From: Sébastien Bourdeauducq
Subject: [bug] "failed to fetch key" messages when libykcs11 is both in ssh-agent and PKCS11Provider
To: ports@openbsd.org
Date: Sun, 5 Oct 2025 08:25:45 +0800

Hello,

Since OpenBSD 7.8-CURRENT, configuring libykcs11 for use both with and without ssh-agent, e.g.

> cat ~/.ssh/config
PKCS11Provider /usr/local/lib/libykcs11.so.1.1
> ssh-add -s/usr/local/lib/libykcs11.so.1.1

causes three "failed to fetch key" messages to appear when connecting to a host:

> ssh target
failed to fetch key
failed to fetch key
failed to fetch key

This setup is useful when using several different YubiKeys, some not being registered with ssh-agent. The messages are a mere inconvenience; the connection proceeds normally.

The -v flag shows more information:

debug1: OpenSSH_10.0, LibreSSL 4.2.0
debug1: Reading configuration data /home/sb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to target [192.168.1.1] port 22.
debug1: Connection established.
debug1: provider /usr/local/lib/libykcs11.so.1.1: manufacturerID cryptokiVersion 2.40 libraryDescription libraryVersion 2.71
debug1: provider /usr/local/lib/libykcs11.so.1.1 slot 0: label manufacturerID model serial flags 0x40d
debug1: pkcs11_record_key: ECDSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
debug1: have 1 keys
debug1: pkcs11_record_key: RSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 19
debug1: have 2 keys
debug1: pkcs11_record_key: ECDSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
debug1: pkcs11_record_key: Already seen this key at provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
failed to fetch key
debug1: pkcs11_record_key: RSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 19
debug1: pkcs11_record_key: Already seen this key at provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 19
failed to fetch key
debug1: pkcs11_record_key: ECDSA key: provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
debug1: pkcs11_record_key: Already seen this key at provider /usr/local/lib/libykcs11.so.1.1 slot 0 keyid 01
failed to fetch key

Regards,
Sébastien