developers.yubico.com
Suggested edit for PIV/Guides/SSH_with_PIV_and_PKCS11
Hi,
I don't think that this statement is true: "Generate or import a key in slot 9a (any slot should suffice):". AFAIK there is no way to tell ssh to authenticate with a slot different from the one for authentication. If there is a way, please describe it.
If you utilize the libykcs11 version of the library from yubico-piv-tool, it will automatically populate PIV keys from any generated slot. I have successfully used this. Successful on Linux/FreeBSD/Windows. If you use a non-Yubico PIV PKCS#11 module, it may only access the first slot.
Current debug output from ssh with yubico-piv-tool release version 2.3 of libykcs11.dll
e.g.:
ssh -v -I "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" user@debian11
OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3
debug1: Reading configuration data C:\Users\daemo/.ssh/config
debug1: Connecting to debian9 [192.168.0.110] port 22.
debug1: Connection established.
debug1: provider C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.30
debug1: provider C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll slot 0: label <YubiKey PIV #15201255> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <15201255> flags 0x40d
debug1: have 1 keys
debug1: have 2 keys
debug1: have 3 keys
debug1: have 4 keys
Indeed, YKCS11 will access multiple slots when searching for keys.