Using ssh authentication agent ssh-add with smartcards

Using ssh-agent makes smartcards easy to use, as you only enter your PIN code once per session.

Adding keys from PKCS#11 provider

If you are running OpenSSH in a shell environment, to load keys, type:

GNU/Linux:

$ ssh-add -s /usr/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:

Mac OS X:

$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:

Enter PIN code to authenticate.

Now verify that keys have been loaded:

$ ssh-add -l
2048 75:9e:dd:32:aa:*************:fb:57:1f:ad:2e /usr/lib/opensc-pkcs11.so (RSA)
2048 41:16:d5:c0:37:*************:75:d6:f1:81:dc /usr/lib/opensc-pkcs11.so (RSA)

You will be able to use SSH, SCP and SFTP without entering your PIN code again.

Now you may also comment out this line, which is no longer needed:

# PKCS11Provider /usr/lib/opensc-pkcs11.so

since ssh-agent will load the RSA keys from the smartcard.

Removing keys provided by PKCS#11 provider

Using the usual command does not work:

$ ssh-add -D

This will remove all identities, but the smartcard system will be left in an unusable state.

Instead, you should run:

GNU/Linux:

$ ssh-add -e /usr/lib/opensc-pkcs11.so

Mac OS X:

$ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
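The loading and removal steps above can be wrapped so that the provider is only added once per session, and is always removed with `ssh-add -e` rather than `ssh-add -D`. The script below is an added example, not part of the original page or of OpenSC; it assumes the GNU/Linux provider path from the page (override it with the `PKCS11_PROVIDER` environment variable, for example with the Mac OS X path), and the sample `ssh-add -l` listing with made-up fingerprints is constructed here so the parsing functions can be exercised without an agent or a card.

```shell
#!/bin/sh
# Added example: manage smartcard identities in ssh-agent via the PKCS#11
# provider. Load at most once, verify with `ssh-add -l`, unload with `-e`.

# Provider path from the page's GNU/Linux example; override for other systems,
# e.g. PKCS11_PROVIDER=/Library/OpenSC/lib/opensc-pkcs11.so on Mac OS X.
PKCS11_PROVIDER="${PKCS11_PROVIDER:-/usr/lib/opensc-pkcs11.so}"

# Constructed sample of `ssh-add -l` output (fingerprints are made up), used to
# exercise the parsing functions below without an agent or a card.
SAMPLE_LISTING='2048 75:9e:dd:32:aa:00:11:22:33:44:55:66:fb:57:1f:ad:2e /usr/lib/opensc-pkcs11.so (RSA)
2048 41:16:d5:c0:37:00:11:22:33:44:55:66:75:d6:f1:81:dc /usr/lib/opensc-pkcs11.so (RSA)
256 SHA256:constructed0fingerprint0for0a0file0key user@host (ED25519)'

# provider_loaded_in_listing PROVIDER LISTING
# Succeeds if LISTING (text of `ssh-add -l`) has an identity whose comment
# field is PROVIDER. In agent listings the provider path appears as the comment,
# surrounded by spaces, so a fixed-string match on " PROVIDER " is exact.
provider_loaded_in_listing() {
    printf '%s\n' "$2" | grep -F -q -- " $1 "
}

# count_provider_keys PROVIDER LISTING
# Prints how many identities in LISTING come from PROVIDER (0 if none).
count_provider_keys() {
    printf '%s\n' "$2" | grep -F -c -- " $1 " || true
}

# Current agent listing, or empty if the agent has no keys or is not running.
agent_listing() {
    ssh-add -l 2>/dev/null || true
}

# Load the provider into the running agent unless it is already there; this is
# where `ssh-add -s` prompts "Enter passphrase for PKCS#11:" for the PIN.
load_provider() {
    if provider_loaded_in_listing "$PKCS11_PROVIDER" "$(agent_listing)"; then
        echo "already loaded: $PKCS11_PROVIDER"
        return 0
    fi
    ssh-add -s "$PKCS11_PROVIDER"
}

# Remove only the smartcard identities. Never use `ssh-add -D` here: the page
# notes it leaves the smartcard subsystem in an unusable state.
unload_provider() {
    ssh-add -e "$PKCS11_PROVIDER"
}

# Report how many identities the agent currently holds from the provider.
status_provider() {
    n=$(count_provider_keys "$PKCS11_PROVIDER" "$(agent_listing)")
    echo "$n key(s) loaded from $PKCS11_PROVIDER"
}

# Usage: ./pkcs11-agent.sh load | unload | status
case "${1:-}" in
    load)   load_provider ;;
    unload) unload_provider ;;
    status) status_provider ;;
    *)      : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run `load` at the start of a session and `unload` before removing the card; `status` shows whether the card's keys are still in the agent, which is the same check the page performs by hand with `ssh-add -l`.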