search for: pkcs11provider

Displaying 20 results from an estimated 27 matches for "pkcs11provider".

2016 Sep 02
4
[Bug 2610] New: ssh should not complain about "no slots" when PKCS11Provider is specified, but no slot is found nor used
https://bugzilla.mindrot.org/show_bug.cgi?id=2610 Bug ID: 2610 Summary: ssh should not complain about "no slots" when PKCS11Provider is specified, but no slot is found nor used Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement Priority: P5 Compon...
2023 Jul 27
3
[Bug 3594] New: PKCS11Provider now requires full paths
https://bugzilla.mindrot.org/show_bug.cgi?id=3594 Bug ID: 3594 Summary: PKCS11Provider now requires full paths Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-agent Assignee: unassigned-bugs at mindrot.org...
2016 Oct 27
11
[Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive
https://bugzilla.mindrot.org/show_bug.cgi?id=2635 Bug ID: 2635 Summary: Unable to use SSH Agent and user level PKCS11Provider configuration directive Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at min...
2010 Apr 06
3
Using OpenSSH with smart cards HOWTO
On Tue, 2010-04-06 at 15:52 +0300, Lars Nooden wrote: > You might wish to focus on sftp instead of scp. Okay, I will have a look. I had some problems: 1) I would like to store smart card information -o PKCS11Provider=/usr/lib/opensc-pkcs11.so in /etc/ssh/ssh-config. Is it possible? 2) ssh-add -s does not seem to work. Read: http://www.gooze.eu/howto/using-openssh-scp-with-smart-cards-pkcs11/using-ssh-authentication-agent-ssh-add-with Can anyone help with these issues? Kind regards, Jean-Michel
2016 Dec 28
2
certificates keys on pkcs11 devices
...tificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I understand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd, !deleting, pkcs11provider) == -1) ret = 1; goto done; } does not check for additional (certificate) files on the command line and update_card neither does. Is there any intention to change this? Thanks a lot, Manon
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl external engines. The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private
2011 Apr 07
6
new option ssh-add -v to verify if key is loaded into the agent
Dear openssh developers In a shell script I need to verify if a key belonging to a given public key file is already loaded into the agent. To achieve this, I added a new option -v to ssh-add which does this verification. The patch is based on openssh v5.8p1. The regression test agent.sh was extended to test this new feature. Is there any chance for inclusion of the attached patch? Cheers Konrad --
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
...ENSSL_ENGINE +" [-o engine]\n" +#endif " [file ...]\n" " ssh-add -s pkcs11\n" " ssh-add -e pkcs11\n" @@ -622,7 +648,7 @@ main(int argc, char **argv) extern char *optarg; extern int optind; int agent_fd; - char *pkcs11provider = NULL, *skprovider = NULL; + char *pkcs11provider = NULL, *skprovider = NULL, *opensslengine = NULL; int r, i, ch, deleting = 0, ret = 0, key_only = 0, do_download = 0; int xflag = 0, lflag = 0, Dflag = 0, qflag = 0, Tflag = 0; SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; @@ -653,7 +6...
2019 Apr 18
0
Announce: OpenSSH 8.0 released
...key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1...
2011 Feb 17
1
PKCS11: selecting which key to use
Hello. Just popping in (not subscribed, please CC) to ask if it's planned to add "identity selection" when using a PKCS#11 provider. To be more clear: I have a (working) reader+smartcard, handled by PKCS11Provider /usr/lib/opensc-pkcs11.so statement in config file. Card is "formatted" w/ "pkcs15-init -C", and got a couple PINs, some mail certs and some keypairs added. Seems it works as expected *IF* the only (or first) on-card keypair is the one to be used for SSH. If it's after othe...
2014 Apr 04
3
[Bug 2221] New: Explicit identity files are being used after implicit files are attempted
https://bugzilla.mindrot.org/show_bug.cgi?id=2221 Bug ID: 2221 Summary: Explicit identity files are being used after implicit files are attempted Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component:
2013 Mar 06
2
[Bug 2075] New: [PATCH] Enable key pair generation on a PCKS#11 device
..., the public identity file is created as normal, but a new private key format is introduced to signal that the key needs to be loaded from an external device. My plan is to augment this pkcs11 private key identity file format to enable automatic loading of the external key (e.g., without setting PKCS11Provider or using the -I option), but I wanted to run this by people first. -- You are receiving this mail because: You are watching the assignee of the bug.
2023 Mar 06
1
Feature request: a good way to supply short-lived certificates to openssh
...ently. For example, ssh -O exit [name] refreshes the certificate, and it should not do so. IdentityAgent could point to a custom agent. This would be more useful if ssh could _start_ the agent. In any case, this requires an agent, which is more complex than a tool that refreshes a certificate. PKCS11Provider doesn't seem useful. ProxyCommand could specify a command that refreshes the certificate. Cloudflare recommended this at one point, and it worked about as poorly as might be expected. (That is, very poorly indeed.) So my feature request: a way to do this for real. Here are a couple of ide...
2016 Oct 03
6
[Bug 2620] New: Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
...n first key access, thus I would like to use option AddKeysToAgent available in the config. However it seems this option doesn't work with PKCS#11 keys. Could it be fixed? There's one more annoying issue: if a PKCS#11 key has already been loaded into the agent it isn't considered if ssh's PKCS11Provider option is set and I've got to enter the card PIN again: reddot at docorp:~$ ssh-add -l 2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA) 2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA) reddot at docorp:~$ ssh valov....
2013 Mar 22
4
Announce: OpenSSH 6.2 released
...d keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option. * ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in addition to its previous "yes"/"no" keywords to allow the server to specify whethe...
2013 Apr 30
3
[Bug 2095] New: ssh client not respecting IdentitiesOnly=yes option
...h agent keys that we should never be using if option is set (as said in the man page extract below). Extract from ssh_config man page IdentitiesOnly Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) or a PKCS11Provider offers more identities. The argument to this keyword must be "yes" or "no". This option is intended for situations where ssh-agent offers many different identities. The default is "no". Hope it helps ! -- You are receiving this mail because: You are watching the assignee of the...
2013 Mar 22
0
Announce: OpenSSH 6.2 released
...d keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option. * ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in addition to its previous "yes"/"no" keywords to allow the server to specify whethe...
2011 Jul 17
2
openSSH 5.8p2 BindPort patch
...044096 +0100 @@ -125,7 +125,7 @@ typedef enum { oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, - oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, + oHostKeyAlgorithms, oBindAddress, oBindPort, oPKCS11Provider, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -210,6 +210,7 @@ static struct { { "pr...
2020 Feb 04
46
[Bug 3117] New: Tracking bug for 8.2 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3117 Bug ID: 3117 Summary: Tracking bug for 8.2 release Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Keywords: meta Severity: enhancement Priority: P5 Component: Miscellaneous Assignee:
2020 May 27
0
Announce: OpenSSH 8.3 released
...instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path" bz#3132 Bugfixes -------- * ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a PKCS11Provider; bz#3141 * ssh-keygen(1): avoid NULL dereference when trying to convert an invalid RFC4716 private key. * scp(1): when performing remote-to-remote copies using "scp -3", start the second ssh(1) channel with BatchMode=yes enabled to avoid confusing and non-deterministic orderi...