PKCS#11 modules not being loaded
OpenSSH's ssh-agent supports accessing keys from other hardware tokens through PKCS#11 modules, using ssh-add -s <path>. Currently ssh-tpm-agent doesn't pass through the load requests at all, although once the module has been loaded directly (by temporarily pointing ssh-add directly to the main ssh-agent socket), all regular operations work fine.
ssh-add -s <path> uses opcode 20 to load modules, while ssh-add -e <path> uses opcode 21 to unload them.
SoftHSM extra/softhsm can be used for testing.
Init and populate token (otherwise ssh-agent itself will reject empty tokens):
optional:
$ export SOFTHSM2_CONF=/tmp/softhsm2.conf
$ mkdir -p /tmp/softhsm2.data
$ echo 'directories.tokendir = /tmp/softhsm2.data' > $SOFTHSM2_CONF
$ softhsm2-util --init-token --free --label yay --so-pin yay1 --pin yay2
$ pkcs11-tool --module /usr/lib/pkcs11/libsofthsm2.so --token-label yay \
    --login --pin yay2 --keypairgen --key-type EC:prime256v1 --label testkey
$ pkcs11-tool --module /usr/lib/pkcs11/libsofthsm2.so --token-label yay \
    --login --pin yay2 --list-objects
Testing:
$ ssh-agent -d -a /tmp/plain.sock &
$ ssh-tpm-agent -d -A /tmp/plain.sock -l /tmp/tpm.sock
$ export SOFTHSM2_CONF=/tmp/softhsm2.conf
$ export SSH_AUTH_SOCK=/tmp/tpm.sock
$ ssh-add -s /usr/lib/pkcs11/libsofthsm2.so
Enter passphrase for PKCS#11: yay2
Could not add card "/usr/lib/pkcs11/libsofthsm2.so": agent refused operation
Debug output from ssh-tpm-agent:
time=2025-08-19T15:02:52.248+03:00 level=INFO msg="agent 20: unknown opcode 20"
Seems like the Golang agent implementation ignores this.
https://github.com/golang/crypto/blob/44ecf3af9978b32529ce689a6964bd557c79aa1c/ssh/agent/server.go#L76
So gotta patch upstream I think? Can see if I can submit a patch or work around this.
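To make the failure mode concrete, here is an added, stand-alone Go sketch (not code from ssh-tpm-agent or from golang.org/x/crypto) of the two messages involved and of what a proxying agent has to do with them. It encodes and parses the body ssh-add -s / -e sends (opcode 20 or 21, then the provider path and PIN as SSH strings, per the ssh-agent protocol draft), wraps it in the uint32 length framing used on the socket, and relays those two opcodes to an upstream agent connection while answering SSH_AGENT_FAILURE (5, what ssh-add reports as "agent refused operation") for anything else. The upstream side is an in-memory stand-in built on net.Pipe; the provider path and PIN values, and the names HandleRequest and RelayViaPipe, are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// Agent protocol numbers (draft-miller-ssh-agent); ssh-add -s sends 20, ssh-add -e sends 21.
const (
	agentFailure             = 5
	agentSuccess             = 6
	agentcAddSmartcardKey    = 20
	agentcRemoveSmartcardKey = 21
)

// marshalString encodes an SSH "string": uint32 big-endian length, then the bytes.
func marshalString(s string) []byte {
	b := make([]byte, 4+len(s))
	binary.BigEndian.PutUint32(b, uint32(len(s)))
	copy(b[4:], s)
	return b
}

// parseString decodes one SSH "string" and returns the unread remainder.
func parseString(b []byte) (string, []byte, error) {
	if len(b) < 4 {
		return "", nil, errors.New("short string length")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(len(b)-4) < uint64(n) {
		return "", nil, errors.New("string length exceeds buffer")
	}
	return string(b[4 : 4+n]), b[4+n:], nil
}

// SmartcardRequest is the body of opcode 20/21: provider (PKCS#11 module path) and PIN.
type SmartcardRequest struct {
	Opcode     byte
	ProviderID string
	PIN        string
}

// Encode builds the request body without the outer length prefix.
func (r SmartcardRequest) Encode() []byte {
	var buf bytes.Buffer
	buf.WriteByte(r.Opcode)
	buf.Write(marshalString(r.ProviderID))
	buf.Write(marshalString(r.PIN))
	return buf.Bytes()
}

// DecodeSmartcardRequest parses an opcode 20/21 body (the constrained variant, opcode 26, is not handled).
func DecodeSmartcardRequest(body []byte) (SmartcardRequest, error) {
	var r SmartcardRequest
	if len(body) == 0 {
		return r, errors.New("empty request")
	}
	r.Opcode = body[0]
	if r.Opcode != agentcAddSmartcardKey && r.Opcode != agentcRemoveSmartcardKey {
		return r, fmt.Errorf("opcode %d is not a smartcard request", r.Opcode)
	}
	var err error
	rest := body[1:]
	if r.ProviderID, rest, err = parseString(rest); err != nil {
		return r, err
	}
	if r.PIN, rest, err = parseString(rest); err != nil {
		return r, err
	}
	if len(rest) != 0 {
		return r, errors.New("trailing bytes after PIN")
	}
	return r, nil
}

// writeFrame / readFrame implement the uint32 length framing used on the agent socket.
func writeFrame(w io.Writer, body []byte) error {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(body)))
	if _, err := w.Write(hdr); err != nil {
		return err
	}
	_, err := w.Write(body)
	return err
}

func readFrame(r io.Reader) ([]byte, error) {
	hdr := make([]byte, 4)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr)
	if n == 0 || n > 256*1024 { // refuse absurd frames before allocating
		return nil, fmt.Errorf("bad frame length %d", n)
	}
	body := make([]byte, n)
	_, err := io.ReadFull(r, body)
	return body, err
}

// HandleRequest relays well-formed opcode 20/21 bodies to the upstream agent and returns its
// reply; every other opcode gets SSH_AGENT_FAILURE, which is the "agent refused operation" seen above.
func HandleRequest(body []byte, upstream io.ReadWriter) ([]byte, error) {
	if len(body) > 0 && (body[0] == agentcAddSmartcardKey || body[0] == agentcRemoveSmartcardKey) {
		if _, err := DecodeSmartcardRequest(body); err != nil {
			return []byte{agentFailure}, nil // malformed: do not forward a broken frame
		}
		if err := writeFrame(upstream, body); err != nil {
			return nil, err
		}
		return readFrame(upstream)
	}
	return []byte{agentFailure}, nil
}

// RelayViaPipe runs HandleRequest against a constructed in-memory upstream that accepts any
// smartcard request, and returns the reply opcode.
func RelayViaPipe(body []byte) (byte, error) {
	client, server := net.Pipe()
	defer client.Close()
	go func() {
		defer server.Close()
		req, err := readFrame(server)
		if err != nil {
			return
		}
		if req[0] == agentcAddSmartcardKey || req[0] == agentcRemoveSmartcardKey {
			_ = writeFrame(server, []byte{agentSuccess})
		} else {
			_ = writeFrame(server, []byte{agentFailure})
		}
	}()
	reply, err := HandleRequest(body, client)
	if err != nil {
		return 0, err
	}
	return reply[0], nil
}

func main() {
	// Constructed values mirroring the ssh-add -s invocation in the report.
	req := SmartcardRequest{Opcode: agentcAddSmartcardKey, ProviderID: "/usr/lib/pkcs11/libsofthsm2.so", PIN: "yay2"}
	op, err := RelayViaPipe(req.Encode())
	fmt.Printf("reply opcode=%d err=%v\n", op, err)
}
```

The relay deliberately parses the body before forwarding so that a malformed frame from a local client is rejected locally rather than passed on, and the PIN is only ever held in memory for the duration of the round trip; a real proxy would also want to hand back the upstream reply verbatim (as done here) so ssh-add sees the same success/failure semantics it would get from ssh-agent directly.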
Thanks. For now I can generally just do SSH_AUTH_SOCK=... ssh-add as a workaround, if I ever reboot.
Drafted an upstream change to support this: https://github.com/golang/crypto/pull/332