Re: PKCS#11 ECDSA support

On Mon, 21 Jan 2019, Damien Miller wrote:

> Hi,
> 
> Markus Friedl has added PKCS#11 support for ECDSA keys to OpenSSH. It's
> available in OpenBSD and the portable version and includes a regress
> test against softhsm2.
> 
> https://anongit.mindrot.org/openssh.git/commit/?id=93f02107 (and subsequent)
> 
> I've used it successfully with a Yubikey 4 using RSA2048, ECCP256 and
> ECCP384 keys.

BTW, here is the script that I used to set up the keys in my Yubikey 4.
AFAIK only slot "9a" works for SSH authentication.

If you're gullible enough to take advice on how to configure a token
from me, then you should also at least first reset the PIN/PUK/management
keys from their defaults as described at
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

-d
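#!/bin/sh

# PIV slot that will hold the key (9a is the PIV Authentication slot)
SLOT=9a

# Key algorithm: leave exactly one uncommented
#ALG=RSA2048
#ALG=ECCP256
ALG=ECCP384

# Timestamped PEM file that receives the generated public key
NOW=$(date "+%Y%m%dT%H%M%S")
PUBKEY="$HOME/yubikey-$SLOT-$ALG-$NOW.pem"
SUBJECT="/CN=djm portable y4/"
DAYS=3560

# Trace each command and stop at the first failure
set -xe

# Generate the key pair on the token; the public key is written to $PUBKEY
ykman piv generate-key \
	-a "$ALG" \
	--pin-policy=ONCE \
	--touch-policy=CACHED \
	"$SLOT" "$PUBKEY"
# Create a self-signed certificate for that public key in the same slot
ykman piv generate-certificate -s "$SUBJECT" -d "$DAYS" "$SLOT" "$PUBKEY"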

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
