
libykcs11 fails to load key into Windows 11 native ssh-agent #527

Open
jplejacq-quoininc-com opened this issue Jan 8, 2025 · 7 comments

Comments

@jplejacq-quoininc-com

OS: Windows 11 Pro 24H2
openssh: OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 (native package that is part of Windows)
libykcs11: Yubico.Piv-Tool 2.5.1
opensc-pkcs11.dll: OpenSC.OpenSC 0.23.0.0

If I follow the instructions provided by Yubico [1] or the substantially better instructions provided by [2], I always get the following error:

> ssh-add -v -v -v -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
Enter passphrase for PKCS#11:
Could not add card "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll": agent refused operation

The Windows event log shows two messages:

ssh-pkcs11-helper: error: dlopen C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll failed: The specified module could not be found.
ssh-agent: error: process_add_smartcard_key: failed to add key to store. count:-1

I tried numerous variations on forward/backward slashes for directory separators. I always get the same result. The path is correct as well as the permissions.

The Windows native ssh works fine with libykcs11.dll, it's only ssh-add that fails.

ssh-add works fine with OpenSC library, opensc-pkcs11.dll.

[1] https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client
[2] https://gist.github.com/daemonhorn/a6af1b76457b2c10b8058d0a2c919bc3

@wampum

wampum commented Jan 13, 2025

I get the same output / error as you with an invalid path to libykcs11.dll.

My guess is that you have installed the x86 32-bit version of yubico-piv-tool. If not, the dll is probably installed somewhere non-standard.

@jplejacq-quoininc-com
Author

jplejacq-quoininc-com commented Jan 13, 2025 via email

@ian-harwood

ian-harwood commented Jan 15, 2025

I hit the same problem. The fix for me was to put C:\Program Files\Yubico\Yubico PIV Tool\bin on the System Path, not the User Path. It also needs to be ahead of %SYSTEMROOT%\System32\OpenSSH\ on the System Path.

Restart the OpenSSH Authentication Agent service after updating the System Path.

@aveenismail
Member

The YKCS11 module has dependencies on libykpiv and libcrypto, so they both need to be in PATH for YKCS11 to work. The easiest solution is the one @ian-harwood wrote.

@jplejacq-quoininc-com
Author

jplejacq-quoininc-com commented Jan 15, 2025 via email

@aveenismail
Member

aveenismail commented Jan 16, 2025

I see two occurrences of C:\Program Files\FireDaemon OpenSSL 3\bin before the Yubico PIV Tool path in the output of $env:Path. From what I can tell, it looks like FireDaemon OpenSSL would have a libcrypto.dll. The Yubico PIV Tool is shipped with the libcrypto.dll it depends on. So if the libcrypto.dll in C:\Program Files\FireDaemon OpenSSL 3\bin has a different version than the one in C:\Program Files\Yubico\Yubico PIV Tool\bin, this could cause a clash that results in ykcs11 not finding the right dependency, since only the first libcrypto in the path gets loaded.

Can we try the following two workarounds to see if my theory that it's about the libcrypto version is correct or if we're looking in the wrong direction?

1- Navigate to C:\Program Files\Yubico\Yubico PIV Tool\bin then run the ssh-add command from there as follows
ssh-add -v -v -v -s ./libykcs11.dll

2- Put C:\Program Files\Yubico\Yubico PIV Tool\bin first in the path, then run the ssh-add command the way it is in the question of the issue.
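A diagnostic for the PATH conditions described in this thread (an added example, not code from the thread or from the yubico-piv-tool project): it reads the machine-scope Path that the OpenSSH Authentication Agent service inherits, reports whether the PIV Tool bin directory is present and ahead of the OpenSSH directory, and lists every libcrypto*.dll that sits earlier on that Path and would therefore be loaded instead of the copy the PIV Tool ships. The directory names are the ones quoted in the thread; the service name ssh-agent is the Windows service behind "OpenSSH Authentication Agent".

```powershell
# Added diagnostic (not from the issue thread). The ssh-agent service runs with the
# machine-scope Path, so user-scope Path entries never reach it; that is why a fix
# applied to the User Path does not take effect.
$pivBin = 'C:\Program Files\Yubico\Yubico PIV Tool\bin'      # path quoted in the thread
$sshDir = Join-Path $env:SystemRoot 'System32\OpenSSH'        # %SYSTEMROOT%\System32\OpenSSH

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Find-PathIndex([string[]]$Entries, [string]$Dir) {
    # Case-insensitive position of $Dir in the Path list, or -1 if absent.
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        if ($Entries[$i] -ieq $Dir.TrimEnd('\')) { return $i }
    }
    return -1
}

$pivIdx = Find-PathIndex $machinePath $pivBin
$sshIdx = Find-PathIndex $machinePath $sshDir
if ($pivIdx -lt 0) {
    Write-Warning "PIV Tool bin is not on the machine Path; ssh-agent cannot resolve libykpiv/libcrypto."
} elseif ($sshIdx -ge 0 -and $sshIdx -lt $pivIdx) {
    Write-Warning "PIV Tool bin (index $pivIdx) comes after OpenSSH (index $sshIdx); move it ahead."
} else {
    Write-Host "PIV Tool bin ordering relative to OpenSSH looks correct."
}

# Any libcrypto*.dll found in a Path directory before the PIV Tool one shadows the
# PIV Tool's own copy, because the loader takes the first match while walking Path.
$shadowing = @()
for ($i = 0; $i -lt $machinePath.Count; $i++) {
    if ($pivIdx -ge 0 -and $i -ge $pivIdx) { break }
    if (Test-Path -LiteralPath $machinePath[$i] -PathType Container) {
        Get-ChildItem -LiteralPath $machinePath[$i] -Filter 'libcrypto*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $shadowing += "$($_.FullName) (Path index $i)" }
    }
}
if ($shadowing) {
    Write-Warning "libcrypto copies that would load before the PIV Tool's own:"
    $shadowing | ForEach-Object { Write-Warning "  $_" }
}

# A running service keeps the environment it started with; after editing the machine
# Path, restart it from an elevated shell so the new Path is picked up:
# Restart-Service -Name ssh-agent
```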

@jplejacq-quoininc-com
Author

jplejacq-quoininc-com commented Jan 16, 2025 via email
