https://developers.yubico.com/yubico-pi ... KCS11.html
First, to remove the PKCS#11 lib from the ssh-agent, you need:
Code:
ssh-add -e $OPENSC_LIBS/opensc-pkcs11.so
Using "ssh-add -D" won't work even though "ssh-add -l" will keep telling you that the identity has been removed. Even if you add the PKCS#11 token with timeout (-t parameter to ssh-add), you'll need to use the above "ssh-add -e" to remove it after the time expires. This is quite confusing and took me some time to figure out (it seems more like a bug, really).
On older distros (Scientific Linux 6.7/Centos 6.7) the "ssh-keygen -D /usr/lib64/opensc-pkcs11.so -e" seems to be broken - it won't output the token's public key, but some other key's (like id_rsa). One way to do the equivalent is to use "ssh-add -L" after adding the PKCS#11 token via "ssh-add -s". Another workaround is to convert the public.pem to ssh format through some script.
If you encounter error that says yubico-piv-tool can't communicate with card, check if process called "pcsc-wrapper" is not running - it's part of gnupg and it's preventing yubico-piv-tool from communicating with the card (just kill pcsc-wrapper).
I've tried also working with the token using pkcs15-tool from OpenSC, but it seems largely not helpful. It can dump token contents via "pkcs15-tool -D", but that's about it. Using it to export public key in PEM/ssh format fails with Public key enumeration failed: Not implemented.Statistics: Posted by hiviah — Sun Nov 15, 2015 6:23 pm
]]>