloaded. Windows does still get away with requiring a reboot now and then, but let's not copy that pattern if we can avoid it in any way. //Peter _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev