diff --git a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
index e8507e1..6bcbf4b 100644
--- a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
+++ b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
@@ -25,6 +25,7 @@
    org.eclipse.jgit.transport",
  org.eclipse.jgit.internal.transport.sshd.agent;version="6.7.0";x-internal:=true,
  org.eclipse.jgit.internal.transport.sshd.auth;version="6.7.0";x-internal:=true,
+ org.eclipse.jgit.internal.transport.sshd.pkcs11;version="6.7.0";x-internal:=true,
  org.eclipse.jgit.internal.transport.sshd.proxy;version="6.7.0";x-friends:="org.eclipse.jgit.ssh.apache.test",
  org.eclipse.jgit.transport.sshd;version="6.7.0";
   uses:="org.eclipse.jgit.transport,
diff --git a/org.eclipse.jgit.ssh.apache/README.md b/org.eclipse.jgit.ssh.apache/README.md
index f06b2f6..b2911c6 100644
--- a/org.eclipse.jgit.ssh.apache/README.md
+++ b/org.eclipse.jgit.ssh.apache/README.md
@@ -73,7 +73,8 @@
 * **IdentityAgent** can be set to choose which SSH agent to use, if there are several running.
   It can also be set to `none` to explicitly switch off using an SSH agent at all.
 * **IdentitiesOnly** if set to `yes` and an SSH agent is used, only keys from the agent that are
-  also listed in an `IdentityFile` property will be considered. (It'll also switch off trying
+  also listed in an `IdentityFile` property and for which the public key is available in a
+  corresponding `*.pub` file will be considered. (It'll also switch off trying
   default key names, such as `~/.ssh/id_rsa` or `~/.ssh/id_ed25519`; only keys listed explicitly
   will be used.)
 
@@ -90,6 +91,57 @@
 not supported in JGit if its built-in SSH implementation is used. ed448 or other unsupported keys
 provided by an SSH agent are ignored.
 
+## PKCS#11 support
+
+JGit supports using PKCS#11 HSMs (Hardware Security Modules) such as YubiKey PIV for SSH
+authentication.
+
+Using such a PKCS#11 token for SSH authentication can be configured in `~/.ssh/config` with a
+configuration
+
+```
+  PCKS11Provider /absolute/path/to/vendor/library.so
+```
+
+instead of or in addition to `IdentityFile` or `IdentityAgent`. PKCS#11 keys are considered before
+keys from an SSH agent. If `IdentitiesOnly` is also set, only keys listed in `IdentityFile` for which
+the public key is available in a corresponding `*.pub` file are considered.
+
+If `PKCS11Provider` is not set, or is set to the value `none`, no PKCS#11 library is used.
+
+This is all as in OpenSSH.
+
+Keys from PKCS#11 tokens are never added to an SSH agent; the `AddKeysToAgent` configuration has
+no effect for PKCS#11 keys in JGit. It makes only sense if someone is using agent forwarding and
+it requires the SSH agent to understand the `SSH_AGENTC_ADD_SMARTCARD_KEY` command. It is unknown
+which SSH agents support this (OpenSSH does), the SSH library used by JGit has no API for it,
+and JGit doesn't do agent forwarding anyway. (To hop through servers to a git repository use
+`ProxyJump` instead.)
+
+JGit by default uses the first token (the default `slotListIndex` zero). The Java KeyStore or
+[Provider configuration](https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide1.html)
+does not seem to have any support for [RFC7512](https://www.rfc-editor.org/rfc/rfc7512) URIs
+to select the token. JGit provides a custom SSH configuration `PKCS11SlotListIndex` that can be
+set to the slot index of the token wanted. The value should be a non-negative integer. If not
+set or if negative, the first token (slot list index zero) is used. (Note that the value is the
+slot *index*, not the slot ID. Slot IDs are not necessarily stable.)
+
+If you *do* set `PKCS11SlotListIndex` anywhere in your configuration file, then you should also
+set at the very top of the `~/.ssh/config` file:
+
+```
+IgnoreUnknown PKCS11SlotListIndex
+```
+
+The `IgnoreUnknown` configuration tells OpenSSH to ignore configurations it doesn't know about.
+Without this option, OpenSSH will issue an error and exit if the config file contains
+`PKCS11SlotListIndex`. The `IgnoreUnknown` option is available in OpenSSH since version 6.3
+from 2013-09-13. See the [OpenSSH documentation](https://man.openbsd.org/ssh_config.5#IgnoreUnknown)
+for details.
+
+If a token has multiple certificates and keys, a specific one can be selected by exporting
+the public key to a file and then using `IdentitiesOnly` and an `IdentityFile` configuration.
+
 ## Using a different SSH implementation
 
