Hi,
Adding additional dependency for PKCS#11 was correctly rejected in the
past.There is no reason to introduce a new dependency to a project, you
should probably align with the current method of PKCS#11 support in openssh.
If you would like to introduce PKCS#11 support via p11kit, a patch of
adding such support to the existing PKCS#11 implementation (aka client) and
after acceptance, extending it to other use cases would probably be cleaner.
I believe it will be a better idea to support ssh-agent key delegation at
server side to allow using external keys as a pattern instead of adding
more code into daemon, I actually would have removed any PK cryptographic
from both ssh and sshd and delegate all to THE/A agent, reducing the
complexity and duplication of code between the main processes (or library)
and the agent, probably running it as a child if not available to maintain
current behavior.
Please also note that recently the PKCS#11 processing was moved to yet
another process to isolate the main processing from the 3rd party PKCS#11
library, so I am unsure that the approach of patching sshd to directly call
3rd party libraries will be accepted.
Regards,
Alon Bar-Lev
On Mon, Sep 23, 2024 at 10:36?AM Maxime Rey <maximejeanrey at gmail.com>
wrote:
> Hello,
>
> OpenSSH supports PKCS#11 on the client side, but that does not extend to
> the server side. I would like to bring PKCS#11 support to sshd.
>
> I am working on embedded Linux systems with integrated HSM. The sshd
> host key is stored on the HSM. To have sshd using that key, we rely on
> the following chain:
>
> sshd -> OpenSSL -> OpenSSL Engine -> HSM Having
>
> PKCS#11 support in sshd, would reduce it to:
>
> sshd -> PKCS#11 Library -> HSM
>
> This patch extends sshd so that HostKeys can also be PKCS#11 URIs, as
> defined by the RFC 7512[1]. Those URIs are parsed using p11-kit[2], that
> is added as an optional dependency to OpenSSH. If that is a
> show-stopper, URIs could also be parsed directly in OpenSSH but that
> would involve lengthy parsing functions. One can then have a
> configuration that looks like:
>
> HostKey /etc/ssh/ssh_host_ecdsa_key
>
> HostKey pkcs11:object=ssh_host_rsa_key?module-path=/usr/lib/my-pkcs11.so
>
> The rest of the patch relies on the existing infrastructure for dealing
> with PKCS#11 that is already used in the client, ssh-agent and so on.
> Follow-up could extend sshd PKCS#11 support to the Diffie-Hellman key
> exchange and random number generation.
> Any feedback is welcomed :)
>
> Thank you for your time and consideration.
>
> Best regards,
> Maxime Rey
>
> [1]: https://www.rfc-editor.org/rfc/rfc7512.html
> [2]: https://p11-glue.github.io/p11-glue/p11-kit.html
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>