libykcs11.dll doesn't work on Windows OpenSSH
C0D3-M4513R opened this issue · 6 comments
C0D3-M4513R commented
PS C:\Windows\System32\WindowsPowerShell\v1.0> ssh-agent -d
agent_start pid:12060, dbg:1
client pid 17564 connected
agent_process_connection pipe:0000000000000188
debug1: get_con_client_info: sshagent_con_username: restricted
debug1: client type: restricted user
debug1: process agent request type 20
debug1: find_helper: using "C:\\Program Files\\OpenSSH\\ssh-pkcs11-helper.exe" as helper
process_add_smartcard_key: failed to add key to store. count:-1
debug1: iocp error: 109 on 0000028780BD6500
debug1: connection 0000028780BD6500 clean up
debug1: iocp error: 6 on 0000000000000000
PS C:\Users\xxx> ssh-add -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" -vvv
Enter passphrase for PKCS#11:
Could not add card "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll": agent refused operation
PS C:\Users\xxx> ssh sn
dlopen C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll failed: The specified module could not be found.
PS C:\Users\XXX> ssh -V
OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
a-dma commented
I don't know if OpenSSH for Windows behaves differently, but ssh-agent blocks PKCS#11 and FIDO providers that are not in some pre-determined paths. You can specify additional allowed paths at runtime by passing -P to ssh-agent. Could you try adding that?
If that's still not enough, then please turn on debugging in ykcs11 by setting the environment variable YKCS11_DBG=9 and paste the resulting output. Keep in mind that depending on the operations, user PINs will be logged.