GNOME Bugzilla – Bug 772366
support for keys provided by pkcs11 libraries in ssh agent
Last modified: 2018-03-09 15:36:32 UTC
The `ssh-add` utility has flags -s/-e to add/remove keys provided by PKCS#11 libraries to ssh-agent. Here is a log of `ssh-add` commands used with the standard `ssh-agent`:

reddot@docorp:~$ ssh-add -e /usr/lib/libeTPkcs11.so
Card removed: /usr/lib/libeTPkcs11.so
reddot@docorp:~$ ssh-add -s /usr/lib/libeTPkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/libeTPkcs11.so
reddot@docorp:~$ ssh-add -l
2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)

Unfortunately, the ssh agent interface provided by the gnome-keyring daemon refuses such requests:

reddot@docorp:~$ SSH_AUTH_SOCK=/run/user/1000/keyring/ssh ssh-add -e /usr/lib/libeTPkcs11.so
Could not remove card "/usr/lib/libeTPkcs11.so": agent refused operation
reddot@docorp:~$ SSH_AUTH_SOCK=/run/user/1000/keyring/ssh ssh-add -s /usr/lib/libeTPkcs11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/libeTPkcs11.so": agent refused operation
gnome-keyring should just wrap stock ssh-agent to solve this problem.
https://bugzilla.gnome.org/show_bug.cgi?id=775981