 To use a different SSH implementation:
diff --git a/org.eclipse.jgit.ssh.apache/manual_tests.txt b/org.eclipse.jgit.ssh.apache/manual_tests.txt
new file mode 100644
index 0000000..ea3e59c
--- /dev/null
+++ b/org.eclipse.jgit.ssh.apache/manual_tests.txt
@@ -0,0 +1,45 @@
+Testing PKCS11 support
+----------------------
+
+# Install SoftHSM and OpenSC
+
+I got SoftHSM via MacPorts, and OpenSC from https://github.com/OpenSC/OpenSC#downloads
+
+You need both; softhsm2-util cannot import certificates.
+
+# Initialize SoftHSM
+
+$ softhsm2-util --init-token --slot 0 --label "TestToken" --pin 1234 --so-pin 4567
+The token has been initialized and is reassigned to slot 2006661923
+
+# Create a new RSA key and certificate
+
+$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -subj "/CN=MyCertTEST" -nodes
+
+# Import the RSA key pair into the SoftHSM token
+
+$ softhsm2-util --import key.pem --slot 2006661923 --label "testkey" --id 1212 --pin 1234
+
+# Convert the certificate to DER and import it into SoftHSM token
+
+$ openssl x509 -in cert.pem -out cert.der -outform DER
+$ pkcs11-tool --module /opt/local/lib/softhsm/libsofthsm2.so -l --id 1212 --label "testcert" -y cert -w cert.der --pin 1234
+
+# Export the RSA public key convert to PEM, and show in SSH format
+# (I'm sure this could be done simpler from the original key.pem, but what the heck.)
+
+pkcs11-tool --module /opt/local/lib/softhsm/libsofthsm2.so --slot 2006661923 --read-object --type pubkey --id 1212 -o key.der
+openssl rsa -pubin -inform DER -in key.der -outform PEM -out key.pub.pem
+ssh-keygen -f key.pub.pem -m pkcs8 -i
+
+# Install that public key at Gerrit (or your git server of choice)
+
+# Have an ~/.ssh/config with a host entry for your git server using the SoftHSM library as PKCS11 provider:
+
+Host gitserver
+Hostname git.eclipse.org
+Port 29418
+User ...
+PKCS11Provider /opt/local/lib/softhsm/libsofthsm2.so
+
+# Fetch from your git server! When asked for the PIN, enter 1234.
diff --git a/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties b/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
index c676221..7da7181 100644
--- a/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
+++ b/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties
@@ -32,17 +32,17 @@
 gssapiInitFailure=GSS-API initialization failure for mechanism {0}
 gssapiUnexpectedMechanism=Server {0} replied with unknown mechanism name ''{1}'' in {2} authentication
 gssapiUnexpectedMessage=Received unexpected ssh message {1} in {0} authentication
-identityFileCannotDecrypt=Given passphrase cannot decrypt identity {0}
+identityFileCannotDecrypt=Given passphrase cannot read identity {0}
 identityFileNoKey=No keys found in identity {0}
 identityFileMultipleKeys=Multiple key pairs found in identity {0}
 identityFileNotFound=Skipping identity ''{0}'': file not found
 identityFileUnsupportedFormat=Unsupported format in identity {0}
 invalidSignatureAlgorithm=Signature algorithm ''{0}'' is not valid for a key of type ''{1}''
 kexServerKeyInvalid=Server key did not validate
-keyEncryptedMsg=Key ''{0}'' is encrypted. Enter the passphrase to decrypt it.
+keyEncryptedMsg=''{0}'' needs a passphrase to be read.
 keyEncryptedPrompt=Passphrase
-keyEncryptedRetry=Encrypted key ''{0}'' could not be decrypted. Enter the passphrase again.
-keyLoadFailed=Could not load key ''{0}''
+keyEncryptedRetry=''{0}'' could not be read. Enter the passphrase again.
+keyLoadFailed=Could not load ''{0}''
 knownHostsCouldNotUpdate=Could not update known hosts file {0}
 knownHostsFileLockedUpdate=Could not update known hosts file (locked) {0}
 knownHostsFileReadFailed=Failed to read known hosts file {0}
@@ -69,6 +69,14 @@
 knownHostsUserAskCreationPrompt=Create file {0} ?
 loginDenied=Cannot log in at {0}:{1}
 passwordPrompt=Password
+pkcs11Error=ERROR: {0}
+pkcs11FailedInstantiation=HostConfig for host {0} (hostname {1}): could not instantiate {2} {3}
+pkcs11GeneralMessage=Java reported for PKCS#11 token {0}: {1}
+pkcs11NoKeys=HostConfig for host {0} (hostname {1}) {2} {3} did not provide any keys
+pkcs11NonExisting=HostConfig for host {0} (hostname {1}) {2} {3} does not exist or is not a file
+pkcs11NotAbsolute=HostConfig for host {0} (hostname {1}) {2} {3} is not an absolute path
+pkcs11Unsupported=HostConfig for host {0} (hostname {1}) {2} {3}: PKCS#11 is not supported
+pkcs11Warning=WARNING: {0}
 proxyCannotAuthenticate=Cannot authenticate to proxy {0}
 proxyHttpFailure=HTTP Proxy connection to {0} failed with code {1}: {2}
 proxyHttpInvalidUserName=HTTP proxy connection {0} with invalid user name; must not contain colons: {1}
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
index 76175cc..c19a04d 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
@@ -27,6 +27,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.function.Supplier;
 
 import org.apache.sshd.client.ClientBuilder;
 import org.apache.sshd.client.ClientFactoryManager;
@@ -55,6 +56,7 @@
 import org.eclipse.jgit.internal.transport.sshd.proxy.StatefulProxyConnector;
 import org.eclipse.jgit.transport.CredentialsProvider;
 import org.eclipse.jgit.transport.SshConstants;
+import org.eclipse.jgit.transport.sshd.KeyPasswordProvider;
 import org.eclipse.jgit.util.StringUtils;
 
 /**
@@ -69,6 +71,12 @@
 public class JGitClientSession extends ClientSessionImpl {
 
 	/**
+	 * Attribute set by {@link JGitSshClient} to make the
+	 * {@link KeyPasswordProvider} factory accessible via the session.
+	 */
+	public static final AttributeKey<Supplier<KeyPasswordProvider>> KEY_PASSWORD_PROVIDER_FACTORY = new AttributeKey<>();
+
+	/**
 	 * Default setting for the maximum number of bytes to read in the initial
 	 * protocol version exchange. 64kb is what OpenSSH &lt; 8.0 read; OpenSSH
 	 * 8.0 changed it to 8Mb, but that seems excessive for the purpose stated in
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
index e2da799..9f1df89 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2018, 2022 Thomas Wolf <thomas.wolf@paranor.ch> and others
+ * Copyright (C) 2018, 2023 Thomas Wolf <twolf@apache.org> and others
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0 which is available at
@@ -10,8 +10,12 @@
 package org.eclipse.jgit.internal.transport.sshd;
 
 import static java.text.MessageFormat.format;
+import static org.eclipse.jgit.transport.SshConstants.NONE;
+import static org.eclipse.jgit.transport.SshConstants.PKCS11_PROVIDER;
+import static org.eclipse.jgit.transport.SshConstants.PKCS11_SLOT_LIST_INDEX;
 import static org.eclipse.jgit.transport.SshConstants.PUBKEY_ACCEPTED_ALGORITHMS;
 
+import java.io.File;
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
@@ -25,6 +29,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -49,19 +54,25 @@
 import org.apache.sshd.common.config.keys.u2f.SecurityKeyPublicKey;
 import org.apache.sshd.common.signature.Signature;
 import org.apache.sshd.common.signature.SignatureFactoriesManager;
+import org.apache.sshd.common.util.GenericUtils;
 import org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile;
+import org.eclipse.jgit.internal.transport.sshd.pkcs11.Pkcs11Provider;
 import org.eclipse.jgit.transport.CredentialItem;
 import org.eclipse.jgit.transport.CredentialsProvider;
 import org.eclipse.jgit.transport.SshConstants;
 import org.eclipse.jgit.transport.URIish;
+import org.eclipse.jgit.util.FS;
 import org.eclipse.jgit.util.StringUtils;
 
 /**
  * Custom {@link UserAuthPublicKey} implementation for handling SSH config
- * PubkeyAcceptedAlgorithms and interaction with the SSH agent.
+ * PubkeyAcceptedAlgorithms and interaction with the SSH agent and PKCS11
+ * providers.
  */
 public class JGitPublicKeyAuthentication extends UserAuthPublicKey {
 
+	private static final String LOG_FORMAT = "{}"; //$NON-NLS-1$
+
 	private SshAgent agent;
 
 	private HostConfigEntry hostConfig;
@@ -102,7 +113,7 @@ public void init(ClientSession rawSession, String service)
 				super.init(session, service);
 				return;
 			}
-			log.warn(format(SshdText.get().configNoKnownAlgorithms,
+			log.warn(LOG_FORMAT, format(SshdText.get().configNoKnownAlgorithms,
 					PUBKEY_ACCEPTED_ALGORITHMS, pubkeyAlgos));
 		}
 		// TODO: remove this once we're on an sshd version that has SSHD-1272
@@ -181,7 +192,7 @@ protected PublicKeyIdentity resolveAttemptedPublicKeyIdentity(
 				} catch (IOException e) {
 					// Do not re-throw: we don't want authentication to fail if
 					// we cannot add the key to the agent.
-					log.error(
+					log.error(LOG_FORMAT,
 							format(SshdText.get().pubkeyAuthAddKeyToAgentError,
 									keyType, fingerprint),
 							e);
@@ -303,13 +314,6 @@ protected void releaseKeys() throws IOException {
 
 	private class KeyIterator extends UserAuthPublicKeyIterator {
 
-		private Iterable<? extends Map.Entry<PublicKey, String>> agentKeys;
-
-		// If non-null, all the public keys from explicitly given key files. Any
-		// agent key not matching one of these public keys will be ignored in
-		// getIdentities().
-		private Collection<PublicKey> identityFiles;
-
 		public KeyIterator(ClientSession session,
 				SignatureFactoriesManager manager)
 				throws Exception {
@@ -331,7 +335,8 @@ private List<PublicKey> getExplicitKeys(
 					}
 				} catch (InvalidPathException | IOException
 						| GeneralSecurityException e) {
-					log.warn(format(SshdText.get().cannotReadPublicKey, s), e);
+					log.warn("{}", //$NON-NLS-1$
+							format(SshdText.get().cannotReadPublicKey, s), e);
 				}
 				return null;
 			}).filter(Objects::nonNull).collect(Collectors.toList());
@@ -340,36 +345,40 @@ private List<PublicKey> getExplicitKeys(
 		@Override
 		protected Iterable<KeyAgentIdentity> initializeAgentIdentities(
 				ClientSession session) throws IOException {
-			if (agent == null) {
+			Iterable<KeyAgentIdentity> allAgentKeys = getAgentIdentities();
+			if (allAgentKeys == null) {
 				return null;
 			}
-			agentKeys = agent.getIdentities();
-			if (hostConfig != null && hostConfig.isIdentitiesOnly()) {
-				identityFiles = getExplicitKeys(hostConfig.getIdentities());
+			Collection<PublicKey> identityFiles = identitiesOnly();
+			if (GenericUtils.isEmpty(identityFiles)) {
+				return allAgentKeys;
 			}
+
+			// Only consider agent or PKCS11 keys that match a known public key
+			// file.
 			return () -> new Iterator<>() {
 
-				private final Iterator<? extends Map.Entry<PublicKey, String>> iter = agentKeys
+				private final Iterator<KeyAgentIdentity> identities = allAgentKeys
 						.iterator();
 
-				private Map.Entry<PublicKey, String> next;
+				private KeyAgentIdentity next;
 
 				@Override
 				public boolean hasNext() {
-					while (next == null && iter.hasNext()) {
-						Map.Entry<PublicKey, String> val = iter.next();
-						PublicKey pk = val.getKey();
+					while (next == null && identities.hasNext()) {
+						KeyAgentIdentity val = identities.next();
+						PublicKey pk = val.getKeyIdentity().getPublic();
 						// This checks against all explicit keys for any agent
 						// key, but since identityFiles.size() is typically 1,
 						// it should be fine.
-						if (identityFiles == null || identityFiles.stream()
+						if (identityFiles.stream()
 								.anyMatch(k -> KeyUtils.compareKeys(k, pk))) {
 							next = val;
 							return true;
 						}
 						if (log.isTraceEnabled()) {
 							log.trace(
-									"Ignoring SSH agent {} key not in explicit IdentityFile in SSH config: {}", //$NON-NLS-1$
+									"Ignoring SSH agent or PKCS11 {} key not in explicit IdentityFile in SSH config: {}", //$NON-NLS-1$
 									KeyUtils.getKeyType(pk),
 									KeyUtils.getFingerPrint(pk));
 						}
@@ -382,12 +391,157 @@ public KeyAgentIdentity next() {
 					if (!hasNext()) {
 						throw new NoSuchElementException();
 					}
-					KeyAgentIdentity result = new KeyAgentIdentity(agent,
-							next.getKey(), next.getValue());
+					KeyAgentIdentity result = next;
 					next = null;
 					return result;
 				}
 			};
 		}
+
+		private Collection<PublicKey> identitiesOnly() {
+			if (hostConfig != null && hostConfig.isIdentitiesOnly()) {
+				return getExplicitKeys(hostConfig.getIdentities());
+			}
+			return Collections.emptyList();
+		}
+
+		private Iterable<KeyAgentIdentity> getAgentIdentities()
+				throws IOException {
+			Iterable<KeyAgentIdentity> pkcs11Keys = getPkcs11Keys();
+			if (agent == null) {
+				return pkcs11Keys;
+			}
+			Iterable<? extends Map.Entry<PublicKey, String>> agentKeys = agent
+					.getIdentities();
+			if (GenericUtils.isEmpty(agentKeys)) {
+				return pkcs11Keys;
+			}
+			Iterable<KeyAgentIdentity> fromAgent = () -> new Iterator<>() {
+
+				private final Iterator<? extends Map.Entry<PublicKey, String>> iter = agentKeys
+						.iterator();
+
+				@Override
+				public boolean hasNext() {
+					return iter.hasNext();
+				}
+
+				@Override
+				public KeyAgentIdentity next() {
+					Map.Entry<PublicKey, String> next = iter.next();
+					return new KeyAgentIdentity(agent, next.getKey(),
+							next.getValue());
+				}
+			};
+			if (GenericUtils.isEmpty(pkcs11Keys)) {
+				return fromAgent;
+			}
+			return () -> new Iterator<>() {
+
+				private final Iterator<Iterator<KeyAgentIdentity>> keyIter = List
+						.of(pkcs11Keys.iterator(), fromAgent.iterator())
+						.iterator();
+
+				private Iterator<KeyAgentIdentity> currentKeys;
+
+				private Boolean hasElement;
+
+				@Override
+				public boolean hasNext() {
+					if (hasElement != null) {
+						return hasElement.booleanValue();
+					}
+					while (currentKeys == null || !currentKeys.hasNext()) {
+						if (keyIter.hasNext()) {
+							currentKeys = keyIter.next();
+						} else {
+							currentKeys = null;
+							hasElement = Boolean.FALSE;
+							return false;
+						}
+					}
+					hasElement = Boolean.TRUE;
+					return true;
+				}
+
+				@Override
+				public KeyAgentIdentity next() {
+					if (hasElement == null && !hasNext()
+							|| !hasElement.booleanValue()) {
+						throw new NoSuchElementException();
+					}
+					hasElement = null;
+					KeyAgentIdentity result;
+					try {
+						result = currentKeys.next();
+					} catch (NoSuchElementException e) {
+						result = null;
+					}
+					return result;
+				}
+			};
+		}
+
+		private Iterable<KeyAgentIdentity> getPkcs11Keys() throws IOException {
+			String value = hostConfig.getProperty(PKCS11_PROVIDER);
+			if (StringUtils.isEmptyOrNull(value) || NONE.equals(value)) {
+				return null;
+			}
+			if (value.startsWith("~/") //$NON-NLS-1$
+					|| value.startsWith('~' + File.separator)) {
+				value = new File(FS.DETECTED.userHome(), value.substring(2))
+						.toString();
+			}
+			Path library = Paths.get(value);
+			if (!library.isAbsolute()) {
+				throw new IOException(format(SshdText.get().pkcs11NotAbsolute,
+						hostConfig.getHost(), hostConfig.getHostName(),
+						PKCS11_PROVIDER, value));
+			}
+			if (!Files.isRegularFile(library)) {
+				throw new IOException(format(SshdText.get().pkcs11NonExisting,
+						hostConfig.getHost(), hostConfig.getHostName(),
+						PKCS11_PROVIDER, value));
+			}
+			try {
+				int slotListIndex = OpenSshConfigFile.positive(
+						hostConfig.getProperty(PKCS11_SLOT_LIST_INDEX));
+				Pkcs11Provider provider = Pkcs11Provider.getProvider(library,
+						slotListIndex);
+				if (provider == null) {
+					throw new UnsupportedOperationException();
+				}
+				Iterable<KeyAgentIdentity> pkcs11Identities = provider
+						.getKeys(getSession());
+				if (GenericUtils.isEmpty(pkcs11Identities)) {
+					log.warn(LOG_FORMAT, format(SshdText.get().pkcs11NoKeys,
+							hostConfig.getHost(), hostConfig.getHostName(),
+							PKCS11_PROVIDER, value));
+					return null;
+				}
+				return pkcs11Identities;
+			} catch (UnsupportedOperationException e) {
+				throw new UnsupportedOperationException(format(
+						SshdText.get().pkcs11Unsupported, hostConfig.getHost(),
+						hostConfig.getHostName(), PKCS11_PROVIDER, value), e);
+			} catch (Exception e) {
+				checkCancellation(e);
+				throw new IOException(
+						format(SshdText.get().pkcs11FailedInstantiation,
+								hostConfig.getHost(), hostConfig.getHostName(),
+								PKCS11_PROVIDER, value),
+						e);
+			}
+		}
+
+		private void checkCancellation(Throwable e) {
+			Throwable t = e;
+			while (t != null) {
+				if (t instanceof AuthenticationCanceledException) {
+					throw (AuthenticationCanceledException) t;
+				}
+				t = t.getCause();
+			}
+		}
 	}
 }
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
index 311cf19..6e9bd62 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitSshClient.java
@@ -32,6 +32,7 @@
 import java.util.Map;
 import java.util.NoSuchElementException;
 import java.util.Objects;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
 import org.apache.sshd.client.SshClient;
@@ -58,6 +59,7 @@
 import org.eclipse.jgit.transport.CredentialsProvider;
 import org.eclipse.jgit.transport.SshConstants;
 import org.eclipse.jgit.transport.sshd.KeyCache;
+import org.eclipse.jgit.transport.sshd.KeyPasswordProvider;
 import org.eclipse.jgit.transport.sshd.ProxyData;
 import org.eclipse.jgit.transport.sshd.ProxyDataFactory;
 import org.eclipse.jgit.util.StringUtils;
@@ -103,6 +105,8 @@ public class JGitSshClient extends SshClient {
 
 	private CredentialsProvider credentialsProvider;
 
+	private Supplier<KeyPasswordProvider> keyPasswordProviderFactory;
+
 	private ProxyDataFactory proxyDatabase;
 
 	@Override
@@ -277,6 +281,8 @@ private JGitClientSession createSession(IoSession ioSession,
 		}
 		int numberOfPasswordPrompts = getNumberOfPasswordPrompts(hostConfig);
 		PASSWORD_PROMPTS.set(session, Integer.valueOf(numberOfPasswordPrompts));
+		session.setAttribute(JGitClientSession.KEY_PASSWORD_PROVIDER_FACTORY,
+				getKeyPasswordProviderFactory());
 		List<Path> identities = hostConfig.getIdentities().stream()
 				.map(s -> {
 					try {
@@ -374,6 +380,26 @@ public CredentialsProvider getCredentialsProvider() {
 	}
 
 	/**
+	 * Sets a supplier for a {@link KeyPasswordProvider} for this client.
+	 *
+	 * @param factory
+	 *            to set
+	 */
+	public void setKeyPasswordProviderFactory(
+			Supplier<KeyPasswordProvider> factory) {
+		keyPasswordProviderFactory = factory;
+	}
+
+	/**
+	 * Retrieves the {@link KeyPasswordProvider} factory of this client.
+	 *
+	 * @return a factory to create {@link KeyPasswordProvider}s
+	 */
+	public Supplier<KeyPasswordProvider> getKeyPasswordProviderFactory() {
+		return keyPasswordProviderFactory;
+	}
+
+	/**
 	 * A {@link SessionFactory} to create our own specialized
 	 * {@link JGitClientSession}s.
 	 */
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
index 39332d9..34c73fc 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/SshdText.java
@@ -90,6 +90,14 @@ public static SshdText get() {
 	/***/ public String knownHostsUserAskCreationPrompt;
 	/***/ public String loginDenied;
 	/***/ public String passwordPrompt;
+	/***/ public String pkcs11Error;
+	/***/ public String pkcs11FailedInstantiation;
+	/***/ public String pkcs11GeneralMessage;
+	/***/ public String pkcs11NoKeys;
+	/***/ public String pkcs11NonExisting;
+	/***/ public String pkcs11NotAbsolute;
+	/***/ public String pkcs11Unsupported;
+	/***/ public String pkcs11Warning;
 	/***/ public String proxyCannotAuthenticate;
 	/***/ public String proxyHttpFailure;
 	/***/ public String proxyHttpInvalidUserName;
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/pkcs11/Pkcs11Provider.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/pkcs11/Pkcs11Provider.java
new file mode 100644
index 0000000..eefa3aa
--- /dev/null
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/pkcs11/Pkcs11Provider.java
@@ -0,0 +1,372 @@
+/*
+ * Copyright (C) 2023 Thomas Wolf <twolf@apache.org> and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Distribution License v. 1.0 which is available at
+ * https://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+package org.eclipse.jgit.internal.transport.sshd.pkcs11;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.Signature;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.AbstractMap.SimpleImmutableEntry;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import javax.security.auth.login.FailedLoginException;
+
+import org.apache.sshd.agent.SshAgent;
+import org.apache.sshd.agent.SshAgentKeyConstraint;
+import org.apache.sshd.client.auth.pubkey.KeyAgentIdentity;
+import org.apache.sshd.common.session.SessionContext;
+import org.apache.sshd.common.signature.BuiltinSignatures;
+import org.eclipse.jgit.annotations.NonNull;
+import org.eclipse.jgit.transport.URIish;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Bridge for using a PKCS11 HSM (Hardware Security Module) for public-key
+ * authentication.
+ */
+public class Pkcs11Provider {
+
+	private static final Logger LOG = LoggerFactory
+			.getLogger(Pkcs11Provider.class);
+
+	/**
+	 * A dummy agent; exists only because
+	 * {@link KeyAgentIdentity#KeyAgentIdentity(SshAgent, PublicKey, String)} requires
+	 * a non-{@code null} {@link SshAgent}.
+	 */
+	private static final SshAgent NULL_AGENT = new SshAgent() {
+
+		@Override
+		public boolean isOpen() {
+			return true;
+		}
+
+		@Override
+		public void close() throws IOException {
+			// Nothing to do
+		}
+
+		@Override
+		public Iterable<? extends Entry<PublicKey, String>> getIdentities()
+				throws IOException {
+			throw new UnsupportedOperationException();
+		}
+
+		@Override
+		public Entry<String, byte[]> sign(SessionContext session, PublicKey key,
+				String algo, byte[] data) throws IOException {
+			throw new UnsupportedOperationException();
+		}
+
+		@Override
+		public void addIdentity(KeyPair key, String comment,
+				SshAgentKeyConstraint... constraints) throws IOException {
+			throw new UnsupportedOperationException();
+		}
+
+		@Override
+		public void removeIdentity(PublicKey key) throws IOException {
+			throw new UnsupportedOperationException();
+		}
+
+		@Override
+		public void removeAllIdentities() throws IOException {
+			throw new UnsupportedOperationException();
+		}
+
+	};
+
+	private static final Map<String, Pkcs11Provider> PROVIDERS = new ConcurrentHashMap<>();
+
+	private static final AtomicInteger COUNT = new AtomicInteger();
+
+	/**
+	 * Creates a new {@link Pkcs11Provider}.
+	 *
+	 * @param library
+	 *            {@link Path} to the library the SunPKCS11 provider shall use
+	 * @param slotListIndex
+	 *            index identifying the token; if &lt; 0, ignored and 0 is used
+	 * @return a new {@link Pkcs11Provider}, or {@code null} if SunPKCS11 is not
+	 *         available
+	 * @throws IOException
+	 *             if the configuration file cannot be created
+	 * @throws java.security.ProviderException
+	 *             if the Java {@link Provider} encounters a problem
+	 * @throws UnsupportedOperationException
+	 *             if PKCS#11 is unsupported
+	 */
+	public static Pkcs11Provider getProvider(@NonNull Path library,
+			int slotListIndex) throws IOException {
+		int slotIndex = slotListIndex < 0 ? 0 : slotListIndex;
+		Path libPath = library.toAbsolutePath();
+		String key = libPath.toString() + '/' + slotIndex;
+		return PROVIDERS.computeIfAbsent(key, sharedLib -> {
+			Provider pkcs11 = Security.getProvider("SunPKCS11"); //$NON-NLS-1$
+			if (pkcs11 == null) {
+				throw new UnsupportedOperationException();
+			}
+			// There must not be any spaces in the name.
+			String name = libPath.getFileName().toString().replaceAll("\\s", //$NON-NLS-1$
+					""); //$NON-NLS-1$
+			name = "JGit-" + slotIndex + '-' + name; //$NON-NLS-1$
+			// SunPKCS11 has a problem with paths containing multiple successive
+			// spaces; it collapses them to a single space.
+			//
+			// However, it also performs property expansion on these paths.
+			// (Seems to be an undocumented feature, though.) A reference like
+			// ${xyz} is replaced by system property "xyz". Use that to work
+			// around the rudimentary config parsing in SunPKCS11.
+			String property = "pkcs11-" + COUNT.incrementAndGet() + '-' + name; //$NON-NLS-1$
+			System.setProperty(property, libPath.toString());
+			// Undocumented feature of the SunPKCS11 provider: if the parameter
+			// to configure() starts with two dashes, it's not a file name but
+			// the configuration directly.
+			String config = "--" //$NON-NLS-1$
+					+ "name = " + name + '\n' //$NON-NLS-1$
+					+ "library = ${" + property + "}\n" //$NON-NLS-1$ //$NON-NLS-2$
+					+ "slotListIndex = " + slotIndex + '\n'; //$NON-NLS-1$
+			if (LOG.isDebugEnabled()) {
+				LOG.debug(
+						"{}: configuring provider with system property {}={} and config:{}{}", //$NON-NLS-1$
+						name, property, libPath, System.lineSeparator(),
+						config);
+			}
+			pkcs11 = pkcs11.configure(config);
+			// Produce an RFC7512 URI. Empty path, module-path must be in
+			// the query.
+			String path = "pkcs11:?module-path=" + libPath; //$NON-NLS-1$
+			if (slotListIndex > 0) {
+				// RFC7512 has nothing for the slot list index; pretend it
+				// was a vendor-specific query attribute.
+				path += "&slot-list-index=" + slotListIndex; //$NON-NLS-1$
+			}
+			SecurityCallback callback = new SecurityCallback(
+					new URIish().setPath(path));
+			return new Pkcs11Provider(pkcs11, callback);
+		});
+	}
+
+	private final Provider provider;
+
+	private final SecurityCallback prompter;
+
+	private final KeyStore.Builder builder;
+
+	private KeyStore keys;
+
+	private Pkcs11Provider(Provider pkcs11, SecurityCallback prompter) {
+		this.provider = pkcs11;
+		this.prompter = prompter;
+		this.builder = KeyStore.Builder.newInstance("PKCS11", provider, //$NON-NLS-1$
+				new KeyStore.CallbackHandlerProtection(prompter));
+	}
+
+	// Implementation note: With SoftHSM Java 11 asks for the PIN when the
+	// KeyStore is loaded, i.e., when the token is accessed. softhsm2-util,
+	// however, can list certificates and public keys without PIN entry, but
