Yubikey smartcard & challenge mode usable on remote ssh

Thanks for this tip. I know this is probably not particularly on-topic for this thread, but in case someone else (like me) finds this thread from a google search, looking for a way to get ssh-add -s /path/to/opensc-pkcs11.so working with a Yubikey on NixOS, here’s the full description of what I needed to get it to work.

In /etc/nixos/configuration.nix, I needed:

  # I couldn't get this to work with gnupg's ssh-agent emulation, so I'm
  # using OpenSSH's ssh-agent instead.
  programs.gnupg.agent.enableSSHSupport = false;  # (this is the default)
  programs.ssh.startAgent = true;

  # New versions of OpenSSH seem to default to disallowing all `ssh-add -s`
  # calls when no whitelist is provided, so this becomes necessary.
  programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";

  # OpenSC can't read the Yubikey without this running.
  services.pcscd.enable = true;

  # This is to get a stable path for the whitelisted opensc-pkcs11.so file.
  environment.systemPackages = [ ... pkgs.opensc ... ];

And then to load my key into the SSH agent, I run the following (or rather put it in a script in my path):

$ ssh-add -e /run/current-system/sw/lib/opensc-pkcs11.so
$ ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so
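As an added example (not part of the post above), here is a wrapper for the two ssh-add calls that first checks the prerequisites the post describes (provider path in systemPackages, OpenSSH's ssh-agent running, pcscd running) and explains why the `-e` comes before the `-s`. The script name, the `SSH_ADD_BIN`/`PCSCD_SOCK` overrides and the pcscd socket path (pcsc-lite's default) are my assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not from the post): wrapper around `ssh-add -e/-s` with
# checks for the three prerequisites the post's configuration.nix provides.
# Assumed: script name, SSH_ADD_BIN/PCSCD_SOCK overrides, pcscd socket path.
set -eu

# Stable provider path from the post. SSH_ADD_BIN is swappable so the
# logic can be exercised without a token; PCSCD_SOCK is pcsc-lite's default.
PROVIDER="${PROVIDER:-/run/current-system/sw/lib/opensc-pkcs11.so}"
SSH_ADD_BIN="${SSH_ADD_BIN:-ssh-add}"
PCSCD_SOCK="${PCSCD_SOCK:-/run/pcscd/pcscd.comm}"

# Report the usual failure modes instead of a bare "Could not add card".
# Returns 1: provider missing, 2: no agent socket, 3: pcscd not running.
check_prereqs() {
  prov="$1"
  if [ ! -r "$prov" ]; then
    echo "provider not readable: $prov (pkgs.opensc in systemPackages?)" >&2
    return 1
  fi
  if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
    echo "no ssh-agent socket (programs.ssh.startAgent = true?)" >&2
    return 2
  fi
  if [ ! -S "$PCSCD_SOCK" ]; then
    echo "pcscd socket missing (services.pcscd.enable = true?)" >&2
    return 3
  fi
}

# ssh-agent refuses to register the same PKCS#11 provider twice, so drop any
# earlier registration first; `-e` failing because nothing was loaded is fine.
reload_provider() {
  prov="$1"
  "$SSH_ADD_BIN" -e "$prov" >/dev/null 2>&1 || true
  "$SSH_ADD_BIN" -s "$prov"
}

main() {
  check_prereqs "$PROVIDER"
  reload_provider "$PROVIDER"
  # Show the public key(s) the agent now serves from the token.
  "$SSH_ADD_BIN" -L
}

# Only act when invoked as `yubikey-ssh-load load`; sourcing the file or
# running it without arguments just defines the functions.
[ "${1:-}" != "load" ] || main
```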