
PKCS#11 modules not being loaded #101

@grawity

Description

OpenSSH's ssh-agent supports accessing keys from other hardware tokens through PKCS#11 modules, using ssh-add -s <path>. Currently ssh-tpm-agent doesn't pass through the load requests at all, although once the module has been loaded directly (by temporarily pointing ssh-add directly to the main ssh-agent socket), all regular operations work fine.

ssh-add -s <path> uses opcode 20 to load modules, while ssh-add -e <path> uses opcode 21 to unload them.

SoftHSM extra/softhsm can be used for testing.

  1. Init and populate token (otherwise ssh-agent itself will reject empty tokens):

    optional:
    $ export SOFTHSM2_CONF=/tmp/softhsm2.conf
    $ mkdir -p /tmp/softhsm2.data
    $ echo 'directories.tokendir = /tmp/softhsm2.data' > $SOFTHSM2_CONF
    
    $ softhsm2-util --init-token --free --label yay --so-pin yay1 --pin yay2
    $ pkcs11-tool --module /usr/lib/pkcs11/libsofthsm2.so --token-label yay \
         --login --pin yay2 --keypairgen --key-type EC:prime256v1 --label testkey
    
    $ pkcs11-tool --module /usr/lib/pkcs11/libsofthsm2.so --token-label yay \
         --login --pin yay2 --list-objects
    
  2. Testing:

    $ ssh-agent -d -a /tmp/plain.sock &
    $ ssh-tpm-agent -d -A /tmp/plain.sock -l /tmp/tpm.sock
    
    $ export SOFTHSM2_CONF=/tmp/softhsm2.conf
    $ export SSH_AUTH_SOCK=/tmp/tpm.sock
    $ ssh-add -s /usr/lib/pkcs11/libsofthsm2.so
    Enter passphrase for PKCS#11: yay2
    Could not add card "/usr/lib/pkcs11/libsofthsm2.so": agent refused operation
    

Debug output from ssh-tpm-agent:

time=2025-08-19T15:02:52.248+03:00 level=INFO msg="agent 20: unknown opcode 20"
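The shape of what the proxy is missing, as an added example that is not ssh-tpm-agent's own code: a minimal agent-protocol framing codec plus a dispatcher that relays the smartcard opcodes (20, 21, and the constrained variant 26) unchanged to an upstream agent and returns whatever it answers, instead of logging "unknown opcode" and replying with failure. The wire layout (uint32 length prefix; opcode 20/21 payload = byte opcode, string module path, string PIN) follows draft-miller-ssh-agent. `ServeFakeUpstream` is a constructed stand-in for the plain ssh-agent so the program runs offline over `net.Pipe`; the module path and PIN values are taken from the reproduction above and are only test data.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// Agent protocol message numbers from draft-miller-ssh-agent.
const (
	AgentFailure                     = 5
	AgentSuccess                     = 6
	AgentcAddSmartcardKey            = 20 // sent by ssh-add -s
	AgentcRemoveSmartcardKey         = 21 // sent by ssh-add -e
	AgentcAddSmartcardKeyConstrained = 26 // ssh-add -s with -c/-t constraints
)

// putString appends an SSH "string": uint32 big-endian length, then the bytes.
func putString(buf *bytes.Buffer, s []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	buf.Write(l[:])
	buf.Write(s)
}

// getString splits one SSH "string" off the front of b, bounds-checked.
func getString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 {
		return nil, nil, errors.New("truncated string length")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, errors.New("string length exceeds payload")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// EncodeSmartcardKey builds an opcode 20 or 21 payload: opcode, string id, string pin.
func EncodeSmartcardKey(opcode byte, modulePath, pin string) []byte {
	var buf bytes.Buffer
	buf.WriteByte(opcode)
	putString(&buf, []byte(modulePath))
	putString(&buf, []byte(pin))
	return buf.Bytes()
}

// DecodeSmartcardKey parses an opcode 20/21 payload back into its fields.
func DecodeSmartcardKey(payload []byte) (opcode byte, modulePath, pin string, err error) {
	if len(payload) < 1 {
		return 0, "", "", errors.New("empty payload")
	}
	opcode = payload[0]
	if opcode != AgentcAddSmartcardKey && opcode != AgentcRemoveSmartcardKey {
		return 0, "", "", fmt.Errorf("opcode %d is not a smartcard add/remove", opcode)
	}
	id, rest, err := getString(payload[1:])
	if err != nil {
		return 0, "", "", err
	}
	p, rest, err := getString(rest)
	if err != nil {
		return 0, "", "", err
	}
	if len(rest) != 0 {
		return 0, "", "", errors.New("trailing bytes after pin")
	}
	return opcode, string(id), string(p), nil
}

// WriteFrame sends one agent message: uint32 length prefix followed by the payload.
func WriteFrame(w io.Writer, payload []byte) error {
	frame := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(frame, uint32(len(payload)))
	copy(frame[4:], payload)
	_, err := w.Write(frame)
	return err
}

// ReadFrame reads one length-prefixed agent message, rejecting empty or oversized frames.
func ReadFrame(r io.Reader) ([]byte, error) {
	var l [4]byte
	if _, err := io.ReadFull(r, l[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(l[:])
	if n == 0 || n > 256*1024 { // agent messages are small; cap allocations from a hostile client
		return nil, fmt.Errorf("bad frame length %d", n)
	}
	payload := make([]byte, n)
	if _, err := io.ReadFull(r, payload); err != nil {
		return nil, err
	}
	return payload, nil
}

// Handle dispatches one client request. Smartcard opcodes are relayed verbatim to the
// upstream agent (the one given to ssh-tpm-agent with -A in the report) and its reply is
// returned as-is. Other opcodes get AgentFailure here; TPM-backed handling is out of scope.
func Handle(payload []byte, upstream io.ReadWriter) ([]byte, error) {
	if len(payload) == 0 {
		return []byte{AgentFailure}, nil
	}
	switch payload[0] {
	case AgentcAddSmartcardKey, AgentcRemoveSmartcardKey, AgentcAddSmartcardKeyConstrained:
		if upstream == nil {
			return []byte{AgentFailure}, nil // no -A agent configured: refuse cleanly
		}
		if err := WriteFrame(upstream, payload); err != nil {
			return nil, err
		}
		return ReadFrame(upstream)
	default:
		return []byte{AgentFailure}, nil
	}
}

// ServeFakeUpstream is a constructed stand-in for ssh-agent: it accepts opcode 20/21 when
// the PIN matches and answers AgentFailure otherwise (a real agent would load the module).
func ServeFakeUpstream(conn net.Conn, expectedPin string) {
	defer conn.Close()
	for {
		payload, err := ReadFrame(conn)
		if err != nil {
			return
		}
		resp := byte(AgentFailure)
		if _, _, pin, derr := DecodeSmartcardKey(payload); derr == nil && pin == expectedPin {
			resp = AgentSuccess
		}
		if err := WriteFrame(conn, []byte{resp}); err != nil {
			return
		}
	}
}

func main() {
	client, server := net.Pipe()
	defer client.Close()
	go ServeFakeUpstream(server, "yay2")
	mod := "/usr/lib/pkcs11/libsofthsm2.so"
	resp, err := Handle(EncodeSmartcardKey(AgentcAddSmartcardKey, mod, "yay2"), client)
	fmt.Printf("add, right PIN: resp=%v err=%v\n", resp, err)
	resp, err = Handle(EncodeSmartcardKey(AgentcAddSmartcardKey, mod, "wrong"), client)
	fmt.Printf("add, wrong PIN: resp=%v err=%v\n", resp, err)
}
```

The PIN travels in the forwarded frame in the clear, exactly as ssh-add sent it; a proxy must not log the payload of opcode 20/21/26 at debug level, and the upstream connection should be the same trusted local socket the proxy already uses for everything else.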
