opensc-pkcs11 not working with ssh-agent anymore on macOS 10.12.4 #1007

bwesterb opened this issue Mar 28, 2017 · 5 comments

commented Mar 28, 2017

Expected behaviour

I insert my yubiKey, run

ssh-add -s/opt/local/lib/

enter my PIN and now can successfully use my yubiKey for ssh without typing the PIN every time. This works on macOS 10.12.3.

Actual behaviour

I just updated to macOS 10.12.4 and this stopped working with the following generic error message.

$ ssh-add -s/opt/local/lib/
Enter passphrase for PKCS#11: 
Could not add card "/opt/local/lib/": agent refused operation

However, running ssh directly still works fine.

$ ssh -I/opt/local/lib/ user@myserver
Enter PIN for 'PIV_II (PIV Card Holder pin)':


  • I installed opensc via mac ports: opensc @0.16.0_0+readline
  • I use the ssh & ssh-agent that comes with macOS 10.12.4


Enabling logging (debug = 3) does not add any more output to the failing ssh-add. (However, it adds lots of data to the ssh call, but that is working as expected.)



commented Mar 28, 2017

I've seen this as well... similar circumstances to you but with ePass2003 tokens. I tried with OpenSC installed via homebrew and with the pkg.

Thanks for posting the workaround of ssh -I.



commented Mar 28, 2017

macOS 10.12.4 includes a new version of OpenSSH... the behavior of ssh-agent has changed such that you need to "whitelist" the location of pkcs11 libraries. See the manual page for ssh-agent and the -P option. It's not clear to me that there's anything for the OpenSC project to do about this.



commented Mar 28, 2017

Indeed, by default /opt is not in the whitelist. I moved under /usr/local/lib which is whitelisted. That fixed it. Thanks!

(I didn't know where the problem lay, sorry for the misreport.)



commented Apr 18, 2018

Please note for OS X:
Symbolically linking the lib from the /Library/OpenSC/lib/ location will not work. You have to either "move" it or copy it into the /usr/local/lib directory.



commented Dec 4, 2018

I found it also possible to whitelist /opt/local/lib/ itself by having launchd start ssh-agent with the -P/opt/local/lib/ option, by changing /System/Library/LaunchAgents/com.openssh.ssh-agent.plist to

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

and then rebooting.

N.B. To change com.openssh.ssh-agent.plist one must (temporarily) disable system integrity protection by running csrutil disable in recovery mode.
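The refusals and fixes in this thread all come down to one check: ssh-agent matches the PKCS#11 provider path against the pattern list given by its -P option. The POSIX sh below is an added example, not code from the issue, from OpenSSH or from OpenSC. It re-creates that check so the two outcomes reported here (a library under /opt/local/lib refused, the same library under /usr/local/lib accepted) and the effect of extending the list, as the launchd change above does, can be reproduced offline. The default list value, the module file name opensc-pkcs11.so and the helper names pkcs11_allowed and explain are assumptions; the man page for ssh-agent on the machine in question is the authority on the real default.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from OpenSSH/OpenSC.
# Reimplements, in POSIX sh, how ssh-agent decides whether a PKCS#11
# provider path passes its -P pattern list.
#
# Semantics mirrored from ssh-agent(1) and the PATTERNS section of ssh_config(5):
#   - the list is comma-separated; every entry is a pattern, not a directory
#   - '*' matches any run of characters (including '/'), '?' one character
#   - an entry starting with '!' is negated: if it matches, the path is refused
#     even when a positive entry also matches
# Simplification: shell 'case' also honours '[...]' bracket classes, which
# ssh-agent's matcher does not, so keep brackets out of patterns fed to this.

# ASSUMED default list; verify against `man ssh-agent` on the host in question.
DEFAULT_ALLOWLIST='/usr/lib/*,/usr/local/lib/*'

# pkcs11_allowed PROVIDER_PATH [ALLOWLIST]
#   exit status 0 = ssh-agent would load it, 1 = "agent refused operation"
pkcs11_allowed() {
    pa_path=$1
    pa_list=${2:-$DEFAULT_ALLOWLIST}
    pa_positive=1   # becomes 0 once some positive entry matches
    pa_negated=1    # becomes 0 once some negated entry matches

    # Walk the comma-separated list with parameter expansion only, so the
    # '*' in entries is never subjected to pathname expansion.
    pa_rest=$pa_list
    while [ -n "$pa_rest" ]; do
        pa_pat=${pa_rest%%,*}
        if [ "$pa_pat" = "$pa_rest" ]; then
            pa_rest=
        else
            pa_rest=${pa_rest#*,}
        fi
        if [ -z "$pa_pat" ]; then
            continue            # tolerate empty entries such as a trailing comma
        fi
        case $pa_pat in
            '!'*)
                # negated entry: strip the '!' and test the remainder
                case $pa_path in ${pa_pat#!}) pa_negated=0 ;; esac ;;
            *)
                case $pa_path in $pa_pat) pa_positive=0 ;; esac ;;
        esac
    done

    # a negated match wins over any positive match
    if [ "$pa_negated" -eq 0 ]; then
        return 1
    fi
    return "$pa_positive"
}

# explain PROVIDER_PATH [ALLOWLIST]: one-line verdict on stdout
explain() {
    if pkcs11_allowed "$1" "$2"; then
        echo "allowed: $1"
    else
        echo "refused: $1 (no match in '${2:-$DEFAULT_ALLOWLIST}')"
    fi
}

# Stand-alone demonstration. The module file name is an assumption; the
# thread only shows the directories.
explain /opt/local/lib/opensc-pkcs11.so
explain /usr/local/lib/opensc-pkcs11.so
# Equivalent of extending the list via -P, as the launchd change does.
explain /opt/local/lib/opensc-pkcs11.so '/usr/lib/*,/usr/local/lib/*,/opt/local/lib/*'
```

Because each -P entry is a pattern rather than a directory, the added list entry carries a trailing `*`; an entry that is just a directory path matches only that exact string and would still refuse a module inside it. The same matching also explains why a module under /usr/local/lib is accepted while the one under /opt/local/lib is not: the path as passed to ssh-add is what gets compared, nothing about the file itself.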
