I am using the following setup: OpenSSL is configured to use libtpm: [openssl_def] engines = engine_section [engine_section] foo = tpm_section [tpm_section] dynamic_path = /usr/local/lib/openssl/engines/libtpm.so engine_id = tpm default_algorithms = ALL #default_algorithms = RAND,RSA init = 1 SSH client is configured to use libsimple-tpm-pk11.so: Host m PKCS11Provider /usr/home/saper/sw/simple-tpm-pk11/.libs/libsimple-tpm-pk11.so GSSAPIAuthentication yes GSSAPIDelegateCredentials yes ForwardAgent yes ForwardX11 no User xxx I am using a vanilla /usr/local/etc/tcsd.conf I start ssh-agent from my .xsession file as eval `/usr/bin/ssh-agent -s` therefore it does not die when I kill my X session. I noticed that tcsd blocks system shutdown (gets killed eventually by the watchdog). Quick look at the source code and open sockets reveals, that ssh-agent maintains a persistent connection to tcsd. The easiest way to reproduce the problem with my config is to start a separate shell with ssh-agent /bin/sh and try to stop tcsd in another terminal: sudo service tcsd stop as long as the shell is running tcsd will not stop. It is enough to exit the shell and after a second or two tcsd will shutdown. The shutdown is immediate if ssh-agent is not running. I think tcsd should be able to notice earlier that it is time to close its sockets and go away.