+	// needs a PIN to also list private keys. So it appears that different
+	// module libraries or possibly different KeyStore implementations may
+	// prompt either when accessing the token, or only when we try to actually
+	// sign something (i.e., when accessing a private key). It may also depend
+	// on the token itself; some tokens require early log-in.
+	//
+	// Therefore we initialize the prompter in both cases, even if it may be
+	// unused in one or the other operation.
+	//
+	// The price to pay is that sign() has to be synchronized, too, to avoid
+	// that different sessions step on each other's toes in the prompter.
+
+	private synchronized void load(SessionContext session)
+			throws GeneralSecurityException, IOException {
+		if (keys == null) {
+			int numberOfPrompts = prompter.init(session);
+			int attempt = 0;
+			while (attempt < numberOfPrompts) {
+				attempt++;
+				try {
+					if (LOG.isDebugEnabled()) {
+						LOG.debug(
+								"{}: Loading PKCS#11 KeyStore (attempt {})", //$NON-NLS-1$
+								getName(), Integer.toString(attempt));
+					}
+					keys = builder.getKeyStore();
+					prompter.passwordTried(null);
+					return;
+				} catch (GeneralSecurityException e) {
+					if (!prompter.passwordTried(e) || attempt >= numberOfPrompts
+							|| !isWrongPin(e)) {
+						throw e;
+					}
+				}
+			}
+		}
+	}
+
+	synchronized byte[] sign(SessionContext session, String algorithm,
+			String alias, byte[] data)
+			throws GeneralSecurityException, IOException {
+		int numberOfPrompts = prompter.init(session);
+		int attempt = 0;
+		while (attempt < numberOfPrompts) {
+			attempt++;
+			try {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug(
+							"{}: Signing with PKCS#11 key {}, algorithm {} (attempt {})", //$NON-NLS-1$
+							getName(), alias, algorithm,
+							Integer.toString(attempt));
+				}
+				Signature signer = Signature.getInstance(algorithm, provider);
+				PrivateKey privKey = (PrivateKey) keys.getKey(alias, null);
+				signer.initSign(privKey);
+				signer.update(data);
+				byte[] signature = signer.sign();
+				prompter.passwordTried(null);
+				return signature;
+			} catch (GeneralSecurityException e) {
+				if (!prompter.passwordTried(e) || attempt >= numberOfPrompts
+						|| !isWrongPin(e)) {
+					throw e;
+				}
+			}
+		}
+		return null;
+	}
+
+	private boolean isWrongPin(Throwable e) {
+		Throwable t = e;
+		while (t != null) {
+			if (t instanceof FailedLoginException) {
+				return true;
+			}
+			t = t.getCause();
+		}
+		return false;
+	}
+
+	/**
+	 * Retrieves an identifying name of this {@link Pkcs11Provider}.
+	 *
+	 * @return the name
+	 */
+	public String getName() {
+		return provider.getName();
+	}
+
+	/**
+	 * Obtains the identities provided by the PKCS11 library.
+	 *
+	 * @param session
+	 *            in which we to load the identities
+	 * @return all the available identities
+	 * @throws IOException
+	 *             if keys cannot be accessed
+	 * @throws GeneralSecurityException
+	 *             if keys cannot be accessed
+	 */
+	public Iterable<KeyAgentIdentity> getKeys(SessionContext session)
+			throws IOException, GeneralSecurityException {
+		// Get all public keys from the KeyStore.
+		load(session);
+		List<KeyAgentIdentity> result = new ArrayList<>(2);
+		Enumeration<String> aliases = keys.aliases();
+		while (aliases.hasMoreElements()) {
+			String alias = aliases.nextElement();
+			Certificate certificate = keys.getCertificate(alias);
+			if (certificate == null) {
+				continue;
+			}
+			PublicKey pubKey = certificate.getPublicKey();
+			if (pubKey == null) {
+				// This should never happen
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("{}: certificate {} has no public key??", //$NON-NLS-1$
+							getName(), alias);
+				}
+				continue;
+			}
+			if (LOG.isDebugEnabled()) {
+				if (certificate instanceof X509Certificate) {
+					X509Certificate x509 = (X509Certificate) certificate;
+					// OpenSSH does not seem to check certificate validity?
+					String msg;
+					try {
+						x509.checkValidity();
+						msg = "Certificate is valid"; //$NON-NLS-1$
+					} catch (CertificateExpiredException
+							| CertificateNotYetValidException e) {
+						msg = "Certificate is INVALID"; //$NON-NLS-1$
+					}
+					// OpenSSh explicitly also considers private keys not
+					// intended for signing, see
+					// https://bugzilla.mindrot.org/show_bug.cgi?id=1736 .
+					boolean[] usage = x509.getKeyUsage();
+					if (usage != null) {
+						// We have no access to the PKCS#11 flags on the key, so
+						// report the certificate flag, if present.
+						msg += ", signing " //$NON-NLS-1$
+								+ (usage[0] ? "allowed" : "NOT allowed"); //$NON-NLS-1$ //$NON-NLS-2$
+					}
+					LOG.debug(
+							"{}: Loaded X.509 certificate {}, key type {}. {}.", //$NON-NLS-1$
+							getName(), alias, pubKey.getAlgorithm(), msg);
+				} else {
+					LOG.debug("{}: Loaded certificate {}, key type {}.", //$NON-NLS-1$
+							getName(), alias, pubKey.getAlgorithm());
+				}
+			}
+			result.add(new Pkcs11Identity(pubKey, alias));
+		}
+		return result;
+	}
+
+	// We use a KeyAgentIdentity because we want to hide the private key.
+	//
+	// JGit doesn't do Agent forwarding, so there will never be any reason to
+	// add a PKCS11 key/token to an agent.
+	private class Pkcs11Identity extends KeyAgentIdentity {
+
+		Pkcs11Identity(PublicKey key, String alias) {
+			super(NULL_AGENT, key, alias);
+		}
+
+		@Override
+		public Entry<String, byte[]> sign(SessionContext session, String algo,
+				byte[] data) throws Exception {
+			// Find the built-in signature factory for the algorithm
+			BuiltinSignatures factory = BuiltinSignatures.fromFactoryName(algo);
+			// Get its Java signature algorithm name from that
+			String javaSignatureName = factory.create().getAlgorithm();
+			// We cannot use the Signature created by the factory -- we need a
+			// provider-specific Signature instance.
+			return new SimpleImmutableEntry<>(algo,
+					Pkcs11Provider.this.sign(session, javaSignatureName,
+							getComment(), data));
+		}
+	}
+}
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/pkcs11/SecurityCallback.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/pkcs11/SecurityCallback.java
new file mode 100644
index 0000000..334a8ca
--- /dev/null
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/pkcs11/SecurityCallback.java
@@ -0,0 +1,246 @@
+/*
+ * Copyright (C) 2023 Thomas Wolf <twolf@apache.org> and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Distribution License v. 1.0 which is available at
+ * https://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+package org.eclipse.jgit.internal.transport.sshd.pkcs11;
+
+import static java.text.MessageFormat.format;
+import static org.apache.sshd.core.CoreModuleProperties.PASSWORD_PROMPTS;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
+import java.util.function.Supplier;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.ChoiceCallback;
+import javax.security.auth.callback.ConfirmationCallback;
+import javax.security.auth.callback.LanguageCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.TextInputCallback;
+import javax.security.auth.callback.TextOutputCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.sshd.common.session.SessionContext;
+import org.eclipse.jgit.internal.transport.sshd.AuthenticationCanceledException;
+import org.eclipse.jgit.internal.transport.sshd.JGitClientSession;
+import org.eclipse.jgit.internal.transport.sshd.SshdText;
+import org.eclipse.jgit.transport.CredentialItem;
+import org.eclipse.jgit.transport.CredentialsProvider;
+import org.eclipse.jgit.transport.URIish;
+import org.eclipse.jgit.transport.sshd.KeyPasswordProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A bridge to the JGit {@link CredentialsProvider}.
+ */
+public class SecurityCallback implements CallbackHandler {
+
+	private static final Logger LOG = LoggerFactory
+			.getLogger(SecurityCallback.class);
+
