Hi,

Sorry for being slow on these - once I've cleared some of my backlog and done the requisite remedial PKCS#11 education then I'll try to take a look at them.

-d

On Mon, 26 Feb 2018, Jakub Jelen wrote:

> Hello everyone,
>
> as you could have noticed over the years, there are several bugs for
> PKCS#11 improvement and integration which are slipping under the radar
> for several releases, but the most painful ones are constantly updated
> by the community to build, work and make our lives better.
>
> I wrote some of the patches, provided feedback to others, or offered
> other help here on the mailing list, but did not get much
> feedback; none of the patches (excluding some one-liners) are
> incorporated, and usually they are not even reviewed or considered.
>
> I believe using PKCS#11 as a store for private keys is a good practice
> and making OpenSSH work with it is a must. So again, I am offering my help
> in this area, not limited to the following bugs (ordered by
> complexity and priority):
>
> Bug 2430 - ssh-keygen should allow to login before reading public key
> from smart card
> Bug 2652 - PKCS11 login skipped if login required and no pin set
> Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> private objects
> Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> Bug 2472 - Add support to load additional certificates
> Bug 2075 - [PATCH] Enable key pair generation on a PCKS#11 device
>
> Namely, the #2638 one will be a big problem after the release of OpenSC
> 0.18.0 [1], which no longer allows the workflow OpenSSH is using.
>
> Also in #2817, there is a resurrection of the soft-pkcs11 module in
> the regress testsuite, which can later be extended to verify other use
> cases as well.
>
> [1] https://github.com/OpenSC/OpenSC/pull/1256
>
> Thanks,
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev