Displaying 20 results from an estimated 27 matches for "pkcs11provid".
2016 Sep 02
4
[Bug 2610] New: ssh should not complain about "no slots" when PKCS11Provider is specified, but no slot is found nor used
https://bugzilla.mindrot.org/show_bug.cgi?id=2610
Bug ID: 2610
Summary: ssh should not complain about "no slots" when
PKCS11Provider is specified, but no slot is found nor
used
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Comp...
2023 Jul 27
3
[Bug 3594] New: PKCS11Provider now requires full paths
https://bugzilla.mindrot.org/show_bug.cgi?id=3594
Bug ID: 3594
Summary: PKCS11Provider now requires full paths
Product: Portable OpenSSH
Version: 9.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.or...
2016 Oct 27
11
[Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive
https://bugzilla.mindrot.org/show_bug.cgi?id=2635
Bug ID: 2635
Summary: Unable to use SSH Agent and user level PKCS11Provider
configuration directive
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at m...
2010 Apr 06
3
Using OpenSSH with smart cards HOWTO
On Tue, 2010-04-06 at 15:52 +0300, Lars Nooden wrote:
> You might wish to focus on sftp instead of scp.
Okay, I will have a look.
I had some problems:
1) I would like to store smart card information
-o PKCS11Provider=/usr/lib/opensc-pkcs11.so
in /etc/ssh/ssh-config. Is it possible?
2) ssh-add -s does not seem to work.
Read:
http://www.gooze.eu/howto/using-openssh-scp-with-smart-cards-pkcs11/using-ssh-authentication-agent-ssh-add-with
Can anyone help with these issues?
Kind regards,
Jean-Michel
2016 Dec 28
2
certificates keys on pkcs11 devices
...tificate with ssh-agent when my Key is
stored on a pkcs11 device. I can add my key with
ssh-add -s /usr/local/lib/opensc-pkcs11.so
but
ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub
does not add the certificate to my agent. As far as I understand, in
ssh-add.c line 580
	if (pkcs11provider != NULL) {
		if (update_card(agent_fd, !deleting, pkcs11provider) == -1)
			ret = 1;
		goto done;
	}
does not check for additional (certificate) files on the command line,
and neither does update_card.
Is there any intention to change this?
Thanks a lot,
Manon
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl
external engines. The problem is they can't be loaded with the usual
openssl methods, they have to be loaded via ENGINE_load_private_key().
Because they're files, they fit well into openssh pub/private file
structure, so they're not very appropriately handled by the pkcs11
interface because it assumes the private
2011 Apr 07
6
new option ssh-add -v to verify if key is loaded into the agent
Dear openssh developers
In a shell script I need to verify if a key belonging to a given public
key file is already loaded into the agent. To achieve this, I added a
new option -v to ssh-add which does this verification.
The patch is based on openssh v5.8p1. The regression test agent.sh was
extended to test this new feature.
Is there any chance for inclusion of the attached patch?
Cheers
Konrad
--
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
...ENSSL_ENGINE
+" [-o engine]\n"
+#endif
" [file ...]\n"
" ssh-add -s pkcs11\n"
" ssh-add -e pkcs11\n"
@@ -622,7 +648,7 @@ main(int argc, char **argv)
extern char *optarg;
extern int optind;
int agent_fd;
- char *pkcs11provider = NULL, *skprovider = NULL;
+ char *pkcs11provider = NULL, *skprovider = NULL, *opensslengine = NULL;
int r, i, ch, deleting = 0, ret = 0, key_only = 0, do_download = 0;
int xflag = 0, lflag = 0, Dflag = 0, qflag = 0, Tflag = 0;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
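Review bot: opensslengine is declared unconditionally in main() in this hunk, while the "[-o engine]" usage text added earlier in the diff sits inside an #ifdef ... #endif guard (the macro name is cut off in this excerpt). If the variable is only assigned and read under that same guard, builds without engine support will carry an unused variable; consider giving it its own declaration line wrapped in the matching #ifdef instead of appending it to the pkcs11provider/skprovider declaration.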
@@ -653,7...
2019 Apr 18
0
Announce: OpenSSH 8.0 released
...key exchange method, based on a combination of Streamlined NTRU
Prime 4591^761 and X25519.
* ssh-keygen(1): Increase the default RSA key size to 3072 bits,
following NIST Special Publication 800-57's guidance for a
128-bit equivalent symmetric security level.
* ssh(1): Allow "PKCS11Provider=none" to override later instances of
the PKCS11Provider directive in ssh_config; bz#2974
* sshd(8): Add a log message for situations where a connection is
dropped for attempting to run a command but a sshd_config
ForceCommand=internal-sftp restriction is in effect; bz#2960
* ssh...
2011 Feb 17
1
PKCS11: selecting which key to use
Hello.
Just popping in (not subscribed, please CC) to ask if it's planned to
add "identity selection" when using a PKCS#11 provider.
To be more clear: I have a (working) reader+smartcard, handled by
PKCS11Provider /usr/lib/opensc-pkcs11.so
statement in config file.
Card is "formatted" w/ "pkcs15-init -C", and got a couple PINs, some
mail certs and some keypairs added.
Seems it works as expected *IF* the only (or first) on-card keypair is
the one to be used for SSH. If it's after ot...
2014 Apr 04
3
[Bug 2221] New: Explicit identity files are being used after implicit files are attempted
https://bugzilla.mindrot.org/show_bug.cgi?id=2221
Bug ID: 2221
Summary: Explicit identity files are being used after implicit
files are attempted
Product: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component:
2013 Mar 06
2
[Bug 2075] New: [PATCH] Enable key pair generation on a PCKS#11 device
..., the public identity file is created as
normal, but a new private key format is introduced to signal that the
key needs to be loaded from an external device.
My plan is to augment this pkcs11 private key identity file format to
enable automatic loading of the external key (e.g., without setting
PKCS11Provider or using the -I option), but I wanted to run this by
people first.
2023 Mar 06
1
Feature request: a good way to supply short-lived certificates to openssh
...ently. For example, ssh -O exit [name] refreshes the certificate, and it should not do so.
IdentityAgent could point to a custom agent. This would be more useful if ssh could _start_ the agent. In any case, this requires an agent, which is more complex than a tool that refreshes a certificate.
PKCS11Provider doesn't seem useful.
ProxyCommand could specify a command that refreshes the certificate. Cloudflare recommended this at one point, and it worked about as poorly as might be expected. (That is, very poorly indeed.)
So my feature request: a way to do this for real. Here are a couple of i...
2016 Oct 03
6
[Bug 2620] New: Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
...n first key access, thus I would like to use option
AddKeysToAgent available in the config. However it seems this option
doesn't work with PKCS#11 keys. Could it be fixed?
There's one more annoying issue: if PKCS#11 key has been already loaded
into agent it isn't considered if ssh uses PKCS11Provider option is set
and I've got to enter card PIN again:
reddot at docorp:~$ ssh-add -l
2048 SHA256:...........................................
/usr/lib/libeTPkcs11.so (RSA)
2048 SHA256:...........................................
/usr/lib/libeTPkcs11.so (RSA)
reddot at docorp:~$ ssh valo...
2013 Mar 22
4
Announce: OpenSSH 6.2 released
...d keys
and certificates that take as little as one bit per certificate when
revoking by serial number. KRLs may be generated using ssh-keygen(1)
and are loaded into sshd(8) via the existing RevokedKeys sshd_config
option.
* ssh(1): IdentitiesOnly now applies to keys obtained from a
PKCS11Provider. This allows control of which keys are offered from
tokens using IdentityFile.
* sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
and "remote" in addition to its previous "yes"/"no" keywords to allow
the server to specify whet...
2013 Apr 30
3
[Bug 2095] New: ssh client not respecting IdentitiesOnly=yes option
...h agent keys that we should never be
using if option is set (as said in the man page extract below).
Extract from ssh_config man page
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity
files configured in the ssh_config files, even if ssh-agent(1) or
a PKCS11Provider offers more identities. The argument to this
keyword must be "yes" or "no". This option is intended for
situations where ssh-agent offers many different identities. The
default is "no".
Hope it helps !
2013 Mar 22
0
Announce: OpenSSH 6.2 released
...d keys
and certificates that take as little as one bit per certificate when
revoking by serial number. KRLs may be generated using ssh-keygen(1)
and are loaded into sshd(8) via the existing RevokedKeys sshd_config
option.
* ssh(1): IdentitiesOnly now applies to keys obtained from a
PKCS11Provider. This allows control of which keys are offered from
tokens using IdentityFile.
* sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
and "remote" in addition to its previous "yes"/"no" keywords to allow
the server to specify whet...
2011 Jul 17
2
openSSH 5.8p2 BindPort patch
...044096 +0100
@@ -125,7 +125,7 @@ typedef enum {
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
- oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
+ oHostKeyAlgorithms, oBindAddress, oBindPort, oPKCS11Provider,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -210,6 +210,7 @@ static struct {
{ "...
2020 Feb 04
46
[Bug 3117] New: Tracking bug for 8.2 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3117
Bug ID: 3117
Summary: Tracking bug for 8.2 release
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Keywords: meta
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee:
2020 May 27
0
Announce: OpenSSH 8.3 released
...instead of the (slower) portable C implementation included
in OpenSSH.
* ssh-keygen(1): add ability to dump the contents of a binary key
revocation list via "ssh-keygen -lQf /path" bz#3132
Bugfixes
--------
* ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
a PKCS11Provider; bz#3141
* ssh-keygen(1): avoid NULL dereference when trying to convert an
invalid RFC4716 private key.
* scp(1): when performing remote-to-remote copies using "scp -3",
start the second ssh(1) channel with BatchMode=yes enabled to
avoid confusing and non-deterministic orde...