On Mon, 2017-04-24 at 14:26 +0200, Jakub Jelen wrote:
> Hello all,
> as PKCS#11 URI became standard (RFC 7512), it would be good to be able
> to specify the keys using this notation in openssh.
>
> So far I implemented the minimal subset of this standard allowing to
> specify the URI for the ssh tool, in ssh_config and to work with
> ssh-agent. It does not bring any new dependency, provides unit and
> regress tests (while fixing the agent-pkcs11 regress test).
>
> The code is on github and ready for comments/reviews (some details will
> need to be adjusted):
>
> https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11
>
> I will file a bugzilla later. I would be grateful for your ideas,
> comments or reviews for this feature.
>
> Other useful parts of the RFC that could be implemented would be a way
> to provide a PIN or a PIN source for the token, and other ways of
> providing module-path (module-name).

The above commit-set was updated with resolved issues reported by other
users and made compatible with OpenSSL 1.1.0 to be able to build on my
current machine.

At this time, it is probably the only way we can instruct OpenSSH to use
only a specific key from the PKCS#11 module instead of sending all the
keys to the server (most of the government or identity cards have
multiple keys).

Feel free to comment or propose improvements. It also opens a way for
more improvements in the PKCS#11 support, which I am willing to help
with too, if there would be interest (ECDSA #2474).

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
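The message above relies on the RFC 7512 notation to name one key on a token rather than offering every key the module exposes. The following is an added example, not code from the post or from OpenSSH's PKCS#11 support, showing the two halves of that notation: a minimal parser for `pkcs11:` URIs (path attributes separated by `;`, query attributes after `?` separated by `&`, values percent-decoded so binary `id=` values such as `%01` survive) and a matcher that treats the path attributes as a filter over a key's attributes, so a URI naming only `id=%01` selects exactly that object and leaves the others on the card unused. All struct and function names, the sample module path and the sample key attributes are this example's own constructions, not OpenSSH's.

```c
#include <stdio.h>
#include <string.h>

/* Added example: minimal RFC 7512 PKCS#11 URI parser and key matcher.
 * Not OpenSSH code; every name below is this example's own. */
#define MAX_ATTRS 16
#define MAX_NAME  32
#define MAX_VALUE 256

struct pkcs11_attr {
    char name[MAX_NAME];
    char value[MAX_VALUE];  /* percent-decoded, NUL-terminated for convenience */
    size_t vlen;            /* decoded length; id= values may contain NUL bytes */
};

struct pkcs11_uri {
    struct pkcs11_attr path[MAX_ATTRS];  size_t npath;   /* ';'-separated: which object */
    struct pkcs11_attr query[MAX_ATTRS]; size_t nquery;  /* '&'-separated: how to reach it */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from src[0..len) into dst; returns decoded length, -1 on bad escape/overflow. */
static int pct_decode(const char *src, size_t len, char *dst, size_t dstlen)
{
    size_t i, o = 0;
    for (i = 0; i < len; i++) {
        if (o + 1 >= dstlen) return -1;
        if (src[i] == '%') {
            int hi, lo;
            if (i + 2 >= len || (hi = hexval(src[i + 1])) < 0 || (lo = hexval(src[i + 2])) < 0)
                return -1;
            dst[o++] = (char)((hi << 4) | lo);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Split "name=value<sep>name=value" into attrs; 0 on success, -1 on syntax error. */
static int parse_attrs(const char *s, size_t len, char sep, struct pkcs11_attr *out, size_t *n)
{
    size_t start = 0;
    *n = 0;
    if (len == 0) return 0;
    while (start <= len) {
        const char *seg = s + start;
        const char *end = memchr(seg, sep, len - start);
        size_t seglen = end ? (size_t)(end - seg) : len - start;
        const char *eq = memchr(seg, '=', seglen);
        size_t nlen;
        int vl;
        if (eq == NULL || *n >= MAX_ATTRS) return -1;
        nlen = (size_t)(eq - seg);
        if (nlen == 0 || nlen >= MAX_NAME) return -1;
        memcpy(out[*n].name, seg, nlen);
        out[*n].name[nlen] = '\0';
        vl = pct_decode(eq + 1, seglen - nlen - 1, out[*n].value, MAX_VALUE);
        if (vl < 0) return -1;
        out[*n].vlen = (size_t)vl;
        (*n)++;
        if (end == NULL) break;
        start += seglen + 1;  /* a trailing separator yields an empty segment -> error above */
    }
    return 0;
}

/* Parse "pkcs11:<path>?<query>"; 0 on success, -1 on error. */
int pkcs11_uri_parse(const char *uri, struct pkcs11_uri *u)
{
    const char *p, *q;
    memset(u, 0, sizeof(*u));
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    p = uri + 7;
    q = strchr(p, '?');
    if (parse_attrs(p, q ? (size_t)(q - p) : strlen(p), ';', u->path, &u->npath) < 0) return -1;
    if (q && parse_attrs(q + 1, strlen(q + 1), '&', u->query, &u->nquery) < 0) return -1;
    return 0;
}

/* Look up an attribute by name, path first then query; NULL when absent. */
const struct pkcs11_attr *pkcs11_uri_get(const struct pkcs11_uri *u, const char *name)
{
    size_t i;
    for (i = 0; i < u->npath; i++)
        if (strcmp(u->path[i].name, name) == 0) return &u->path[i];
    for (i = 0; i < u->nquery; i++)
        if (strcmp(u->query[i].name, name) == 0) return &u->query[i];
    return NULL;
}

/* Fill one attribute of a (constructed) key description. */
void attr_set(struct pkcs11_attr *a, const char *name, const char *value, size_t vlen)
{
    strncpy(a->name, name, MAX_NAME - 1); a->name[MAX_NAME - 1] = '\0';
    memcpy(a->value, value, vlen); a->value[vlen] = '\0'; a->vlen = vlen;
}

/* RFC 7512 matching: every path attribute in the URI must equal the key's attribute
 * byte-for-byte; attributes the URI does not mention impose no restriction. */
int pkcs11_uri_matches(const struct pkcs11_uri *u, const struct pkcs11_attr *key, size_t nkey)
{
    size_t i, j;
    for (i = 0; i < u->npath; i++) {
        int found = 0;
        for (j = 0; j < nkey; j++) {
            if (strcmp(u->path[i].name, key[j].name) != 0) continue;
            found = 1;
            if (u->path[i].vlen != key[j].vlen || memcmp(u->path[i].value, key[j].value, key[j].vlen) != 0)
                return 0;
        }
        if (!found) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: two keys on one (fictional) card, a URI that names only the first. */
    struct pkcs11_attr auth[2], sign[2];
    struct pkcs11_uri u;
    attr_set(&auth[0], "object", "PIV AUTH key", 12); attr_set(&auth[1], "id", "\x01", 1);
    attr_set(&sign[0], "object", "PIV SIGN key", 12); attr_set(&sign[1], "id", "\x02", 1);
    if (pkcs11_uri_parse("pkcs11:id=%01?module-path=/usr/lib/libexample-p11.so", &u) < 0)
        return 1;
    printf("auth key selected: %d\n", pkcs11_uri_matches(&u, auth, 2));  /* 1 */
    printf("sign key selected: %d\n", pkcs11_uri_matches(&u, sign, 2));  /* 0 */
    return 0;
}
```

The design point to notice is the split between path and query: path attributes (`token`, `object`, `id`, and so on) are the selector that restricts which key ssh offers, while query attributes (`module-path`, and the `pin-value`/`pin-source` the message mentions as future work) describe how to load and unlock the module and never take part in matching. Percent-decoding into a length-tagged buffer rather than a C string matters because CKA_ID values are arbitrary bytes, so `id=%00%01` must compare as two bytes, not as an empty string.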