Hello everyone,

As you may have noticed over the years, there are several bugs for PKCS#11 improvement and integration which have been slipping under the radar for several releases, but the most painful ones are constantly updated by the community to build, work and make our lives better. I wrote some of the patches, provided feedback on others, or offered other help here on the mailing list, but did not get much feedback at all; none of the patches (excluding some one-liners) are incorporated, and usually they have not even been reviewed or considered.

I believe using PKCS#11 as a store for private keys is a good practice and making OpenSSH work with it is a must. So again, I am offering my help in this area, not limited to the following bugs (according to complexity and priority):

Bug 2430 - ssh-keygen should allow to login before reading public key from smart card
Bug 2652 - PKCS11 login skipped if login required and no pin set
Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
Bug 2472 - Add support to load additional certificates
Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device

Namely, #2638 will be a big problem after the release of OpenSC 0.18.0 [1], which no longer allows the workflow OpenSSH is using. Also in #2817, there is a resurrection of the soft-pkcs11 module in the regress test suite, which can later be extended to verify other use cases as well.

[1] https://github.com/OpenSC/OpenSC/pull/1256

Thanks,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
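Bug 2817 in the list above concerns PKCS#11 URIs (RFC 7512). The following Python is an added example that is not part of the message, of OpenSSH, or of OpenSC: it parses an RFC 7512 URI (percent-decoding, the path/query split, the binary `id` attribute, the duplicate-attribute rule) and then applies the URI's matching rules to token and object descriptors. The token descriptors, object labels, serial numbers and module path below are constructed for the example; the `TYPE_TO_CLASS` mapping and the space-stripping of token labels are this example's assumptions about how a caller would compare against what `C_GetTokenInfo` and `C_GetAttributeValue` return.

```python
"""RFC 7512 PKCS#11 URI parser and matcher (added example, not project code)."""
from dataclasses import dataclass, field
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 (path attributes select a token/object,
# query attributes tell the consumer which module to load and where the PIN is).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}
# Assumed mapping from the URI 'type' value to the CKA_CLASS name a module reports.
TYPE_TO_CLASS = {"public": "CKO_PUBLIC_KEY", "private": "CKO_PRIVATE_KEY",
                 "cert": "CKO_CERTIFICATE", "secret-key": "CKO_SECRET_KEY",
                 "data": "CKO_DATA"}


@dataclass
class Pkcs11Uri:
    path: dict = field(default_factory=dict)    # token/object selection
    query: dict = field(default_factory=dict)   # module and PIN hints
    vendor: dict = field(default_factory=dict)  # vendor-specific attributes


def _split_attrs(part: str, sep: str) -> dict:
    """Split 'a=b<sep>c=d' into a dict; RFC 7512 forbids repeated attribute names."""
    attrs = {}
    for item in part.split(sep) if part else []:
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = value
    return attrs


def parse_pkcs11_uri(uri: str) -> Pkcs11Uri:
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    # '?' is not a valid path character, so the first one starts the query part.
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    result = Pkcs11Uri()
    for name, raw in _split_attrs(path_part, ";").items():
        if name == "id":
            result.path[name] = unquote_to_bytes(raw)   # CKA_ID is binary
        elif name in PATH_ATTRS:
            result.path[name] = unquote(raw)
        else:
            result.vendor[name] = unquote(raw)
    for name, raw in _split_attrs(query_part, "&").items():
        target = result.query if name in QUERY_ATTRS else result.vendor
        target[name] = unquote(raw)
    if "type" in result.path and result.path["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {result.path['type']!r}")
    if "slot-id" in result.path:
        result.path["slot-id"] = int(result.path["slot-id"])  # decimal per RFC
    return result


def is_valid_pkcs11_uri(uri: str) -> bool:
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False


def token_matches(uri: Pkcs11Uri, token: dict) -> bool:
    """Every token-level attribute present in the URI must equal the token's.
    Labels from C_GetTokenInfo are space-padded, so trailing spaces are stripped."""
    return all(token.get(k, "").rstrip() == uri.path[k]
               for k in ("token", "manufacturer", "serial", "model") if k in uri.path)


def object_matches(uri: Pkcs11Uri, obj: dict) -> bool:
    """obj carries 'label' (CKA_LABEL), 'id' (CKA_ID bytes) and 'class' (CKA_CLASS)."""
    if "object" in uri.path and obj.get("label") != uri.path["object"]:
        return False
    if "id" in uri.path and obj.get("id") != uri.path["id"]:
        return False
    if "type" in uri.path and obj.get("class") != TYPE_TO_CLASS[uri.path["type"]]:
        return False
    return True


def select_objects(uri_str: str, tokens: list) -> list:
    """Return (token label, object label) pairs the URI selects across all tokens."""
    uri = parse_pkcs11_uri(uri_str)
    return [(tok["token"].rstrip(), obj["label"])
            for tok in tokens if token_matches(uri, tok)
            for obj in tok["objects"] if object_matches(uri, obj)]


# Constructed sample data: two tokens that both hold an object labelled "ssh-key".
CONSTRUCTED_TOKENS = [
    {"token": "My Token" + " " * 24, "manufacturer": "ExampleCorp", "serial": "0001",
     "model": "PKCS#15", "objects": [
         {"label": "ssh-key", "id": b"\x01\x02", "class": "CKO_PRIVATE_KEY"},
         {"label": "ssh-key", "id": b"\x01\x02", "class": "CKO_PUBLIC_KEY"},
         {"label": "ssh-key", "id": b"\x01\x02", "class": "CKO_CERTIFICATE"}]},
    {"token": "Other Token", "manufacturer": "ExampleCorp", "serial": "0002",
     "model": "PKCS#15", "objects": [
         {"label": "ssh-key", "id": b"\x01\x02", "class": "CKO_PRIVATE_KEY"}]},
]
EXAMPLE_URI = ("pkcs11:token=My%20Token;object=ssh-key;type=private;id=%01%02"
               "?module-path=/usr/lib64/pkcs11/example-pkcs11.so&pin-source=file:/run/user/1000/pin")

if __name__ == "__main__":
    print(select_objects(EXAMPLE_URI, CONSTRUCTED_TOKENS))
```

Dropping the `token=` attribute (`pkcs11:object=ssh-key;type=private`) makes the same URI select the private key on both constructed tokens, which is the ambiguity an agent has to resolve or refuse. Note also that `pin-value` puts the PIN into the URI itself, so a URI passed on a command line ends up in process listings and shell history; `pin-source` avoids that.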