Tone aside, let me second what Bob said. OpenSSH maintainers seem to be able to find time for many updates and upgrades - but ECC support over PKCS#11 appears to repulse them for more than two years (I don't care to check for exactly how many more). Several patches have been posted, so it's not like a new feature has to be implemented from scratch - I'm at a loss trying to understand what's going on. An explanation would be nice. Merging one of the patches would be even nicer.

Regards,
Uri

Sent from my iPhone

> On Aug 12, 2018, at 17:30, Bob Smith <b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@xxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I was trying to get OpenSSH portable working with my Yubikey. A key was present on the token but generated using the ECCP384 algorithm.
>
> This led to many obscure goose-chase red-herring error messages from OpenSSH such as the delightful "Could not add card : agent refused operation" or other nonsense that was meaningless and unhelpful.
>
> Many hours later in Mr Google's company, I eventually found this website https://fedoramagazine.org/fedora-28-better-smart-card-support-openssh/ , which points to this https://bugzilla.mindrot.org/show_bug.cgi?id=2474 . Which basically says that despite many patches, support for ECC has never been incorporated into OpenSSH PKCS#11.
>
> And indeed this was the underlying cause. I deleted the ECC key, generated an RSA one, and it worked.
>
> So, I have two questions:
>
> (1) Why has this ECC thing been ongoing since 2015 and yet, despite the passage of weeks, months and years, nobody has yet pulled any of the patches into the OpenSSH codebase?
>
> (2) If you don't want ECC in the codebase, which appears to clearly be the case, can you at least generate some more sensible error messages that say "look, we only accept RSA keys, ok chum?". That would save people like me many hours of wasted time caused by your political or other reasons for being stubborn and not including ECC support.
>
> Sorry for the tone of this message, but I've had a rather frustrating waste of a day due to the issues outlined.
>
> Bob
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
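Added example, not part of the thread and not OpenSSH or OpenSC code: the check Bob's day of goose-chasing called for. Before blaming ssh-agent for "agent refused operation", list what key types the token actually exposes through PKCS#11 and flag the ones an RSA-only provider will never load. The listing below is a constructed sample in the OpenSC `pkcs11-tool --list-objects --type pubkey` layout (one RSA key, one EC P-384 key, EC_POINT truncated); the module path in the usage comment is an assumption for your system.

```shell
#!/bin/sh
# Added example (not from the thread): inspect what key types a PKCS#11 token
# exposes before chasing "agent refused operation". Bob's token held an EC P-384
# key; the OpenSSH PKCS#11 provider he used only loaded RSA keys.
#
# Constructed sample of `pkcs11-tool --list-objects --type pubkey` output
# (OpenSC layout) with one RSA key and one EC key; the EC_POINT is truncated.
SAMPLE_LISTING='Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   046104...
  EC_PARAMS:  06052b81040022
  label:      SIGN pubkey
  ID:         02
  Usage:      verify'

# classify_pkcs11_keys: read a pkcs11-tool listing on stdin and print one
# "<ID> <RSA|EC> <bits>" line per public key object.
classify_pkcs11_keys() {
  awk '
    /^Public Key Object;/ {
      type = $4            # fourth field is "RSA" or "EC" in both layouts
      bits = ""
      if (match($0, /[0-9]+ bits/))
        bits = substr($0, RSTART, RLENGTH - 5)   # strip trailing " bits"
    }
    type != "" && $1 == "ID:" {
      print $2, type, bits
      type = ""
    }
  '
}

# unsupported_key_ids: IDs of keys that are not RSA, i.e. the ones an
# RSA-only PKCS#11 provider will skip without a useful error message.
unsupported_key_ids() {
  classify_pkcs11_keys | awk '$2 != "RSA" { print $1 }'
}

# has_usable_rsa_key: exit 0 if at least one RSA key is present, 1 otherwise.
has_usable_rsa_key() {
  classify_pkcs11_keys | awk '$2 == "RSA" { found = 1 } END { exit !found }'
}

# Live usage against a real token (MODULE is an assumed path; adjust it):
#   MODULE=/usr/lib/opensc-pkcs11.so
#   pkcs11-tool --module "$MODULE" --list-objects --type pubkey | unsupported_key_ids
#   ssh-keygen -D "$MODULE"   # shows what OpenSSH itself enumerates from the token
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LISTING" | classify_pkcs11_keys
  echo "keys an RSA-only provider will skip:"
  printf '%s\n' "$SAMPLE_LISTING" | unsupported_key_ids
fi
```

Run it with `--demo` to see the sample classified; for a real token, pipe the live `pkcs11-tool` listing through `unsupported_key_ids` and compare with `ssh-keygen -D`, which only prints the keys OpenSSH's provider managed to load. An ID that shows up in the first list and not in the second is the key the agent is silently refusing.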