Re: [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> Some HSMs such as Safenet Network HSM do not allow searching for keys
> unauthenticated. To support such devices provide a mechanism for users
> to provide a pin code that is always used to automatically log in to
> the HSM when using PKCS11.
>
> The pin code is read from a file specified by the environment variable
> SSH_PKCS11_PINFILE if it is set.

Don't we have PKCS#11 URI [1] to handle this? Without re-inventing the wheel again? A wider implementation would also solve other pains in PKCS#11 waters in OpenSSH (choosing a single key from a card -- an alternative to IdentityFile, using p11kit, ...), though it would need some work to implement in OpenSSH, but as I can observe, PKCS#11 is not the biggest priority. Though I am having a look into that.

[1] https://tools.ietf.org/html/rfc7512

Regards,

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
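
RFC 7512, cited in the reply above, carries the PIN location in the URI itself as the `pin-source` query attribute, kept separate from path attributes such as `token` and `object`. The following parser is an added example, not code from the patch or from OpenSSH; the names `pct_decode` and `p11_uri_attr` are hypothetical and the sample URI and PIN file path are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-decode n bytes of src into dst (NUL-terminated); -1 on bad input. */
static int pct_decode(const char *src, size_t n, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned int c = (unsigned char)src[i];
        if (c == '%') {
            const unsigned char *h = (const unsigned char *)src + i + 1;
            if (n - i < 3 || !isxdigit(h[0]) || !isxdigit(h[1])) return -1;
            sscanf(src + i + 1, "%2x", &c);
            i += 2;
        }
        if (c == 0 || o + 1 >= dstlen) return -1; /* NUL byte or overflow */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Find attribute name in the path (query=0) or query (query=1) component. */
int p11_uri_attr(const char *uri, const char *name, int query, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *p = uri + 7, *q = strchr(p, '?');
    const char *end = (q && !query) ? q : p + strlen(p);
    if (query) p = q ? q + 1 : end; /* no "?" means nothing to scan */
    while (p < end) {
        const char *e = memchr(p, query ? '&' : ';', (size_t)(end - p));
        if (!e) e = end;
        if ((size_t)(e - p) > nlen && !strncmp(p, name, nlen) && p[nlen] == '=')
            return pct_decode(p + nlen + 1, (size_t)(e - p) - nlen - 1, out, outlen);
        p = e + 1;
    }
    return -1;
}

int main(void)
{
    const char *uri = "pkcs11:token=My%20HSM;object=ssh-key?pin-source=file:/etc/ssh/hsm.pin";
    char v[64]; /* uri above is a constructed sample */
    if (p11_uri_attr(uri, "pin-source", 1, v, sizeof v) == 0)
        printf("pin-source: %s\n", v);
    return 0;
}
```

A caller that honours `pin-source` would still need to check the ownership and mode of the referenced file before reading the PIN from it.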