+	private final URIish uri;
+
+	private KeyPasswordProvider passwordProvider;
+
+	private CredentialsProvider credentialsProvider;
+
+	private int attempts = 0;
+
+	/**
+	 * Creates a new {@link SecurityCallback}.
+	 *
+	 * @param uri
+	 *            {@link URIish} identifying the item the interaction is about
+	 */
+	public SecurityCallback(URIish uri) {
+		this.uri = uri;
+	}
+
+	/**
+	 * Initializes this {@link SecurityCallback} for the given session.
+	 *
+	 * @param session
+	 *            {@link SessionContext} of the keystore access
+	 * @return the number of PIN prompts to try to log-in to the token
+	 */
+	public int init(SessionContext session) {
+		int numberOfAttempts = PASSWORD_PROMPTS.getRequired(session).intValue();
+		Supplier<KeyPasswordProvider> factory = session
+				.getAttribute(JGitClientSession.KEY_PASSWORD_PROVIDER_FACTORY);
+		if (factory == null) {
+			passwordProvider = null;
+		} else {
+			passwordProvider = factory.get();
+			passwordProvider.setAttempts(numberOfAttempts);
+		}
+		attempts = 0;
+		if (session instanceof JGitClientSession) {
+			credentialsProvider = ((JGitClientSession) session)
+					.getCredentialsProvider();
+		} else {
+			credentialsProvider = null;
+		}
+		return numberOfAttempts;
+	}
+
+	/**
+	 * Tells this {@link SecurityCallback} that an attempt to load something
+	 * from the key store has been made.
+	 *
+	 * @param error
+	 *            an {@link Exception} that may have occurred, or {@code null}
+	 *            on success
+	 * @return whether to try once more
+	 * @throws IOException
+	 *             on errors
+	 * @throws GeneralSecurityException
+	 *             on errors
+	 */
+	public boolean passwordTried(Exception error)
+			throws IOException, GeneralSecurityException {
+		if (attempts > 0 && passwordProvider != null) {
+			return passwordProvider.keyLoaded(uri, attempts, error);
+		}
+		return true;
+	}
+
+	@Override
+	public void handle(Callback[] callbacks)
+			throws IOException, UnsupportedCallbackException {
+		if (callbacks.length == 1 && callbacks[0] instanceof PasswordCallback
+				&& passwordProvider != null) {
+			PasswordCallback p = (PasswordCallback) callbacks[0];
+			char[] password = passwordProvider.getPassphrase(uri, attempts++);
+			if (password == null || password.length == 0) {
+				throw new AuthenticationCanceledException();
+			}
+			p.setPassword(password);
+			Arrays.fill(password, '\0');
+		} else {
+			handleGeneral(callbacks);
+		}
+	}
+
+	private void handleGeneral(Callback[] callbacks)
+			throws UnsupportedCallbackException {
+		List<CredentialItem> items = new ArrayList<>();
+		List<Runnable> updaters = new ArrayList<>();
+		for (int i = 0; i < callbacks.length; i++) {
+			Callback c = callbacks[i];
+			if (c instanceof TextOutputCallback) {
+				TextOutputCallback t = (TextOutputCallback) c;
+				String msg = getText(t.getMessageType(), t.getMessage());
+				if (credentialsProvider == null) {
+					LOG.warn("{}", format(SshdText.get().pkcs11GeneralMessage, //$NON-NLS-1$
+							uri, msg));
+				} else {
+					CredentialItem.InformationalMessage item =
+							new CredentialItem.InformationalMessage(msg);
+					items.add(item);
+				}
+			} else if (c instanceof TextInputCallback) {
+				if (credentialsProvider == null) {
+					throw new UnsupportedOperationException(
+							"No CredentialsProvider " + uri); //$NON-NLS-1$
+				}
+				TextInputCallback t = (TextInputCallback) c;
+				CredentialItem.StringType item = new CredentialItem.StringType(
+						t.getPrompt(), false);
+				String defaultValue = t.getDefaultText();
+				if (defaultValue != null) {
+					item.setValue(defaultValue);
+				}
+				items.add(item);
+				updaters.add(() -> t.setText(item.getValue()));
+			} else if (c instanceof PasswordCallback) {
+				if (credentialsProvider == null) {
+					throw new UnsupportedOperationException(
+							"No CredentialsProvider " + uri); //$NON-NLS-1$
+				}
+				// It appears that this is actually the only callback item we
+				// get from the KeyStore when it asks for the PIN.
+				PasswordCallback p = (PasswordCallback) c;
+				CredentialItem.Password item = new CredentialItem.Password(
+						p.getPrompt());
+				items.add(item);
+				updaters.add(() -> {
+					char[] password = item.getValue();
+					if (password == null || password.length == 0) {
+						throw new AuthenticationCanceledException();
+					}
+					p.setPassword(password);
+					item.clear();
+				});
+			} else if (c instanceof ConfirmationCallback) {
+				if (credentialsProvider == null) {
+					throw new UnsupportedOperationException(
+							"No CredentialsProvider " + uri); //$NON-NLS-1$
+				}
+				// JGit has only limited support for this
+				ConfirmationCallback conf = (ConfirmationCallback) c;
+				int options = conf.getOptionType();
+				int defaultOption = conf.getDefaultOption();
+				CredentialItem.YesNoType item = new CredentialItem.YesNoType(
+						getText(conf.getMessageType(), conf.getPrompt()));
+				switch (options) {
+				case ConfirmationCallback.YES_NO_OPTION:
+					if (defaultOption == ConfirmationCallback.YES) {
+						item.setValue(true);
+					}
+					updaters.add(() -> conf.setSelectedIndex(
+							item.getValue() ? ConfirmationCallback.YES
+									: ConfirmationCallback.NO));
+					break;
+				case ConfirmationCallback.OK_CANCEL_OPTION:
+					if (defaultOption == ConfirmationCallback.OK) {
+						item.setValue(true);
+					}
+					updaters.add(() -> conf.setSelectedIndex(
+							item.getValue() ? ConfirmationCallback.OK
+									: ConfirmationCallback.CANCEL));
+					break;
+				default:
+					throw new UnsupportedCallbackException(c);
+				}
+				items.add(item);
+			} else if (c instanceof ChoiceCallback) {
+				// TODO: implement? Information for the prompt, and individual
+				// YesNoItems for the choices? Might be better to hoist JGit
+				// onto the CallbackHandler interface directly, or add support
+				// for choices.
+				throw new UnsupportedCallbackException(c);
+			} else if (c instanceof LanguageCallback) {
+				((LanguageCallback) c).setLocale(Locale.getDefault());
+			} else {
+				throw new UnsupportedCallbackException(c);
+			}
+		}
+		if (!items.isEmpty()) {
+			if (credentialsProvider.get(uri, items)) {
+				updaters.forEach(Runnable::run);
+			} else {
+				throw new AuthenticationCanceledException();
+			}
+		}
+	}
+
+	private String getText(int messageType, String text) {
+		if (messageType == TextOutputCallback.WARNING) {
+			return format(SshdText.get().pkcs11Warning, text);
+		} else if (messageType == TextOutputCallback.ERROR) {
+			return format(SshdText.get().pkcs11Error, text);
+		}
+		return text;
+	}
+}
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
index a99847a..35c9be0 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
@@ -210,11 +210,12 @@ public SshdSession getSession(URIish uri,
 						home, sshDir);
 				KeyIdentityProvider defaultKeysProvider = toKeyIdentityProvider(
 						getDefaultKeys(sshDir));
+				Supplier<KeyPasswordProvider> keyPasswordProvider = () -> createKeyPasswordProvider(
+						credentialsProvider);
 				SshClient client = ClientBuilder.builder()
 						.factory(JGitSshClient::new)
 						.filePasswordProvider(createFilePasswordProvider(
-								() -> createKeyPasswordProvider(
-										credentialsProvider)))
+								keyPasswordProvider))
 						.hostConfigEntryResolver(configFile)
 						.serverKeyVerifier(new JGitServerKeyVerifier(
 								getServerKeyDatabase(home, sshDir)))
@@ -236,6 +237,7 @@ public SshdSession getSession(URIish uri,
 				jgitClient.setKeyCache(getKeyCache());
 				jgitClient.setCredentialsProvider(credentialsProvider);
 				jgitClient.setProxyDatabase(proxies);
+				jgitClient.setKeyPasswordProviderFactory(keyPasswordProvider);
 				String defaultAuths = getDefaultPreferredAuthentications();
 				if (defaultAuths != null) {
 					jgitClient.setAttribute(
@@ -386,7 +388,7 @@ protected File getSshConfig(@NonNull File sshDir) {
 	}
 
 	/**
-	 * Obtains a {@link SshConfigStore}, or {@code null} if not SSH config is to
+	 * Obtains a {@link SshConfigStore}, or {@code null} if no SSH config is to
 	 * be used. The default implementation returns {@code null} if
 	 * {@code configFile == null} and otherwise an OpenSSH-compatible store
 	 * reading host entries from the given file.
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/SshConstants.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/SshConstants.java
index be0c296..41dbdca 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/SshConstants.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/SshConstants.java
@@ -125,6 +125,25 @@ private SshConstants() {
 	/** Key in an ssh config file. */
 	public static final String NUMBER_OF_PASSWORD_PROMPTS = "NumberOfPasswordPrompts";
 
+	/**
+	 * Path to a shared library of a PKCS11 key provider, or "none".
+	 * <p>
+	 * If set and not "none", the provider's keys should be used.
+	 * </p>
+	 *
+	 * @since 6.7
+	 */
+	public static final String PKCS11_PROVIDER = "PKCS11Provider";
+
+	/**
+	 * Non-standard JGit addition: specify the PKCS#11 slot list index of the
+	 * token to use. A positive number; defaults to zero; ignored if negative
+	 * (in which case zero is used, too).
+	 *
+	 * @since 6.7
+	 */
+	public static final String PKCS11_SLOT_LIST_INDEX = "PKCS11SlotListIndex";
+
 	/** Key in an ssh config file. */
 	public static final String PORT = "Port";