Displaying 20 results from an estimated 464 matches for "pkcs11".

2010 Apr 10
3
pkcs11-helper-devel is needed
How could I install pkcs11 on 64-bit CentOS 5.4 :S It is always asking me for pkcs11-helper but I've already installed it [root at vpn VpnSetup]# rpmbuild -tb openvpn-2.1.1.tar.gz hata: Failed build dependencies: pkcs11-helper-devel is needed by openvpn-2.1.1-1.x86_64 [root at vpn VpnSetup]# rpm -ivh pkcs11-helper-d...
2006 Oct 31
0
PSARC 2005/572 PKCS#11 v2.20
...1 v2.20 support for the Crypto Framework 6287425 residual bzero's in hmac part of sha2 6287428 add sha2 to the i.kcfconfbase upgrade script Files: create: usr/src/common/crypto/blowfish/blowfish_cbc_crypt.c create: usr/src/common/crypto/blowfish/blowfish_cbc_crypt.h create: usr/src/lib/pkcs11/pkcs11_softtoken/common/softBlowfishCrypt.c update: usr/src/cmd/cmd-crypto/digest/digest.c update: usr/src/common/crypto/blowfish/Makefile update: usr/src/common/crypto/blowfish/blowfish_impl.c update: usr/src/common/crypto/rsa/rsa_impl.c update: usr/src/common/crypto/rsa/rsa_impl.h update: u...
2023 Apr 10
6
[Bug 3561] New: Open SSH does not support 1-byte structure packing on non-windows systems for PKCS11
https://bugzilla.mindrot.org/show_bug.cgi?id=3561 Bug ID: 3561 Summary: Open SSH does not support 1-byte structure packing on non-windows systems for PKCS11 Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Reporter: do...
2016 Oct 27
11
[Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive
https://bugzilla.mindrot.org/show_bug.cgi?id=2635 Bug ID: 2635 Summary: Unable to use SSH Agent and user level PKCS11Provider configuration directive Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bug...
2016 Nov 16
2
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
I find this approach very bad in general. PKCS#11 standard says that *private* keys should not be accessible without authentication. *Public* keys and certificates of course can and should be accessible with no authentication. SoftHSM misinterpreted this originally (older pkcs11 documents were less clear :), but they rectified this mistake. We should not repeat it. Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. Original Message From: Juha-Matti Tapio Sent: Wednesday, November 16, 2016 04:35 To: openssh-unix-dev at mindrot.org Subject: [...
2006 Feb 12
0
[ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.07)
...or prompting card insert... Don't be confused, it only expects ok or cancel, attached is a simple script that uses KDE and .NET in order to display these dialogs. You can view full usage by: $ ssh-agent /bin/sh $ ssh-add -h A common scenario is the following: $ ssh-agent /bin/sh $ ssh-add --pkcs11-ask-pin `which openssh-kde-dialogs.sh` $ ssh-add --pkcs11-add-provider --pkcs11-provider /usr/lib/pkcs11/MyProvider.so $ ssh-add --pkcs11-add-id --pkcs11-slot-type label --pkcs11-slot "MyToken" --pkcs11-id-type subject --pkcs11-id "/C=XX/CN=YY" $ ssh myhost In order to see avai...
2016 Nov 16
3
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
Some HSM's such as Safenet Network HSM do not allow searching for keys unauthenticated. To support such devices provide a mechanism for users to provide a pin code that is always used to automatically log in to the HSM when using PKCS11. The pin code is read from a file specified by the environment variable SSH_PKCS11_PINFILE if it is set. Tested against Safenet Network HSM. --- ssh-pkcs11.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index aaf712d..f75b20...
2018 Dec 18
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
I know OpenSSH currently supports PKCS11 devices (such as smartcards) for publickey authentication, but I would love to see PKCS11 extended further. It is currently possible to perform PKCS11 certificate authentication, via pam_krb5.so (on Linux at least and likely something similar on other *NIX) which allows smartcard auth to a Kerbero...
2020 Feb 22
3
Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
...an SSH key. 2. Add that key to ssh-agent. 3. Remove that key from ssh-agent. 4. Add that key to ssh-agent. Expected results: Key is successfully added to ssh-agent. Actual results: ssh-add fails with "agent refused operation". I've looked at the code, and it appears that register_pkcs11_provider (https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c#L1470) fails if a PKCS#11 provider already exists. However, PKCS#11 providers are never unloaded. There is a pkcs11_del_provider but it is never called. That means that after deleting a key, there is no way to re-add it...
2017 Jan 03
2
DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems
On 12/30/2016 02:40 AM, Damien Miller wrote: > On Wed, 28 Dec 2016, Iain Morgan wrote: > >> Hello, >> >> On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not >> very useful. On such systems, /usr/lib64/* would need to be added to the >> pattern list. Although users can specify the -P option every time they >> launch ssh-agent, it might be nice to provide a means to specify a >> default whitelist at build-time. &g...
2020 Apr 02
2
firefox unable to load pkcs11 module
CentOS 7, In firefox -> privacy & security -> certificates -> security devices I am trying to load the pkcs11 modules, but get the error unable to load. I am following the directions at https://piv.idmanagement.gov/engineering/firefox/ I have installed opensc and openssl-pkcs11, which contains /usr/lib64/openssl/engines/pkcs11.so and am using that as the module. Has anybody here done that, and can offer...
