Hello,

OpenSSH supports PKCS#11 on the client side, but that does not extend to the server side. I would like to bring PKCS#11 support to sshd.

I am working on embedded Linux systems with an integrated HSM. The sshd host key is stored on the HSM. To have sshd use that key, we rely on the following chain:

    sshd -> OpenSSL -> OpenSSL Engine -> HSM

Having PKCS#11 support in sshd would reduce it to:

    sshd -> PKCS#11 Library -> HSM

This patch extends sshd so that HostKeys can also be PKCS#11 URIs, as defined in RFC 7512 [1]. Those URIs are parsed using p11-kit [2], which is added as an optional dependency to OpenSSH. If that is a show-stopper, URIs could also be parsed directly in OpenSSH, but that would involve lengthy parsing functions.

One can then have a configuration that looks like:

    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey pkcs11:object=ssh_host_rsa_key?module-path=/usr/lib/my-pkcs11.so

The rest of the patch relies on the existing infrastructure for dealing with PKCS#11 that is already used in the client, ssh-agent and so on.

A follow-up could extend sshd PKCS#11 support to the Diffie-Hellman key exchange and random number generation.

Any feedback is welcome :)

Thank you for your time and consideration.

Best regards,
Maxime Rey

[1]: https://www.rfc-editor.org/rfc/rfc7512.html
[2]: https://p11-glue.github.io/p11-glue/p11-kit.html
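The HostKey lines above mix a file path with an RFC 7512 URI. The following is an added example (editor's code, not part of the proposal, the patch, p11-kit or OpenSSH) of what a parser for that HostKey syntax has to do: split the URI into its `;`-separated path component and `&`-separated query component, percent-decode values, return `id` as raw bytes, and then apply a policy for sshd use. The policy (object or id required, absolute `module-path` required, `pin-value` refused because sshd_config is typically world-readable) is an assumption of this example, as is the rejection of attribute names outside the RFC's reserved set; RFC 7512 also permits vendor-specific names, which a fuller parser would keep. The sshd_config fragment is constructed: the first two HostKey lines are the ones from the proposal, the third is made up to exercise percent-decoding.

```python
"""Parse PKCS#11 URIs (RFC 7512) as they would appear in sshd_config HostKey lines.

Added example; not code from the proposal, p11-kit or OpenSSH.
"""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names reserved by RFC 7512, by URI component.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


class Pkcs11UriError(ValueError):
    """Raised for a URI this parser refuses."""


def _split_pairs(component, sep, allowed):
    """Split 'name=value<sep>name=value' into a dict of still-encoded values.

    Duplicates are rejected, as are names outside `allowed` (a choice of this
    example; vendor-specific names would need a fuller parser).
    """
    attrs = {}
    if component == "":
        return attrs
    for item in component.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise Pkcs11UriError(f"malformed attribute {item!r}")
        if name not in allowed:
            raise Pkcs11UriError(f"unknown attribute {name!r}")
        if name in attrs:
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        attrs[name] = value
    return attrs


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} with percent-decoded values.

    'id' is returned as bytes (it is the raw CKA_ID), 'slot-id' as an int,
    and 'type' is restricted to the object classes listed in the RFC.
    """
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError("scheme must be 'pkcs11:'")
    body = uri[len("pkcs11:"):]
    path_part, _, query_part = body.partition("?")
    path = _split_pairs(path_part, ";", PATH_ATTRS)
    query = _split_pairs(query_part, "&", QUERY_ATTRS)

    decoded_path = {}
    for name, raw in path.items():
        if name == "id":
            decoded_path[name] = unquote_to_bytes(raw)
        elif name == "slot-id":
            if not raw.isdigit():
                raise Pkcs11UriError("slot-id must be a decimal integer")
            decoded_path[name] = int(raw)
        else:
            value = unquote(raw)
            if name == "type" and value not in OBJECT_TYPES:
                raise Pkcs11UriError(f"unknown object type {value!r}")
            decoded_path[name] = value
    decoded_query = {name: unquote(raw) for name, raw in query.items()}
    return {"path": decoded_path, "query": decoded_query}


def hostkey_source(value):
    """Classify one HostKey value as a file path or a PKCS#11 object.

    Policy (an assumption of this example, not sshd's): a HostKey URI must
    select an object or id, must give an absolute module-path, and must not
    carry pin-value, since sshd_config is typically world-readable.
    """
    if not value.startswith("pkcs11:"):
        return {"kind": "file", "path": value}
    parsed = parse_pkcs11_uri(value)
    if "object" not in parsed["path"] and "id" not in parsed["path"]:
        raise Pkcs11UriError("HostKey URI must select an object or id")
    module = parsed["query"].get("module-path")
    if module is None or not module.startswith("/"):
        raise Pkcs11UriError("HostKey URI needs an absolute module-path")
    if "pin-value" in parsed["query"]:
        raise Pkcs11UriError("pin-value is not allowed in sshd_config")
    return {"kind": "pkcs11", "uri": parsed}


# Constructed sshd_config fragment: lines 1-2 are from the proposal, line 3
# is made up (token name with a space, binary id) to exercise decoding.
SAMPLE_CONFIG = """\
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey pkcs11:object=ssh_host_rsa_key?module-path=/usr/lib/my-pkcs11.so
HostKey pkcs11:token=Embedded%20HSM;id=%01%02;type=private?module-path=/usr/lib/pkcs11/hsm.so
"""


def hostkeys_from_config(text):
    """Return the classified HostKey entries of sshd_config-style text."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "HostKey":
            entries.append(hostkey_source(parts[1]))
    return entries


if __name__ == "__main__":
    for entry in hostkeys_from_config(SAMPLE_CONFIG):
        print(entry)
```

Returning `id` as bytes rather than a string matters in practice: CKA_ID is an opaque byte string on the token, and a parser that leaves it percent-decoded into text will mis-match objects whose ids are not valid UTF-8.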