Hello all,
as PKCS#11 URI became standard (RFC 7512), it would be good to be able to specify the keys using this notation in openssh.

So far I implemented the minimal subset of this standard allowing to specify the URI for the ssh tool, in ssh_config and to work with ssh-agent. It does not bring any new dependency, provides unit and regress tests (while fixing agent-pkcs11 regress test).

The code is on github and ready for comments/reviews (some details will need to be adjusted):

https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11

I will file a bugzilla later. I would be grateful for your ideas, comments or reviews for this feature.

Other useful parts of the RFC that could be implemented would be a way to provide a PIN or a PIN source for the token, and other ways of providing module-path (module-name).

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
PKCS11 URI support is a very good thing to add. I'd like the PRs separated, e.g., one for PKCS11 URI, and one for ALWAYS_AUTHENTICATE.

Regards,
Uri

On 4/24/17, 8:26 AM, "openssh-unix-dev on behalf of Jakub Jelen" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jjelen at redhat.com> wrote:

> Hello all,
> as PKCS#11 URI became standard (RFC 7512), it would be good to be able to specify the keys using this notation in openssh.
>
> So far I implemented the minimal subset of this standard allowing to specify the URI for the ssh tool, in ssh_config and to work with ssh-agent. It does not bring any new dependency, provides unit and regress tests (while fixing agent-pkcs11 regress test).
>
> The code is on github and ready for comments/reviews (some details will need to be adjusted):
>
> https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11
>
> I will fill a bugzilla later. I would be grateful for your ideas, comments or reviews for this feature.
>
> Other useful parts of RFC, that could be implemented would be a way to provide a PIN or a PIN source for the token, other ways of providing module-path (module-name).
>
> Regards,
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat
On 04/24/2017 07:37 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> PKCS11 URI support is a very good thing to add.
>
> I'd like the PRs separated, e.g., one for PKCS11 URI, and one for ALWAYS_AUTHENTICATE.

Yes, the ALWAYS_AUTHENTICATE check is a separate feature already filed as bugzilla 2638:

https://bugzilla.mindrot.org/show_bug.cgi?id=2638

It is just in the same branch (in relation to PKCS#11 improvements) and one does not depend on the other.

Jakub
On 04/24/2017 02:26 PM, Jakub Jelen wrote:
> Hello all,
> as PKCS#11 URI became standard (RFC 7512), it would be good to be able
> to specify the keys using this notation in openssh.
>
> So far I implemented the minimal subset of this standard allowing to
> specify the URI for the ssh tool, in ssh_config and to work with
> ssh-agent. It does not bring any new dependency, provides unit and
> regress tests (while fixing agent-pkcs11 regress test).
>
> The code is on github and ready for comments/reviews (some details will
> need to be adjusted):
>
> https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11
>
> I will fill a bugzilla later. I would be grateful for your ideas,
> comments or reviews for this feature.
>
> Other useful parts of RFC, that could be implemented would be a way to
> provide a PIN or a PIN source for the token, other ways of providing
> module-path (module-name).
>
> Regards,

Hello all,
I fixed one issue and added a configure option to pick up the default p11-kit-proxy path from pkg-config instead of a hardcoded value.

https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11

Did anyone have time to review this change? Are you interested in this feature?

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
On Mon, 2017-04-24 at 14:26 +0200, Jakub Jelen wrote:
> Hello all,
> as PKCS#11 URI became standard (RFC 7512), it would be good to be
> able to specify the keys using this notation in openssh.
>
> So far I implemented the minimal subset of this standard allowing to
> specify the URI for the ssh tool, in ssh_config and to work with
> ssh-agent. It does not bring any new dependency, provides unit and
> regress tests (while fixing agent-pkcs11 regress test).
>
> The code is on github and ready for comments/reviews (some details
> will need to be adjusted):
>
> https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11
>
> I will fill a bugzilla later. I would be grateful for your ideas,
> comments or reviews for this feature.
>
> Other useful parts of RFC, that could be implemented would be a way
> to provide a PIN or a PIN source for the token, other ways of providing
> module-path (module-name).

The above commit-set was updated with resolved issues reported by other users and made compatible with OpenSSL 1.1.0 to be able to build on my current machine.

At this time, it is probably the only way we can instruct OpenSSH to use only a specific key from the PKCS#11 module instead of sending all the keys to the server (most of the government or identity cards have multiple keys).

Feel free to comment or propose improvements. It also opens a way for more improvements in the PKCS#11 support, which I am willing to help with too, if there would be interest (ECDSA #2474).

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
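The selection semantics the thread relies on, shown as an added Python example that is not the branch's own code: an RFC 7512 URI is split into path attributes (which object on which token) and query attributes (module-path, pin-source), values are percent-decoded with the binary id kept as bytes, and a key is accepted only when exactly one object on the token matches. The card contents and the pin file path are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Path attributes select the object; query attributes say how to reach the token.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) with percent-decoded values.
    'id' becomes bytes because CKA_ID is binary; everything else is decoded as UTF-8."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    path_attrs, query_attrs = {}, {}
    for part, sep, allowed, out in ((path, ";", PATH_ATTRS, path_attrs),
                                    (query, "&", QUERY_ATTRS, query_attrs)):
        for comp in filter(None, part.split(sep)):
            name, eq, value = comp.partition("=")
            if not eq or name not in allowed:
                raise ValueError("bad or unknown attribute %r" % comp)
            if name in out:  # RFC 7512: each attribute may appear at most once
                raise ValueError("duplicate attribute %r" % name)
            raw = unquote_to_bytes(value)
            out[name] = raw if name == "id" else raw.decode("utf-8")
    return path_attrs, query_attrs

def uri_matches(path_attrs, obj):
    """RFC 7512 matching: every path attribute given in the URI must equal the
    object's value; attributes the URI omits act as wildcards."""
    return all(obj.get(k) == v for k, v in path_attrs.items())

def select_key(uri, objects):
    """Return the one object the URI names. Zero or several matches is an error,
    since the point of the URI is to pick a single key rather than offer them all."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    hits = [o for o in objects if uri_matches(path_attrs, o)]
    if len(hits) != 1:
        raise LookupError("%d objects match %r" % (len(hits), uri))
    return hits[0]

# Constructed token contents: one card exposing two private keys.
CARD_OBJECTS = [
    {"token": "My Card", "object": "PIV AUTH key", "type": "private", "id": b"\x01"},
    {"token": "My Card", "object": "Signature key", "type": "private", "id": b"\x02"},
]
```

A URI that names only the token matches both keys and is rejected, which is the multi-key card case the message above describes.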