On Tue, 2018-02-27 at 13:33 +1100, Damien Miller wrote:
> Hi,
>
> Sorry for being slow on these - once I've cleared some of my backlog
> and done the requisite remedial PKCS#11 education then I'll try to take
> a look at them.

Thank you for the answer. Please let me know if any clarification, more
help, reviews or testing will be needed.

Jakub

>
> -d
>
> On Mon, 26 Feb 2018, Jakub Jelen wrote:
>
> > Hello everyone,
> >
> > as you could have noticed over the years, there are several bugs for
> > PKCS#11 improvement and integration which are slipping under the radar
> > for several releases, but the most painful ones are constantly updated
> > by the community to build, work and make our lives better.
> >
> > I wrote some of the patches, provided feedback to others, or offered
> > other help here on the mailing list, but did not get much feedback;
> > none of the patches (excluding some one-liners) are incorporated, and
> > usually they have not yet even been reviewed or considered.
> >
> > I believe using PKCS#11 as a store for private keys is a good practice
> > and making OpenSSH work with it is a must. So again, I am offering my
> > help in this area, not limited to the following bugs (according to
> > complexity and priority):
> >
> > Bug 2430 - ssh-keygen should allow to login before reading public key
> >            from smart card
> > Bug 2652 - PKCS11 login skipped if login required and no pin set
> > Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> >            private objects
> > Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> > Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> > Bug 2472 - Add support to load additional certificates
> > Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device
> >
> > Namely, the #2638 one will be a big problem after the release of OpenSC
> > 0.18.0 [1], which is no longer allowing the workflow OpenSSH is using.
> >
> > Also in the #2817, there is a resurrection of the soft-pkcs11 module in
> > the regress testsuite, which can be later extended to verify also other
> > use cases.
> >
> > [1] https://github.com/OpenSC/OpenSC/pull/1256
> >
> > Thanks,
> > --
> > Jakub Jelen
> > Software Engineer
> > Security Technologies
> > Red Hat, Inc.
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@xxxxxxxxxxx
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.