My platform: macOS Sierra 10.12.1, Xcode-8.0.0, Macports-2.3.4, Macports-installed OpenSSH_7.3p1.

First problem: OpenSSH seems to ignore the PKCS11Provider configuration variable in the ~/.ssh/config file (and in the system/global config files as well). It acts as if it hasn't been set:

$ ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2j 26 Sep 2016
$ ssh-keygen -D pkcs11 -e
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found. Did find:
    /opt/local/lib/pkcs11: not a file
    /Library/OpenSC/lib/pkcs11: not a file
cannot read public key from pkcs11
$ ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e
ssh-rsa AAAAB3NzaC1yc2EA . . . . .
$ ssh -I pkcs11 github.com
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found. Did find:
    /opt/local/lib/pkcs11: not a file
    /Library/OpenSC/lib/pkcs11: not a file
Permission denied (publickey).
$ ssh -I /Library/OpenSC/lib/opensc-pkcs11.so github.com
Enter PIN for 'PIV Card Holder pin (PIV_II)':
PTY allocation request failed on channel 0
Hi xxxxxx! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$ fgrep PKCS11 ~/.ssh/config
PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.dylib
$

I'd appreciate some guidance on use of the PKCS11Provider config parameter (if I'm doing something wrong with it), or fixing the bug of ignoring it (if my attempts to use it were correct).

Second problem: the build seems to require at runtime not only exactly the same version, but exactly the same build of OpenSSL. Which means that if I make any update or bug fix to OpenSSL that does not affect the interface at all, I still have to re-install OpenSSH.

It would be great if OpenSSH could limit its OpenSSL runtime validation to at least the exact version (say, 1.0.2-stable). It really is both inconvenient and unnecessary to have to rebuild OpenSSH every time.

Thank you!

I'm not a subscriber to this list (don't have to contribute much), so please copy the replies to my email. Thanks again!
--
Uri Blumenthal
uri at mit.edu