Re: PKCS#11 URIs in OpenSSH

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Mon, 2017-04-24 at 14:26 +0200, Jakub Jelen wrote:
> Hello all,
> as PKCS#11 URI became standard (RFC 7512), it would be good to be
> able 
> to specify the keys using this notation in openssh.
> 
> So far I implemented the minimal subset of this standard allowing to 
> specify the URI for the ssh tool, in ssh_config and to work with 
> ssh-agent. It does not bring any new dependency, provides unit and 
> regress tests (while fixing agent-pkcs11 regress test).
> 
> The code is on github and ready for comments/reviews (some details
> will 
> need to be adjusted):
> 
> https://github.com/openssh/openssh-portable/compare/master...Jakuje:j
> jelen-pkcs11
> 
> I will fill a bugzilla later. I would be grateful for your ideas, 
> comments or reviews for this feature.
> 
> Other useful parts of RFC, that could be implemented would be a way
> to 
> provide a PIN or a PIN source for the token, other ways of providing 
> module-path (module-name).

The above commit-set was updated with resolved issues reported by other
users and made compatible with OpenSSL 1.1.0 to be able top build on my
current machine.

At this time, it is probably the only way how we can instruct OpenSSH
to use only a specific key from the PKCS#11 module instead of sending
all the keys to the server (most of the government or identity cards
have multiple keys).

Feel free to comment or propose improvements. It also opens a way for
more improvements in the PKCS#11 support, which I am willing to help
too, if there would be interest (ECDSA #2474).

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux