Engine keys are private key files which are only understood by openssl
external engines. The problem is they can't be loaded with the usual
openssl methods; they have to be loaded via ENGINE_load_private_key().
Because they're files, they fit well into the openssh pub/private file
structure, so they're not very appropriately handled by the pkcs11
interface because it assumes the private keys are already present in
some token (so there's no way to pass in a file name).

The candidate I have for this is openssh private keys based in the
trusted platform module (either tpm 1.2 or tpm 2.0 ... we have engines
for both). This is an example of my tpm2 based private/public ssh-key:

jejb@jarvis:~> ssh-add -o tpm2 /home/jejb/.ssh/id_rsa
Enter engine key passphrase:
jejb@jarvis:~> ssh-add -l
2048 SHA256:ZAv7jrI2bB2VBgk5jHA1g/fe4rVX1GqyCdPwF0ELU9k jejb@mulgrave (RSA)
jejb@jarvis:~> cat .ssh/id_rsa
-----BEGIN TSS2 KEY BLOB-----
MIICAAYFZ4EFCgKgAwEBAKEHAgUAgQAAAaKCARwEggEYARYAAQALAAIEQAAAABAA
EAgAAAAAAAEAp0rC+B6BvAl6ySgNggwBSYvkcvBFGIC5bs1/s0NtYkoZ5QnpafHY
7qHvqvvell9lRk58UDyRgGFFzSFvq0/YN4PJoG4ywMWHnOABzoIq/y5RAQgER6OE
lrnvS9on9J5epy7tT7nQkCCjO+Oz3849UeFX1m6DFOJuir5GhYD968CZGfemjRyO
LLEQ4dxF75Q/74seg2cdE+1BA6Q94nHOmcgNpJsprRgoNfpwFkU1iJrJ8oURUyCb
1cPsS+4kehgaCCTQ/Nkqcz9d2feaMLi5ukBj1qMOV4KdxS4KIfins1O6l2Yde1oe
QDUW4AjWSQ3OHwwYVzvqDWZmlPG3NAFvEQSByADGACDZDFvuD6MUiE9vmkRZ2wYt
kZVJPBp817eKWmDnkII71QAQ5oxhXbJERo+p5KeQWlf/CCtxK8NRbK/FKAwg0/Uu
HoSDBT+gQ8S62pLD+qBDyXO4eFj0moxCX+shqlvo34rig2WF+Y/5NNhZg+2COdXt
45b/MO9jUPsXjCDPUm1f1NaVztK45/Wddk4m2lZ9TCDU7MOK140pcB5Ewricw61b
st+nmmUtgIPUxxWc3uMcVATjJP2EWrFnmdRgbKXcVT8olHa+
-----END TSS2 KEY BLOB-----

Where openssl_tpm2_engine is available here:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

---

James Bottomley (2):
  Add support for openssl engine based keys
  engine: add "any" engine mechanism and make it the default

 Makefile.in  |   4 +-
 authfd.c     |  45 +++++++++++++++
 authfd.h     |   7 +++
 ssh-add.c    |  41 +++++++++++--
 ssh-agent.c  |  82 ++++++++++++++++++++++++++
 ssh-engine.c | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ssh-engine.h |  10 ++++
 7 files changed, 367 insertions(+), 7 deletions(-)
 create mode 100644 ssh-engine.c
 create mode 100644 ssh-engine.h

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
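The post shows what an engine key file looks like on disk but not what is inside it, which is the part that matters when deciding how much to trust such a file. The script below is an added example, not code from the OpenSSH patch series or from openssl_tpm2_engine: it uses only the Python standard library, never talks to a TPM, and walks the DER inside the TSS2 KEY BLOB pasted above. The field names it assigns to the tagged elements (type, emptyAuth, parent, pubkey, privkey) are assumed from the engine's key format of the time; the TPM2B_PUBLIC, TPM2B_PRIVATE and TPMA_OBJECT layouts follow TPM 2.0 Library Part 2 (Structures).

```python
"""Walk the ASN.1 DER of the TSS2 KEY BLOB from the post (added example,
not code from OpenSSH or openssl_tpm2_engine; stdlib only, no TPM needed)."""
import base64
import struct

# The blob exactly as pasted in the post (the file ssh-add loads with "-o tpm2").
TSS2_KEY_BLOB_PEM = """\
-----BEGIN TSS2 KEY BLOB-----
MIICAAYFZ4EFCgKgAwEBAKEHAgUAgQAAAaKCARwEggEYARYAAQALAAIEQAAAABAA
EAgAAAAAAAEAp0rC+B6BvAl6ySgNggwBSYvkcvBFGIC5bs1/s0NtYkoZ5QnpafHY
7qHvqvvell9lRk58UDyRgGFFzSFvq0/YN4PJoG4ywMWHnOABzoIq/y5RAQgER6OE
lrnvS9on9J5epy7tT7nQkCCjO+Oz3849UeFX1m6DFOJuir5GhYD968CZGfemjRyO
LLEQ4dxF75Q/74seg2cdE+1BA6Q94nHOmcgNpJsprRgoNfpwFkU1iJrJ8oURUyCb
1cPsS+4kehgaCCTQ/Nkqcz9d2feaMLi5ukBj1qMOV4KdxS4KIfins1O6l2Yde1oe
QDUW4AjWSQ3OHwwYVzvqDWZmlPG3NAFvEQSByADGACDZDFvuD6MUiE9vmkRZ2wYt
kZVJPBp817eKWmDnkII71QAQ5oxhXbJERo+p5KeQWlf/CCtxK8NRbK/FKAwg0/Uu
HoSDBT+gQ8S62pLD+qBDyXO4eFj0moxCX+shqlvo34rig2WF+Y/5NNhZg+2COdXt
45b/MO9jUPsXjCDPUm1f1NaVztK45/Wddk4m2lZ9TCDU7MOK140pcB5Ewricw61b
st+nmmUtgIPUxxWc3uMcVATjJP2EWrFnmdRgbKXcVT8olHa+
-----END TSS2 KEY BLOB-----
"""

# TPMA_OBJECT bits, TPM 2.0 Library Part 2 section 8.3.
TPMA_OBJECT = {"fixedTPM": 1 << 1, "stClear": 1 << 2, "fixedParent": 1 << 4,
               "sensitiveDataOrigin": 1 << 5, "userWithAuth": 1 << 6,
               "adminWithPolicy": 1 << 7, "noDA": 1 << 10,
               "encryptedDuplication": 1 << 11, "restricted": 1 << 16,
               "decrypt": 1 << 17, "sign": 1 << 18}
TPM_ALG_RSA, TPM_ALG_SHA256, TPM_ALG_NULL = 0x0001, 0x000B, 0x0010
# Assumed names for the context-tagged fields of the engine's key format.
FIELD_NAMES = {0: "emptyAuth", 1: "parent", 2: "pubkey", 3: "privkey"}


def pem_to_der(pem, label="TSS2 KEY BLOB"):
    """Strip the PEM armour and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN %s-----" % label or lines[-1] != "-----END %s-----" % label:
        raise ValueError("not a %s PEM block" % label)
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def der_tlv(buf, pos):
    """Return (tag, content, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not expected in this blob")
    if length & 0x80:                       # long form: 0x8n then n length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past the end of the buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Dotted-decimal form of an OBJECT IDENTIFIER's content octets."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_tss2_key_blob(der):
    """Outer SEQUENCE: OID, then [n] EXPLICIT fields, then (here) a bare OCTET STRING."""
    tag, seq, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one top-level SEQUENCE")
    tag, content, pos = der_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first field must be the key type OID")
    key = {"type": decode_oid(content)}
    while pos < len(seq):
        tag, content, pos = der_tlv(seq, pos)
        if tag & 0xE0 == 0xA0:              # context-specific, constructed: [n] EXPLICIT
            inner_tag, inner, inner_end = der_tlv(content, 0)
            if inner_end != len(content):
                raise ValueError("explicit tag wraps more than one element")
            name = FIELD_NAMES[tag & 0x1F]
            if inner_tag == 0x01:           # BOOLEAN
                key[name] = inner != b"\x00"
            elif inner_tag == 0x02:         # INTEGER (TPM handle)
                key[name] = int.from_bytes(inner, "big", signed=True)
            elif inner_tag == 0x04:         # OCTET STRING (TPM2B blob)
                key[name] = inner
            else:
                raise ValueError("unexpected inner tag 0x%02x" % inner_tag)
        elif tag == 0x04:                   # untagged OCTET STRING: the TPM2B_PRIVATE
            key["privkey"] = content
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return key


def parse_tpm2b_public_rsa(buf):
    """Decode the TPM2B_PUBLIC of an unrestricted RSA key (symmetric/scheme NULL)."""
    size, typ, name_alg, attrs, policy_len = struct.unpack_from(">HHHIH", buf, 0)
    if size != len(buf) - 2 or typ != TPM_ALG_RSA:
        raise ValueError("not a well-formed RSA TPM2B_PUBLIC")
    off = 12 + policy_len
    sym, scheme, key_bits = struct.unpack_from(">HHH", buf, off)
    if sym != TPM_ALG_NULL or scheme != TPM_ALG_NULL:
        raise ValueError("restricted-key parameters present; not handled here")
    exponent, mod_len = struct.unpack_from(">IH", buf, off + 6)
    modulus = buf[off + 12:off + 12 + mod_len]
    if off + 12 + mod_len != len(buf) or len(modulus) * 8 != key_bits:
        raise ValueError("modulus length disagrees with keyBits")
    return {"type": typ, "nameAlg": name_alg, "attributes": attrs,
            "flags": [n for n, bit in TPMA_OBJECT.items() if attrs & bit],
            "keyBits": key_bits, "exponent": exponent or 65537,  # 0 = TPM default
            "modulus": modulus}


def tpm2b_private_parts(buf):
    """(declared size, outer integrity HMAC length) of a TPM2B_PRIVATE."""
    size, integrity_len = struct.unpack_from(">HH", buf, 0)
    if size != len(buf) - 2:
        raise ValueError("TPM2B_PRIVATE size field does not match the octet string")
    return size, integrity_len


if __name__ == "__main__":
    key = parse_tss2_key_blob(pem_to_der(TSS2_KEY_BLOB_PEM))
    pub = parse_tpm2b_public_rsa(key["pubkey"])
    print("type OID   :", key["type"])
    print("emptyAuth  :", key["emptyAuth"], "(False: engine asks for a passphrase)")
    print("parent     : 0x%08x" % key["parent"])
    print("public     : RSA-%d nameAlg 0x%04x %s" % (pub["keyBits"], pub["nameAlg"], pub["flags"]))
    print("private    : %d-byte TPM2B_PRIVATE, %d-byte integrity HMAC" % tpm2b_private_parts(key["privkey"]))
```

On the blob from the post this reports type OID 2.23.133.10.2, emptyAuth false (which is why ssh-add prompted for an engine key passphrase), parent 0x81000001 (a persistent handle, so the key is wrapped under a storage key resident in that TPM), an RSA-2048 public area with nameAlg SHA-256 and the decrypt, noDA and userWithAuth attributes, and a 198-byte TPM2B_PRIVATE whose first 32 bytes are the outer integrity HMAC. The private half is ciphertext under the parent's seed, so the file on its own gives an attacker the public key and the handle to ask for, not the key; that is the property that makes keeping such keys in ~/.ssh as ordinary files reasonable, and it is also why the agent has to route them through the engine rather than parse them itself.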