Damien Miller
2025-Oct-08  04:32 UTC
OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
On Tue, 7 Oct 2025, Joost van Dijk wrote:

> Hi,
>
> I noticed from the release notes that OpenSSH 10.1p1 now supports ed25519 keys hosted on PKCS#11 tokens. Nice!
>
> I tested this on macOS 26 (Tahoe) with OpenSSH installed via Homebrew using an ed25519 key hosted on a PKCS#11 token (a YubiKey 5.7.4).
> Although this works fine, I ran into an issue generating the corresponding SSH public key file.
>
> I am using Yubico's PKCS#11 module (libykcs11, version 2.7.2 installed with yubico-piv-tool using homebrew), pointed to by $YKCS_P11.
> When I try to download the public keys from the token, it seems ssh-keygen doesn't know about ed25519 keys yet:
>
> $ ssh-keygen -D $YKCS_P11 -vv
> [...]
> skipping unsupported key type

This line tells me you're not actually running OpenSSH 10.1.

The current code prints the type number when it sees an unsupported key:

1473 error("skipping unsupported certificate type %lu",
1474 ck_cert_type);

You must be running an older version.

I just checked that ssh-keygen -D does work with a yk5 and ykcs11, though I did notice that it crashes at exit. I'll commit a fix.

-d
Damien Miller
2025-Oct-08  04:58 UTC
OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
On Wed, 8 Oct 2025, Damien Miller wrote:

> On Tue, 7 Oct 2025, Joost van Dijk wrote:
>
> > Hi,
> >
> > I noticed from the release notes that OpenSSH 10.1p1 now supports ed25519 keys hosted on PKCS#11 tokens. Nice!
> >
> > I tested this on macOS 26 (Tahoe) with OpenSSH installed via Homebrew using an ed25519 key hosted on a PKCS#11 token (a YubiKey 5.7.4).
> > Although this works fine, I ran into an issue generating the corresponding SSH public key file.
> >
> > I am using Yubico's PKCS#11 module (libykcs11, version 2.7.2 installed with yubico-piv-tool using homebrew), pointed to by $YKCS_P11.
> > When I try to download the public keys from the token, it seems ssh-keygen doesn't know about ed25519 keys yet:
> >
> > $ ssh-keygen -D $YKCS_P11 -vv
> > [...]
> > skipping unsupported key type
>
> This line tells me you're not actually running OpenSSH 10.1.
>
> The current code prints the type number when it sees an unsupported key:
>
> 1473 error("skipping unsupported certificate type %lu",
> 1474 ck_cert_type);

sorry, those are the wrong lines. The correct ones are:

1588 error("skipping unsupported key type 0x%lx",
1589 (u_long)ck_key_type);

but the point stands :)
Brian Candler
2025-Oct-08  06:55 UTC
OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
On 08/10/2025 05:32, Damien Miller wrote:

> This line tells me you're not actually running OpenSSH 10.1.
>
> The current code prints the type number when it sees an unsupported key:

But the second part of the problem - importing/converting a standalone ed25519 public key - still stands with 10.1p1 I believe.

% cat 9a.pem
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca9+HUq6ZetwNmzURWp2LMqlWUnsl6VKTcyYVMv5NFs
-----END PUBLIC KEY-----
% ssh-keygen -i -m PKCS8 -f 9a.pem
do_convert_from_pkcs8: unsupported pubkey type 1087
% ssh-keygen -i -m PEM -f 9a.pem
do_convert_from_pem: unrecognised raw private key format
% openssl pkey -in 9a.pem -pubin -noout -text
ED25519 Public-Key:
pub:
    71:af:7e:1d:4a:ba:65:eb:70:36:6c:d4:45:6a:76:
    2c:ca:a5:59:49:ec:97:a5:4a:4d:cc:98:54:cb:f9:
    34:5b
% which ssh-keygen
/opt/homebrew/bin/ssh-keygen
% ls -l /opt/homebrew/bin/ssh-keygen
lrwxr-xr-x  1 brian  admin  39  7 Oct 13:39 /opt/homebrew/bin/ssh-keygen -> ../Cellar/openssh/10.1p1/bin/ssh-keygen
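The conversion Brian's message shows ssh-keygen refusing (the 1087 in "unsupported pubkey type 1087" is OpenSSL's numeric NID for ED25519) is mechanically small: an Ed25519 SubjectPublicKeyInfo per RFC 8410 is a fixed 12-byte DER prefix followed by the 32 raw key bytes, and the OpenSSH public key line is the base64 of two length-prefixed strings, "ssh-ed25519" and those 32 bytes. The following is an added example written for this page, not OpenSSH's or Yubico's code; it assumes the input is exactly that PKCS#8/SPKI form (anything else is rejected rather than guessed at) and uses the public key from the thread above as its embedded sample, with base64 padding tolerated since the "=" is missing from the quoted PEM. It also decodes the resulting line back so the round trip can be checked, and prints the SHA256 fingerprint so the output can be compared against what the token itself reports before the key is trusted in an authorized_keys file.

```python
"""Convert an RFC 8410 Ed25519 SubjectPublicKeyInfo PEM to an OpenSSH public key line.

Added example for this thread; not OpenSSH code. Only the Ed25519 SPKI layout
is handled, by exact prefix match, so a different key type raises instead of
producing a plausible-looking but wrong ssh-ed25519 line.
"""
import base64
import hashlib
import struct

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410, section 4):
#   SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 }, BIT STRING(33) { 0 unused bits, 32 key bytes } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# The 9a.pem from Brian Candler's message (the "=" padding is absent there as quoted).
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca9+HUq6ZetwNmzURWp2LMqlWUnsl6VKTcyYVMv5NFs
-----END PUBLIC KEY-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body, restoring lost padding."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM block")
    b64 = "".join(lines[1:-1])
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped trailing "=" as in the quoted mail
    return base64.b64decode(b64)


def ed25519_pubkey_from_spki(der: bytes) -> bytes:
    """Return the 32 raw key bytes, accepting only the exact Ed25519 SPKI encoding."""
    if len(der) != len(ED25519_SPKI_PREFIX) + 32 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return der[len(ED25519_SPKI_PREFIX):]


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_ssh_blob(raw: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key (RFC 8709): two ssh strings."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw)


def to_openssh_public_key(pem: str, comment: str = "") -> str:
    """Produce an authorized_keys/id_ed25519.pub style line from the PEM."""
    raw = ed25519_pubkey_from_spki(pem_to_der(pem))
    line = "ssh-ed25519 " + base64.b64encode(ed25519_ssh_blob(raw)).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_openssh_public_key(line: str) -> tuple[str, bytes]:
    """Inverse of to_openssh_public_key: returns (key type, 32 raw key bytes)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1])
    (t_len,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + t_len].decode("ascii")
    (k_len,) = struct.unpack(">I", blob[4 + t_len:8 + t_len])
    raw = blob[8 + t_len:8 + t_len + k_len]
    # Reject trailing garbage, a type/label mismatch, or a wrong-sized key.
    if key_type != parts[0] or key_type != "ssh-ed25519" or k_len != 32 or 8 + t_len + k_len != len(blob):
        raise ValueError("malformed ssh-ed25519 key line")
    return key_type, raw


def sha256_fingerprint(pem: str) -> str:
    """Same form as `ssh-keygen -lf`: SHA256: plus unpadded base64 of the blob hash."""
    raw = ed25519_pubkey_from_spki(pem_to_der(pem))
    digest = hashlib.sha256(ed25519_ssh_blob(raw)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    line = to_openssh_public_key(SAMPLE_PEM, "yubikey-slot-9a")
    print(line)
    print(sha256_fingerprint(SAMPLE_PEM))
```

The fingerprint is what to compare against the token side (for example `ssh-keygen -lf` on the line, or the fingerprint the PKCS#11 provider reports) before the converted line is installed anywhere; a converter that silently accepted another key type, or a truncated blob, would produce a line that looks valid but binds the wrong key, which is why both directions here fail closed on anything other than the exact layout.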