jacobthesnacob

Reputation: 21

How to add multiple YubiKey PIV authentication keys to ssh-agent with ssh-add?

I have to SSH through a jump host to a remote server; both the jumpbox and the remote server have their own SSH keys stored on YubiKeys.

When I tried using ssh-agent with ssh-add to add the keys, it only prompted me for one YubiKey PIN (even when both were plugged in). Furthermore, I have no way of knowing which key it was loading or which PIN to use, although ssh-add seems to figure out which card to add based on which PIN I enter:

$  ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11: <PIN #1>
Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

When trying to add the other key, it fails:

$ ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Enter passphrase for PKCS#11: <PIN #2>
Could not add card "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so": agent refused operation

Trying with libykcs11 also fails when trying to add the second card (after successfully loading the first):

$ ssh-add -s /usr/lib/x86_64-linux-gnu/libykcs11.so
Enter passphrase for PKCS#11: <PIN #2>
Could not add card "/usr/lib/x86_64-linux-gnu/libykcs11.so": agent refused operation

Using Ubuntu 16.04.

Upvotes: 2

Views: 1434

Answers (1)

Jeremy Jackson

Reputation: 11

According to a detailed report:

https://www.spinics.net/lists/openssh-unix-dev/msg06440.html

it seems each "provider", or PKCS#11 library, can only be added once.

Upvotes: 1
