
libykcs11 fails to load key into Windows 11 native ssh-agent

Open jplejacq-quoininc-com opened this issue 10 months ago • 11 comments

OS: Windows 11 Pro 24H2
openssh: OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 (native package that is part of Windows)
libykcs11: Yubico.Piv-Tool 2.5.1
opensc-pkcs11.dll: OpenSC.OpenSC 0.23.0.0

If I follow the instructions provided by Yubico [1] or the substantially better instructions provided by [2], I always get the following error:

```
> ssh-add -v -v -v -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
Enter passphrase for PKCS#11:
Could not add card "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll": agent refused operation
```

The Windows event log shows two messages:

```
ssh-pkcs11-helper: error: dlopen C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll failed: The specified module could not be found.
ssh-agent: error: process_add_smartcard_key: failed to add key to store. count:-1
```

I tried numerous variations on forward/backward slashes for directory separators. I always get the same result. The path is correct as well as the permissions.

The Windows native ssh works fine with libykcs11.dll, it's only ssh-add that fails.

ssh-add works fine with OpenSC library, opensc-pkcs11.dll.

[1] https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client [2] https://gist.github.com/daemonhorn/a6af1b76457b2c10b8058d0a2c919bc3

jplejacq-quoininc-com avatar Jan 08 '25 19:01 jplejacq-quoininc-com

I get the same output / error as you with an invalid path to libykcs11.dll.

My guess is that you have installed the x86 32 bit version of yubico-piv-tool. If not, the dll is probably installed somewhere non-standard

wampum avatar Jan 13 '25 13:01 wampum

On 2025-01-13 08:30, wampum wrote:

> I get the same output / error as you with an invalid path to libykcs11.dll.
>
> My guess is that you have installed the x86 32 bit version of yubico-piv-tool. If not, the dll is probably installed somewhere non-standard


Thanks for taking a look at this.

I installed the yubico-piv-tool using winget and used the default location for all files. The dll is indeed in the correct place and it works fine for PIV operations in browsers. I installed the latest version, 2.5.1.

C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll

I also confirmed it is the 64 bit version.

-- JP

jplejacq-quoininc-com avatar Jan 13 '25 14:01 jplejacq-quoininc-com

I hit the same problem. The fix for me was to put C:\Program Files\Yubico\Yubico PIV Tool\bin on the System Path, not the User Path. It also needs to be ahead of %SYSTEMROOT%\System32\OpenSSH\ on the System Path.

Restart the OpenSSH Authentication Agent service after updating the System Path.

ian-harwood avatar Jan 15 '25 15:01 ian-harwood

The YKCS11 module has dependencies on libykpiv and libcrypto, so they both need to be in PATH for YKCS11 to work. The easiest solution is the one @ian-harwood wrote.

aveenismail avatar Jan 15 '25 16:01 aveenismail

On 2025-01-15 11:26, Aveen Ismail wrote:

> The YKCS11 module has dependency on libykpiv and libcrypto, so they both need to be in PATH for the YKCS11 to work. The easiest solution is the one @ian-harwood wrote.

Still fails for me.

I have libykpiv in the system environment path. I'm not sure which libcrypto you are referring to, but I have at least the Windows libcrypto.dll in the path.

Here is my Path, formatted to be a little easier to read.

```
$env:Path
C:\Program Files\PowerShell\7;
C:\Program Files\FireDaemon OpenSSL 3\bin;
C:\WINDOWS\system32;
C:\WINDOWS;
C:\WINDOWS\System32\Wbem;
C:\Program Files\PowerShell\7;
C:\WINDOWS\System32\WindowsPowerShell\v1.0;
C:\Program Files\FireDaemon OpenSSL 3\bin;
C:\Program Files\Yubico\Yubico PIV Tool\bin;
C:\Program Files\OpenSC Project\OpenSC\pkcs11;
C:\Program Files\Yubico\YubiKey Manager CLI;
C:\WINDOWS\System32\OpenSSH;
C:\Program Files\WinGet\Links;
C:\Program Files (x86)\Gpg4win..\GnuPG\bin;
C:\Program Files\PowerShell\7;
C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;
```

-- JP

jplejacq-quoininc-com avatar Jan 15 '25 17:01 jplejacq-quoininc-com

I see two occurrences of C:\Program Files\FireDaemon OpenSSL 3\bin before the Yubico PIV Tool path in the output of $env:Path. From what I can tell, it looks like FireDaemon OpenSSL would have a libcrypto.dll. The Yubico PIV Tool is shipped with the libcrypto.dll it depends on. So if the libcrypto.dll in C:\Program Files\FireDaemon OpenSSL 3\bin has a different version than the one in C:\Program Files\Yubico\Yubico PIV Tool\bin, this could cause a clash that leaves ykcs11 unable to find the right dependency, since only the first libcrypto in the path gets loaded.

Can we try the following two workarounds to see if my theory that it's about the libcrypto version is correct or if we're looking in the wrong direction?

1. Navigate to `C:\Program Files\Yubico\Yubico PIV Tool\bin`, then run the ssh-add command from there as follows: `ssh-add -v -v -v -s ./libykcs11.dll`

2. Put `C:\Program Files\Yubico\Yubico PIV Tool\bin` first in the path, then run the ssh-add command the way it is in the question of the issue.

aveenismail avatar Jan 16 '25 08:01 aveenismail
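The two comments above rest on one mechanism: `ssh-pkcs11-helper` calls `LoadLibrary` on libykcs11.dll, the loader then has to resolve libykpiv and libcrypto by file name, and the first directory in its search order that holds a file of that name wins. The diagnostic below is an added example, not code from the issue or from Yubico. It rebuilds that search order from the *machine-scope* PATH (the one the agent service inherits; the per-user PATH is irrelevant to a service), reports where the Yubico bin directory sits in it, tells a 32-bit DLL from a 64-bit one (wampum's theory), and finds which copy of the shipped libcrypto's file name is hit first (Aveen's theory). `$YkBin` and the `System32\OpenSSH` helper directory are assumptions taken from the paths quoted in the thread.

```powershell
# Added diagnostic (example code, not from the issue or from Yubico).
# Assumption: default winget install location as quoted in the thread.
$YkBin = 'C:\Program Files\Yubico\Yubico PIV Tool\bin'

function Get-PEMachine {
    # Reads IMAGE_FILE_HEADER.Machine so an x86 build is spotted without running it.
    param([string]$Path)
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)       # e_lfanew: offset of the "PE\0\0" signature
    $m  = [System.BitConverter]::ToUInt16($b, $pe + 4)   # Machine field directly follows the signature
    switch ($m) {
        0x8664  { 'x64' }
        0x14C   { 'x86' }
        0xAA64  { 'arm64' }
        default { 'unknown (0x{0:X})' -f $m }
    }
}

function Find-FirstOnPath {
    # Same rule the loader applies: the first directory holding a file of this name wins.
    param([string[]]$Dirs, [string]$Name)
    foreach ($d in $Dirs) {
        $hit = Get-ChildItem -LiteralPath $d -Filter $Name -File -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { return $hit }
    }
}

# A service never sees the per-user PATH, so read the Machine scope explicitly.
$MachinePath = @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
                 ForEach-Object { $_.Trim().TrimEnd('\') } | Where-Object { $_ })

# Standard (SafeDllSearchMode) order: application directory, System32, then PATH.
# Assumption: the native OpenSSH helper lives in System32\OpenSSH, as the thread's paths show.
$SearchOrder = @("$env:SystemRoot\System32\OpenSSH", "$env:SystemRoot\System32") + $MachinePath

$module = Join-Path $YkBin 'libykcs11.dll'
if (-not (Test-Path -LiteralPath $module)) { throw "libykcs11.dll not found in $YkBin" }
'libykcs11.dll is {0}' -f (Get-PEMachine $module)

$pos = -1
for ($i = 0; $i -lt $MachinePath.Count; $i++) {
    if ($MachinePath[$i] -eq $YkBin) { $pos = $i; break }   # -eq is case-insensitive in PowerShell
}
if ($pos -lt 0) {
    Write-Warning "$YkBin is not on the System PATH; the agent cannot resolve libykpiv/libcrypto"
} else {
    "Yubico bin dir is entry $pos of $($MachinePath.Count) on the System PATH"
}

# Look for the *same file name* the PIV tool ships, since that is what the loader resolves.
$shipped = Get-ChildItem -LiteralPath $YkBin -Filter 'libcrypto*.dll' -File | Select-Object -First 1
if (-not $shipped) {
    Write-Warning "No libcrypto*.dll shipped in $YkBin; this install looks incomplete"
} else {
    $first = Find-FirstOnPath -Dirs $SearchOrder -Name $shipped.Name
    if (-not $first) {
        Write-Warning "$($shipped.Name) is not reachable via the service's search order"
    } elseif ($first.FullName -ne $shipped.FullName) {
        Write-Warning ('Loader would pick {0} ({1}, v{2}) before the shipped {3} ({4}, v{5})' -f
            $first.FullName, (Get-PEMachine $first.FullName), $first.VersionInfo.FileVersion,
            $shipped.FullName, (Get-PEMachine $shipped.FullName), $shipped.VersionInfo.FileVersion)
    } else {
        'First match for {0} is the shipped copy: {1}' -f $shipped.Name, $first.FullName
    }
}
```

Run it from any PowerShell (no elevation needed; it only reads). A warning in the last section reproduces the situation Aveen describes: a foreign libcrypto with the same file name earlier in the search order is what the loader binds, and if it is a different major version or an x86 build, `LoadLibrary` on libykcs11.dll fails with exactly the "specified module could not be found" text that ends up in the OpenSSH event log.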

On 2025-01-16 03:25, Aveen Ismail wrote:

> Can we try the following two workarounds to see if my theory that it's about the libcrypto version is correct or if we're looking in the wrong direction?
>
> 1. Navigate to `C:\Program Files\Yubico\Yubico PIV Tool\bin`, then run the ssh-add command from there as follows: `ssh-add -v -v -v -s ./libykcs11.dll`
> 2. Put `C:\Program Files\Yubico\Yubico PIV Tool\bin` first in the path, then run the ssh-add command the way it is in the question of the issue.

I set the path to the following:

```
C:\Program Files\PowerShell\7;
C:\Program Files\Yubico\Yubico PIV Tool\bin;
C:\WINDOWS\system32;
C:\WINDOWS;
C:\WINDOWS\System32\Wbem;
C:\Program Files\PowerShell\7;
C:\WINDOWS\System32\WindowsPowerShell\v1.0;
C:\Program Files\FireDaemon OpenSSL 3\bin;
C:\Program Files\OpenSC Project\OpenSC\pkcs11;
C:\Program Files\Yubico\YubiKey Manager CLI;
C:\WINDOWS\System32\OpenSSH;
C:\Program Files\WinGet\Links;
C:\Program Files (x86)\Gpg4win..\GnuPG\bin;
C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;
```

I get the same result:

```
cd 'C:\Program Files\Yubico\Yubico PIV Tool\bin'
ssh-add -v -v -v -s ./libykcs11.dll
Enter passphrase for PKCS#11:
Could not add card "./libykcs11.dll": agent refused operation
```

-- JP

jplejacq-quoininc-com avatar Jan 16 '25 16:01 jplejacq-quoininc-com

+1

emilio-toledo avatar Feb 17 '25 03:02 emilio-toledo

Same issue here. I also started with Winget and Piv-Tool v2.5.1, got the same error, and tried all the workarounds above with no luck. I uninstalled Piv-Tool v2.5.2, downloaded the latest 2.7.0, and tried the same steps, but I still had the same issue. Tried:

  1. Navigate to C:\Program Files\Yubico\Yubico PIV Tool\bin then run the ssh-add command from there as follows: ssh-add -v -v -v -s ./libykcs11.dll
  2. Put C:\Program Files\Yubico\Yubico PIV Tool\bin first in the path, then run the ssh-add command the way it is in the question of the issue.

All of these were in the Admin command prompt.

lashchev avatar Mar 29 '25 07:03 lashchev

This is what worked for me:

Steps:

  1. Add C:\Program Files\Yubico\Yubico PIV Tool\bin as the first line in the System PATH Environment variable. Not in the User PATH since it should be picked up by ssh-agent service.
  2. Open a new Admin Command Prompt
  3. Restart ssh-agent service by running: net stop ssh-agent && net start ssh-agent
  4. Run: ssh-add -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
  5. Enter your PIN manually; do not use Copy/Paste.

You should see: (screenshot in the original post)

If it fails:

  1. Go to Event Viewer > Applications and Services Logs > OpenSSH > Admin and review 2 latest errors
  2. If you see ".... The specified module could not be found." => Check that you configured PATH and restarted the service. Try rebooting the machine as well.
  3. If you see "... C_Login failed ... " => check your PIN. You can validate it by running "C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe" -a verify-pin

Hope this helps

lashchev avatar Mar 29 '25 08:03 lashchev
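The five steps and the two troubleshooting branches above, carried out from one elevated PowerShell, as an added example that is not part of the original post or of Yubico's instructions. It edits the System (machine) PATH in the registry rather than via `[Environment]::SetEnvironmentVariable(..., 'Machine')`, because that .NET call rewrites the value as REG_SZ and silently breaks `%SystemRoot%`-style entries; it then broadcasts the environment change the same way the System Properties dialog does, restarts the agent, runs `ssh-add`, and on failure reads the two newest `OpenSSH/Admin` events instead of guessing. `$YkBin` is an assumption (the default winget path from the thread); the event-log channel name is the one Event Viewer shows in the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the issue or from Yubico.
# Assumption: default winget install location quoted in the thread.
$YkBin  = 'C:\Program Files\Yubico\Yubico PIV Tool\bin'
$Module = Join-Path $YkBin 'libykcs11.dll'
$EnvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# Step 1: put the bin dir first in the *System* PATH. Read the raw REG_EXPAND_SZ so
# entries such as %SystemRoot%\system32 stay unexpanded, drop any existing copy,
# and write it back with the same value type.
$raw     = (Get-Item -LiteralPath $EnvKey).GetValue('Path', '',
               [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$entries = @($raw -split ';' | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and $_.TrimEnd('\') -ne $YkBin })
Set-ItemProperty -LiteralPath $EnvKey -Name Path -Type ExpandString `
                 -Value ((@($YkBin) + $entries) -join ';')

# Notify running processes (WM_SETTINGCHANGE "Environment"), as the GUI dialog does.
Add-Type -Namespace Win32 -Name Env -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr SendMessageTimeout(IntPtr hWnd, uint Msg, UIntPtr wParam,
    string lParam, uint fuFlags, uint uTimeout, out UIntPtr lpdwResult);
'@
$r = [UIntPtr]::Zero
[void][Win32.Env]::SendMessageTimeout([IntPtr]0xFFFF, 0x1A, [UIntPtr]::Zero, 'Environment', 2, 5000, [ref]$r)

# Steps 2-3: the OpenSSH Authentication Agent only gets the new PATH when it restarts.
# Its default startup type is Disabled, so make sure it can start at all.
Set-Service -Name ssh-agent -StartupType Automatic
Restart-Service -Name ssh-agent

# Give this shell the same PATH so ssh-add resolves the DLL the way the agent will.
$env:Path = [Environment]::GetEnvironmentVariable('Path', 'Machine')

# Steps 4-5: add the provider. The PIN prompt is interactive; type it, do not paste.
$since = Get-Date
& ssh-add -s $Module
if ($LASTEXITCODE -eq 0) {
    & ssh-add -L
} else {
    # "If it fails": the two newest OpenSSH/Admin events say why the agent refused.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'OpenSSH/Admin'; StartTime = $since } `
                           -MaxEvents 2 -ErrorAction SilentlyContinue
    $events | ForEach-Object { '{0}: {1}' -f $_.TimeCreated, $_.Message }
    if ($events.Message -match 'could not be found') {
        Write-Warning 'Dependency still unresolved after restart; reboot so every service sees the new PATH'
    }
    if ($events.Message -match 'C_Login') {
        # Wrong PIN branch: verify it against the token directly.
        & (Join-Path $YkBin 'yubico-piv-tool.exe') -a verify-pin
    }
}
```

The script is idempotent: re-running it does not duplicate the PATH entry. If the PATH edit applied but the log still reports "The specified module could not be found" after the service restart, a reboot is the remaining step from the post above, since the service control manager's own environment block is what the agent inherits.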

On 2025-03-29 04:52, Vladimir Lashchev wrote:

> This is what worked for me:
>
> Steps:
>
> 1. Add `C:\Program Files\Yubico\Yubico PIV Tool\bin` as the first line in the System PATH Environment variable. Not in the User PATH since it should be picked up by the ssh-agent service.
> 2. Open a new Admin Command Prompt
> 3. Restart ssh-agent service by running: `net stop ssh-agent && net start ssh-agent`
> 4. Run: `ssh-add -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"`
> 5. Enter your PIN manually; do not use Copy/Paste.

Thanks for posting a working solution.

Is the critical step number two? Do ssh-agent and ssh-add have to execute with elevated privileges?

If so, this is odd and somewhat worrisome. When using opensc, elevated privileges are not required.

-- JP

jplejacq-quoininc-com avatar Mar 29 '25 16:03 jplejacq-quoininc-com

Thanks, this solved the issue and helped me remove the use of gpg-agent; now gpg is only needed for some setup (for me this is the easiest way), but it will now always use this PKCS#11 (will need to study this now).

Thanks.

DevDorrejo avatar Oct 27 '25 22:10 DevDorrejo