Once engine keys are supported, adding PKCS#11 URI support becomes easy because the libp11 engine already supports them. For openssh, all that has to happen is that openssh must not assume the URI passed in to ssh-add is a file which can be opened. When the transition to openssl providers is done, PKCS#11 will have its own separate provider, but the URI will be the same, so this entire scheme will survive the transition even though the underlying implementation will change slightly.

This is how it works: I've got two tokens set up in p11-kit, which is the PKCS#11 provider on Linux. I can see this by using the gnutls p11tool, which is already p11-kit integrated:

> p11tool --list-token-urls
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=single-key;manufacturer=jejb-rsa-token;serial=14da9bd1140939b7;token=id_rsa_new
pkcs11:model=single-key;manufacturer=jejb-ec-token;serial=23f4c12d1c02c943;token=id_ecdsa

My tokens are single-key tokens, but for multiple-key tokens I'd have to specify the key by id or object inside the token; since I don't, I can do:

> ssh-add 'pkcs11:token=id_rsa_new'
Enter engine key passphrase:
Engine Identity added: pkcs11:token=id_rsa_new

Using the shortest URI that uniquely identifies the key (I've named my tokens to be unique; if you don't, you often get a generic token name and you'd have to use other distinguishing data like the serial). Now ssh-add shows this token added to the agent by URI:

> ssh-add -l
2048 SHA256:6q8CFWO4m3Ky99h+Mp9b6KEBTdobxUZQGzd0Sgxilpg pkcs11:token=id_rsa_new (RSA)

This makes quite a neat way of handling tokens on a modern Linux system without the user having to worry about provider shared objects.
---
James Bottomley (1):
  Support PKCS#11 URI keys via libp11

 ssh-add.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--
2.26.2

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
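The two checks the mail relies on, that an ssh-add argument is a PKCS#11 URI rather than a file path and that the "shortest URI" really does pick out exactly one token, can be illustrated with a small RFC 7512-style matcher. This is an added example, not code from the mail, from openssh or from libp11; the token list is constructed to mirror the p11tool output quoted above, and the function names are my own.

```python
"""Match a PKCS#11 URI (RFC 7512) against the token URIs p11-kit reports.

Added example; not part of the original mail, of openssh or of libp11.
"""
from urllib.parse import unquote

# Constructed sample: the four token URLs that `p11tool --list-token-urls`
# printed in the mail.
TOKEN_URLS = [
    "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust",
    "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust",
    "pkcs11:model=single-key;manufacturer=jejb-rsa-token;serial=14da9bd1140939b7;token=id_rsa_new",
    "pkcs11:model=single-key;manufacturer=jejb-ec-token;serial=23f4c12d1c02c943;token=id_ecdsa",
]


def is_pkcs11_uri(arg: str) -> bool:
    """True when the ssh-add argument is a PKCS#11 URI rather than a file path.
    URI schemes compare case-insensitively (RFC 3986)."""
    return arg[:7].lower() == "pkcs11:"


def parse_pkcs11_uri(uri: str) -> dict:
    """Split the path part of a pkcs11: URI into attributes, percent-decoding
    each value. Query attributes (after '?', e.g. pin-source) are ignored here.
    Raises ValueError on malformed or duplicated attributes."""
    if not is_pkcs11_uri(uri):
        raise ValueError(f"not a PKCS#11 URI: {uri!r}")
    path = uri[7:].split("?", 1)[0]
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        if "=" not in component:
            raise ValueError(f"malformed attribute {component!r}")
        name, value = component.split("=", 1)
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote(value)
    return attrs


def uri_matches(query: dict, token: dict) -> bool:
    """A query matches a token when every attribute the query names has the
    same value in the token; attributes the query omits are wildcards."""
    return all(token.get(k) == v for k, v in query.items())


def select_token(uri: str, token_urls=TOKEN_URLS) -> str:
    """Return the one token URL matched by `uri`; raise LookupError when the
    match is missing or ambiguous. This is the property behind 'the shortest
    URI that uniquely identifies the key' in the mail."""
    query = parse_pkcs11_uri(uri)
    hits = [t for t in token_urls if uri_matches(query, parse_pkcs11_uri(t))]
    if not hits:
        raise LookupError(f"no token matches {uri}")
    if len(hits) > 1:
        raise LookupError(f"{uri} is ambiguous: matches {len(hits)} tokens")
    return hits[0]


if __name__ == "__main__":
    print(select_token("pkcs11:token=id_rsa_new"))
    # Both p11-kit trust tokens share model and serial, so these are ambiguous.
    for ambiguous in ("pkcs11:model=p11-kit-trust", "pkcs11:serial=1"):
        try:
            select_token(ambiguous)
        except LookupError as err:
            print(err)
```

The matcher treats omitted attributes as wildcards, which is why `pkcs11:token=id_rsa_new` selects exactly one of the four tokens while `pkcs11:serial=1` matches both trust tokens and is rejected as ambiguous; in the generic-token-name case the mail mentions, the same check tells you which extra attribute (serial, manufacturer) you need to add.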