Hi,

Adding an additional dependency for PKCS#11 was correctly rejected in the past. There is no reason to introduce a new dependency to a project; you should probably align with the current method of PKCS#11 support in openssh.

If you would like to introduce PKCS#11 support via p11-kit, a patch adding such support to the existing PKCS#11 implementation (aka client) and, after acceptance, extending it to other use cases would probably be cleaner.

I believe it will be a better idea to support ssh-agent key delegation at the server side to allow using external keys as a pattern instead of adding more code into the daemon. I actually would have removed any PK cryptography from both ssh and sshd and delegated all of it to THE/A agent, reducing the complexity and duplication of code between the main processes (or library) and the agent, probably running it as a child if not available to maintain current behavior.

Please also note that recently the PKCS#11 processing was moved to yet another process to isolate the main processing from the 3rd party PKCS#11 library, so I am unsure that the approach of patching sshd to directly call 3rd party libraries will be accepted.

Regards,
Alon Bar-Lev

On Mon, Sep 23, 2024 at 10:36 AM Maxime Rey <maximejeanrey@xxxxxxxxx> wrote:
> Hello,
>
> OpenSSH supports PKCS#11 on the client side, but that does not extend to
> the server side. I would like to bring PKCS#11 support to sshd.
>
> I am working on embedded Linux systems with integrated HSM. The sshd
> host key is stored on the HSM. To have sshd using that key, we rely on
> the following chain:
>
> sshd -> OpenSSL -> OpenSSL Engine -> HSM
>
> Having PKCS#11 support in sshd would reduce it to:
>
> sshd -> PKCS#11 Library -> HSM
>
> This patch extends sshd so that HostKeys can also be PKCS#11 URIs, as
> defined by RFC 7512[1]. Those URIs are parsed using p11-kit[2], which
> is added as an optional dependency to OpenSSH. If that is a
> show-stopper, URIs could also be parsed directly in OpenSSH, but that
> would involve lengthy parsing functions. One can then have a
> configuration that looks like:
>
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey pkcs11:object=ssh_host_rsa_key?module-path=/usr/lib/my-pkcs11.so
>
> The rest of the patch relies on the existing infrastructure for dealing
> with PKCS#11 that is already used in the client, ssh-agent and so on.
> Follow-up could extend sshd PKCS#11 support to the Diffie-Hellman key
> exchange and random number generation.
>
> Any feedback is welcome :)
>
> Thank you for your time and consideration.
>
> Best regards,
> Maxime Rey
>
> [1]: https://www.rfc-editor.org/rfc/rfc7512.html
> [2]: https://p11-glue.github.io/p11-glue/p11-kit.html
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
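The quoted proposal parses RFC 7512 PKCS#11 URIs with p11-kit and notes that doing it inside OpenSSH "would involve lengthy parsing functions". As an added illustration of what such a parser has to get right (this is example code written for this page, not code from the patch, from OpenSSH or from p11-kit), the block below parses a URI into its path attributes (separated by ';') and query attributes (separated by '&'), percent-decodes values, and rejects the cases a host-key loader should not accept silently: a truncated or non-hex escape, a standard attribute placed in the wrong component (for example module-path in the path part, where the RFC does not define it), and a repeated attribute. The struct names, the attribute limit of 16 and the 256-byte value buffer are assumptions of this example; the sample URI is the one from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define P11_MAX_ATTRS 16          /* assumption of this example, not from RFC 7512 */

struct p11_attr { char name[32]; char value[256]; size_t value_len; int is_query; };
struct p11_uri  { struct p11_attr attrs[P11_MAX_ATTRS]; size_t n; };

/* Standard attribute names from the RFC 7512 grammar, by component. */
static const char *const path_names[] = { "token", "manufacturer", "serial", "model",
    "library-manufacturer", "library-version", "library-description", "object", "type",
    "id", "slot-manufacturer", "slot-description", "slot-id", NULL };
static const char *const query_names[] = { "pin-source", "pin-value", "module-name",
    "module-path", NULL };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..src_len) into dst; returns decoded length or -1 on a
 * truncated/non-hex escape or overflow. Decoded bytes may be binary (e.g. id=%01%02),
 * so the caller keeps the length rather than trusting the NUL terminator. */
static int pct_decode(const char *src, size_t src_len, char *dst, size_t dst_len) {
    size_t o = 0;
    for (size_t i = 0; i < src_len; i++) {
        if (o + 1 >= dst_len) return -1;
        if (src[i] == '%') {
            if (i + 2 >= src_len) return -1;            /* "%2" at end of value */
            int h = hexval(src[i + 1]), l = hexval(src[i + 2]);
            if (h < 0 || l < 0) return -1;
            dst[o++] = (char)(h * 16 + l);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

static int in_list(const char *const *list, const char *name) {
    for (; *list; list++) if (strcmp(*list, name) == 0) return 1;
    return 0;
}

/* Returns the decoded value of a named attribute, or NULL if absent. */
const char *p11_uri_get(const struct p11_uri *u, const char *name) {
    for (size_t i = 0; i < u->n; i++)
        if (strcmp(u->attrs[i].name, name) == 0) return u->attrs[i].value;
    return NULL;
}

/* Parse one component: "name=value" pairs separated by ';' (path) or '&' (query). */
static int parse_segment(const char *s, size_t len, int is_query, struct p11_uri *u) {
    char sep = is_query ? '&' : ';';
    const char *p = s, *end = s + len;
    while (p < end) {
        const char *q = memchr(p, sep, (size_t)(end - p));
        if (!q) q = end;
        const char *eq = memchr(p, '=', (size_t)(q - p));
        if (!eq || eq == p) return -1;                  /* empty name or no '=' */
        if (u->n >= P11_MAX_ATTRS) return -1;
        struct p11_attr *a = &u->attrs[u->n];
        size_t nlen = (size_t)(eq - p);
        if (nlen >= sizeof a->name) return -1;
        memcpy(a->name, p, nlen);
        a->name[nlen] = '\0';
        /* A standard attribute in the wrong component is a malformed URI, not a no-op. */
        if (is_query ? in_list(path_names, a->name) : in_list(query_names, a->name)) return -1;
        if (p11_uri_get(u, a->name) != NULL) return -1;  /* duplicate attribute */
        int vlen = pct_decode(eq + 1, (size_t)(q - (eq + 1)), a->value, sizeof a->value);
        if (vlen < 0) return -1;
        a->value_len = (size_t)vlen;
        a->is_query = is_query;
        u->n++;
        p = (q == end) ? end : q + 1;
    }
    return 0;
}

/* Parse "pkcs11:" path [ "?" query ]; returns 0 on success, -1 on any malformed input. */
int p11_uri_parse(const char *uri, struct p11_uri *u) {
    memset(u, 0, sizeof *u);
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *path = uri + 7;
    const char *qmark = strchr(path, '?');
    size_t plen = qmark ? (size_t)(qmark - path) : strlen(path);
    if (parse_segment(path, plen, 0, u) < 0) return -1;
    if (qmark && parse_segment(qmark + 1, strlen(qmark + 1), 1, u) < 0) return -1;
    return 0;
}

int main(void) {
    /* Sample input: the HostKey URI quoted in the thread. */
    const char *uri = "pkcs11:object=ssh_host_rsa_key?module-path=/usr/lib/my-pkcs11.so";
    struct p11_uri u;
    if (p11_uri_parse(uri, &u) < 0) { fprintf(stderr, "malformed PKCS#11 URI\n"); return 1; }
    for (size_t i = 0; i < u.n; i++)
        printf("%s %s = %s\n", u.attrs[i].is_query ? "query" : "path ", u.attrs[i].name, u.attrs[i].value);
    return 0;
}
```

The point of the component check is that a loader which looked up module-path by name alone would accept pkcs11:module-path=/x and then load a module from a location the URI grammar never defined; rejecting the URI up front keeps the behaviour identical to what a strict library parser would do, and the caller can still treat an absent module-path as "use the configured default module".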