Hi, Markus Friedl has added PKCS#11 support for ECDSA keys to OpenSSH. It's available in OpenBSD and the portable version and includes a regress test against softhsm2. https://anongit.mindrot.org/openssh.git/commit/?id=93f02107 (and subsequent) I've used it successfully with a Yubikey 4 using RSA2048, ECCP256 and ECCP384 keys. This should be in the OpenSSH 8.0 release. -d
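The new support means OpenSSH has to bridge two encodings of the same ECDSA key material. A PKCS#11 module's C_Sign with CKM_ECDSA returns the raw concatenation r || s, each value zero-padded to the curve's byte length (32 for P-256, 48 for P-384, 66 for P-521), while the SSH wire format (RFC 5656) carries the signature as string "ecdsa-sha2-nistpXXX" followed by a string holding mpint r and mpint s, and the public key as string "ecdsa-sha2-nistpXXX", string "nistpXXX", string Q with Q an uncompressed point. The following is an added example written for this page, not code from OpenSSH or from anyone on the thread: it converts a raw r || s signature into the SSH signature blob (and back), and parses the kind of public-key line that `ssh-keygen -D <module>` prints. All byte strings are constructed for illustration, not real keys or signatures from a token.

```python
"""Added example (not OpenSSH code): bridging PKCS#11 CKM_ECDSA output and
SSH (RFC 5656) ECDSA encodings.  Sample inputs below are constructed."""
import base64
import struct

# Curve name -> byte length of one coordinate and of each of r and s.
CURVE_BYTES = {"nistp256": 32, "nistp384": 48, "nistp521": 66}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian
    two's complement, so a leading 0x00 is added when the top bit is set."""
    if n < 0:
        raise ValueError("only non-negative values are encoded here")
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def pkcs11_ecdsa_to_ssh(raw_sig: bytes, curve: str) -> bytes:
    """Convert a CKM_ECDSA r||s signature into the SSH signature blob."""
    n = CURVE_BYTES[curve]
    if len(raw_sig) != 2 * n:
        raise ValueError(f"expected {2 * n} bytes of r||s for {curve}, got {len(raw_sig)}")
    r = int.from_bytes(raw_sig[:n], "big")
    s = int.from_bytes(raw_sig[n:], "big")
    if r == 0 or s == 0:
        raise ValueError("r and s must be non-zero")
    return ssh_string(b"ecdsa-sha2-" + curve.encode()) + ssh_string(ssh_mpint(r) + ssh_mpint(s))


def _read_string(buf: bytes, off: int):
    """Read one SSH string at offset `off`; returns (bytes, new_offset)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + length], off + length


def ssh_sig_to_rs(blob: bytes):
    """Inverse of pkcs11_ecdsa_to_ssh: returns (curve, r, s) as ints."""
    sigtype, off = _read_string(blob, 0)
    if not sigtype.startswith(b"ecdsa-sha2-"):
        raise ValueError("not an ECDSA signature")
    curve = sigtype[len(b"ecdsa-sha2-"):].decode()
    inner, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after signature")
    rb, o = _read_string(inner, 0)
    sb, o = _read_string(inner, o)
    if o != len(inner):
        raise ValueError("trailing data inside signature")
    return curve, int.from_bytes(rb, "big"), int.from_bytes(sb, "big")


def parse_ssh_ecdsa_pubkey(line: str):
    """Parse one '<keytype> <base64 blob> [comment]' line, as printed by
    `ssh-keygen -D <module>`; returns (curve, Q) after checking that the
    outer key type, inner key type and curve name agree and that Q is an
    uncompressed point of the right length for the curve."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    inner_type, off = _read_string(blob, 0)
    curve_b, off = _read_string(blob, off)
    q, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in public key blob")
    curve = curve_b.decode()
    if inner_type.decode() != keytype or keytype != "ecdsa-sha2-" + curve:
        raise ValueError("key type / curve mismatch")
    n = CURVE_BYTES[curve]
    if len(q) != 2 * n + 1 or q[0] != 0x04:
        raise ValueError("Q is not an uncompressed point for " + curve)
    return curve, q


def make_ssh_ecdsa_pubkey_line(curve: str, q: bytes, comment: str = "") -> str:
    """Build the authorized_keys line for point Q (inverse of the parser)."""
    keytype = "ecdsa-sha2-" + curve
    blob = ssh_string(keytype.encode()) + ssh_string(curve.encode()) + ssh_string(q)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()


if __name__ == "__main__":
    # Constructed sample: r's top bit is set, so its mpint grows by one byte;
    # s has leading zero bytes, which the mpint encoding drops.
    r = b"\x80" + b"\x11" * 47
    s = b"\x00" * 10 + b"\x22" * 38
    sig = pkcs11_ecdsa_to_ssh(r + s, "nistp384")
    print(ssh_sig_to_rs(sig))
    q = b"\x04" + b"\x01" * 48 + b"\x02" * 48
    print(parse_ssh_ecdsa_pubkey(make_ssh_ecdsa_pubkey_line("nistp384", q, "yubikey-9a")))
```

The length and high-bit checks are the part worth keeping in mind when writing or reviewing a PKCS#11 glue layer: a raw r || s is fixed-width, an mpint is minimal-width, and the two only agree by coincidence.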
On Mon, 21 Jan 2019, Damien Miller wrote:

> Hi,
>
> Markus Friedl has added PKCS#11 support for ECDSA keys to OpenSSH. It's
> available in OpenBSD and the portable version and includes a regress
> test against softhsm2.
>
> https://anongit.mindrot.org/openssh.git/commit/?id=93f02107 (and subsequent)
>
> I've used it successfully with a Yubikey 4 using RSA2048, ECCP256 and
> ECCP384 keys.

BTW, here is the script that I used to set up the keys in my Yubikey 4.
AFAIK only slot "9a" works for SSH authentication.

If you're gullible enough to take advice on how to configure a token from
me, then you should also at least first reset the PIN/PUK/management keys
from their defaults as described at
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

-d

#!/bin/sh
# Generate a PIV key in the authentication slot (9a) and write a
# self-signed certificate for it into the same slot.
SLOT=9a
#ALG=RSA2048
#ALG=ECCP256
ALG=ECCP384
NOW=$(date "+%Y%m%dT%H%M%S")
# The public key is written here in PEM form, one file per generation.
PUBKEY=$HOME/yubikey-$SLOT-$ALG-$NOW.pem
SUBJECT="/CN=djm portable y4/"
DAYS=3560
set -xe
# Require the PIN once per session and cache touch approval briefly.
ykman piv generate-key \
    -a $ALG \
    --pin-policy=ONCE \
    --touch-policy=CACHED \
    $SLOT $PUBKEY
ykman piv generate-certificate -s "$SUBJECT" -d $DAYS $SLOT $PUBKEY
Great to hear, thanks!!

What's the ETA for the 8.0 release? Or should I ask the Macports OpenSSH
maintainers to pull this patch ahead of the official release?

--
Regards,
Uri

On 1/21/2019, 00:37, "openssh-unix-dev on behalf of Damien Miller" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of djm at mindrot.org> wrote:

> Hi,
>
> Markus Friedl has added PKCS#11 support for ECDSA keys to OpenSSH. It's
> available in OpenBSD and the portable version and includes a regress
> test against softhsm2.
> [...]
> This should be in the OpenSSH 8.0 release.
>
> -d