+1

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.

Original Message
From: Jakub Jelen
Sent: Monday, November 21, 2016 03:07
To: Juha-Matti Tapio; openssh-unix-dev@xxxxxxxxxxx
Subject: Re: [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> Some HSMs such as Safenet Network HSM do not allow searching for keys
> unauthenticated. To support such devices provide a mechanism for users
> to provide a pin code that is always used to automatically log in to
> the HSM when using PKCS11.
>
> The pin code is read from a file specified by the environment variable
> SSH_PKCS11_PINFILE if it is set.

Don't we have PKCS#11 URI [1] to handle this? Without re-inventing the wheel again?

Wider implementation would solve also other pains in PKCS#11 waters in OpenSSH (choosing single key from a card -- alternative to IdentityFile, using p11kit, ...), though it would need some work to implement in OpenSSH, but as I can observe, PKCS#11 is not the biggest priority. Though I am having a look into that.

[1] https://tools.ietf.org/html/rfc7512

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
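Added example, not part of the thread, the proposed patch or OpenSSH: one way a PIN file named by the SSH_PKCS11_PINFILE variable quoted above could be loaded defensively, refusing symlinks, non-regular files and files readable by anyone but the owner. The helper name `read_pin_file` and the `MAX_PIN_LEN` cap are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_PIN_LEN 255 /* assumed cap for this sketch */

/* Hypothetical helper: copy the first line of `path` into buf.
 * Returns the PIN length, or -1 if the file is unsafe or unusable. */
int read_pin_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t n;
    int fd;

    if (path == NULL || buflen < 2)
        return -1;
    /* O_NOFOLLOW: refuse a symlink at the final path component. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    /* fstat the open descriptor so the checks cover the file we read:
     * regular file, owned by us, no group/other permission bits. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    n = read(fd, buf, buflen - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0'; /* keep the first line only */
    n = (ssize_t)strlen(buf);
    return (n == 0 || n > MAX_PIN_LEN) ? -1 : (int)n;
}

int main(void)
{
    char pin[MAX_PIN_LEN + 2];
    int len = read_pin_file(getenv("SSH_PKCS11_PINFILE"), pin, sizeof(pin));

    puts(len < 0 ? "PIN file rejected" : "PIN file accepted");
    return len < 0;
}
```

A caller that keeps the PIN in memory should wipe the buffer after login with a function the compiler will not optimise away.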