Blumenthal, Uri - 0553 - MITLL
2016-Nov-21 14:05 UTC
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
+1

Original Message
From: Jakub Jelen
Sent: Monday, November 21, 2016 03:07
To: Juha-Matti Tapio; openssh-unix-dev at mindrot.org
Subject: Re: [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> Some HSMs such as Safenet Network HSM do not allow searching for keys
> unauthenticated. To support such devices provide a mechanism for users
> to provide a pin code that is always used to automatically log in to
> the HSM when using PKCS11.
>
> The pin code is read from a file specified by the environment variable
> SSH_PKCS11_PINFILE if it is set.

Don't we have PKCS#11 URI [1] to handle this? Without re-inventing the wheel again?

A wider implementation would also solve other pains in PKCS#11 waters in OpenSSH (choosing a single key from a card -- alternative to IdentityFile, using p11kit, ...), though it would need some work to implement in OpenSSH, but as I can observe, PKCS#11 is not the biggest priority. Though I am having a look into that.

[1] https://tools.ietf.org/html/rfc7512

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
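
For readers comparing the two approaches in this thread, here is an added example (not part of the patch, the thread, or OpenSSH) of how an RFC 7512 URI can carry the PIN file location through its pin-source query attribute. The function names, the sample URI and the permission policy are assumptions of this sketch; it handles only file: sources and rejects duplicate attributes as its own strictness choice.

```python
import os
import stat
from urllib.parse import unquote, urlparse

def _attrs(part, sep):
    """Parse 'name=value' pairs; duplicates are rejected (choice of this example)."""
    out = {}
    for item in filter(None, part.split(sep)):
        name, eq, value = item.partition("=")
        if not eq or name in out:
            # Report the name only, so a PIN value never lands in an error message.
            raise ValueError(f"malformed or duplicate attribute: {name!r}")
        # 'id' is binary in RFC 7512, so it is kept percent-encoded here.
        out[name] = value if name == "id" else unquote(value)
    return out

def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into (path attributes, query attributes)."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    path_attrs, query_attrs = _attrs(path, ";"), _attrs(query, "&")
    # RFC 7512 says a URI carrying both PIN attributes should be refused.
    if "pin-source" in query_attrs and "pin-value" in query_attrs:
        raise ValueError("pin-source and pin-value are mutually exclusive")
    return path_attrs, query_attrs

def read_pin(query_attrs):
    """Resolve a file: pin-source to the PIN, refusing loosely protected files."""
    source = query_attrs.get("pin-source")
    if source is None:
        return None
    if not source.startswith("file:"):
        raise ValueError("this example only handles file: pin-source values")
    # O_NOFOLLOW: do not follow a symlink planted at the final path component.
    fd = os.open(urlparse(source).path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as fh:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_mode & 0o077:
            raise PermissionError("PIN file must be a regular file, mode 0600 or stricter")
        return fh.readline().rstrip("\r\n")

# Constructed sample URI: the token name, object name and path are made up.
SAMPLE = "pkcs11:token=Network%20HSM;object=ssh-key;type=private?pin-source=file:/etc/ssh/hsm.pin"

if __name__ == "__main__":
    print(parse_pkcs11_uri(SAMPLE))
```

The same permission check applies equally to a PIN file named by an environment variable, since in both designs the file is the only thing protecting the HSM login.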