2010 Apr 08
1
ssh-add -s /usr/lib/opensc-pkcs11.so does not work
Dear friends, First, thanks for helping me on ssh default option for smartcards. I recompiled SSH from CVS and it seems to work. I still have problems with: ssh-add -s /usr/lib/opensc-pkcs11.so Enter passphrase for PKCS#11: (I enter PIN code) SSH_AGENT_FAILURE Could not add card: /usr/lib/opensc-pkcs11.so pkcs11-tool --slot 1 -O Public Key Object; RSA 2048 bits label: Public Key ID: 7645d913d5***********54816ff02324c23a7ebf4 Usage: none Certificate Object, typ...
2016 Dec 24
30
[Bug 2652] New: PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652 Bug ID: 2652 Summary: PKCS11 login skipped if login required and no pin set Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Smartcard Assignee: unassigned-bu...
2018 Jan 05
11
[Bug 2817] New: Add support for PKCS#11 URIs (RFC 7512)
...at redhat.com Created attachment 3111 --> https://bugzilla.mindrot.org/attachment.cgi?id=3111&action=edit PKCS#11 URI (RFC7512) support There is a series of patches adding a support for PKCS#11 URIs [1] with testsuite and improving the existing tests to be actually run against a software pkcs11 module. What is currently done: * Print PKCS#11 URIs from ssh-keygen * Accept PKCS#11 URIs in -i argument to ssh * Allow PKCS#11 URI specification in ssh_config * Fallback to p11-kit-proxy * PKCS#11 URI support for ssh-add and ssh-agent * internal representation is PKCS#11 URI Currently re...
2006 May 27
2
[ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.11)
Hello, The version 0.11 of "PKCS#11 support in OpenSSH" is published. Changes: 1. Updated against OpenSSH 4.3p2. 2. Modified against Roumen Petrov's X.509 patch (version 5.4), so self-signed certificates are treated by the X.509 patch now. 3. Added --pkcs11-x509-force-ssh if X.509 patch applied, until some issues with the X.509 patch are resolved. 4. Fixed issues with gcc-2. You can grab the new version from http://alon.barlev.googlepages.com/openssh-pkcs11. I will be glad to receive any feedback regarding this patch, so I will be able to adjust it...
2018 Aug 13
8
Why still no PKCS#11 ECC key support in OpenSSH ?
On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote: > Lack of time on the Open Source projects is understandable, and not uncommon. > > However, PKCS11 has been in the codebase practically forever - the ECC > patches that I saw did not alter the API or such. It is especially > non-invasive when digital signature is concerned. > > Considering how long those patches have been sitting in the queue, and > the continued interest among th...
2007 Jan 05
0
Announce: PKCS#11 support version 0.18 in OpenSSH 4.5p1
Hi All, The version of "PKCS#11 support in OpenSSH" is ready for download. On download page http://alon.barlev.googlepages.com/openssh-pkcs11 you can find a patch for OpenSSH 4.5p1. Most of PKCS#11 code is now moved to a standalone library which I call pkcs11-helper, this library is used by all projects that I added PKCS#11 support into. The library can be downloaded from: http://www.opensc-project.org/pkcs11-helper As a result the...
2010 Apr 06
3
Using OpenSSH with smart cards HOWTO
On Tue, 2010-04-06 at 15:52 +0300, Lars Nooden wrote: > You might wish to focus on sftp instead of scp. Okay, I will have a look. I had some problems: 1) I would like to store smart card information -o PKCS11Provider=/usr/lib/opensc-pkcs11.so in /etc/ssh/ssh-config. Is it possible? 2) ssh-add -s does not seem to work. Read: http://www.gooze.eu/howto/using-openssh-scp-with-smart-cards-pkcs11/using-ssh-authentication-agent-ssh-add-with Can anyone help with these issues. Kind regards, Jean-Michel
2005 Oct 22
2
openssh PKCS#11 support
...Current implementation uses the askpin program also for prompting card insert... Don't be confused, it only expects ok or cancel. If we continue in merge I will also allow select a different program for card prompt. A common scenario is the following: $ ssh-agent xterm -> $ ssh-add --pkcs11-ask-pin `which x11-ssh-askpass` $ ssh-add --pkcs11-add-provider --pkcs11-provider /usr/lib/pkcs11/MyProvider.so $ ssh-add --pkcs11-add-id --pkcs11-slot-type label --pkcs11-slot "MyToken" --pkcs11-id-type subject --pkcs11-id "/C=XX/CN=YY" $ ssh myhost In order to see...
2018 Dec 18
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
...ng used this phase > is performed on local machine, once TGT is available, the remaining of > the interaction is kerberos only. > > Regards, > Alon > > On Wed, Dec 19, 2018 at 1:10 AM mailto428496 <mailto628496 at cox.net> wrote: >> I know OpenSSH currently supports PKCS11 devices (such as smartcards) >> for publickey authentication, but I would love to see PKCS11 extended >> further. It is currently possible to perform PKCS11 certificate >> authentication, via pam_krb5.so (on Linux at least and likely something >> similar on other *NIX) whic...