On Mon, Nov 21, 2016 at 09:05:23AM +0100, Jakub Jelen wrote:
> On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> > Some HSMs such as Safenet Network HSM do not allow searching for keys
> > unauthenticated. To support such devices provide a mechanism for users
> > to provide a pin code that is always used to automatically log in to
> > the HSM when using PKCS11.
> >
> > The pin code is read from a file specified by the environment variable
> > SSH_PKCS11_PINFILE if it is set.
> Don't we have PKCS#11 URI [1] to handle this? Without re-inventing wheel
> again? Wider implementation would solve also other pains in PKCS#11 waters in
> OpenSSH (choosing single key from a card -- alternative to IdentityFile,
> using p11kit, ...), though it would need some work to implement in OpenSSH,
> but as I can observe, PKCS#11 is not a biggest priority. Though I am having
> a look into that.

I think PKCS#11 URI support would be an excellent way to do it and being
able to choose the key would be a definite improvement. I am not sure how
much effort it would take but in principle I think it would be the cleanest
way to solve the issues.
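
Added example, not part of the message above and not OpenSSH code: a minimal parser for the PKCS#11 URI scheme (RFC 7512) discussed in the thread, showing how one URI can both select a single key (`object`, `id`) and name a PIN file (`pin-source`). Assumptions made here: vendor-specific attributes are rejected, `pin-source` is handled only as a file path or `file:` URI, and the 0600 permission check is a policy chosen for this example rather than something the RFC requires.

```python
import os
import stat
from urllib.parse import unquote, unquote_to_bytes

# Attribute names from RFC 7512. Vendor-specific attributes are rejected here,
# which is stricter than the RFC (a simplification made for this example).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path_attrs, query_attrs) dictionaries."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    path_attrs, query_attrs = {}, {}
    for part, delim, allowed, dest in ((path, ";", PATH_ATTRS, path_attrs),
                                       (query, "&", QUERY_ATTRS, query_attrs)):
        for item in filter(None, part.split(delim)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed or name in dest:
                raise ValueError("unknown, malformed or duplicate attribute: %r" % name)
            # "id" is the binary CKA_ID; every other value is UTF-8 text.
            dest[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return path_attrs, query_attrs


def read_pin(query_attrs):
    """Return the PIN named by pin-source, or None if the URI carries none."""
    source = query_attrs.get("pin-source")
    if source is None:
        return None
    path = source[len("file:"):] if source.startswith("file:") else source
    with open(path, encoding="utf-8") as fh:
        # Check the opened descriptor, not the path, to avoid a stat/open race.
        mode = os.fstat(fh.fileno()).st_mode
        if not stat.S_ISREG(mode) or mode & 0o077:
            raise PermissionError("PIN file must be a regular file, mode 0600 or stricter")
        return fh.readline().rstrip("\r\n")


if __name__ == "__main__":
    # Constructed URI: selects one private key on a token by label.
    print(parse_pkcs11_uri("pkcs11:token=My%20HSM;object=ssh-key;type=private"))
```
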