search for: rfc7512

...us: NEW Severity: enhancement Priority: P5 Component: Smartcard Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com Created attachment 3111 --> https://bugzilla.mindrot.org/attachment.cgi?id=3111&action=edit PKCS#11 URI (RFC7512) support There is a series of patches adding a support for PKCS#11 URIs [1] with testsuite and improving the existing tests to be actually run against a software pkcs11 module. What is currently done: * Print PKCS#11 URIs from ssh-keygen * Accept PKCS#11 URIs in -i argument to ssh * Allow PKCS...

...ly, since it is first result of search). So far, the key is identified by its pkcs11 provider library [2] and by flag SSHKEY_FLAG_EXT [3], which is obviously not enough (see the self-explaining comment /* XXX */ [2]). Fortunately, similar question was asked before by different people and there is RFC7512 describing PKCS#11 URI scheme, which quite suits these needs. It can overgrow into ugly monstrosity, but for our case should be enough to note the id (CKA_ID) in scheme. Integration of this idea into openssh would require some changes, which are more complex to do them without discussion as a patc...

...hat is already used in the client, ssh-agent and so on. Follow-up could extend sshd PKCS#11 support to the Diffie-Hellman key exchange and random number generation. Any feedback is welcomed :) Thank you for your time and consideration. Best regards, Maxime Rey [1]: https://www.rfc-editor.org/rfc/rfc7512.html [2]: https://p11-glue.github.io/p11-glue/p11-kit.html -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-sshd-Add-pkcs11-support-for-HostKey.patch Type: text/x-diff Size: 24848 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-u...

Some HSM's such as Safenet Network HSM do not allow searching for keys unauthenticated. To support such devices provide a mechanism for users to provide a pin code that is always used to automatically log in to the HSM when using PKCS11. The pin code is read from a file specified by the environment variable SSH_PKCS11_PINFILE if it is set. Tested against Safenet Network HSM. ---

Adjust indentation from spaces to tab (+optional two spaces) as in coding style with command like: $ sed -e 's/^ /\t/' -i */Kconfig Signed-off-by: Krzysztof Kozlowski <krzk at kernel.org> --- drivers/acpi/Kconfig | 8 +- drivers/ata/Kconfig | 12 +-- drivers/auxdisplay/Kconfig | 14 +--

Adjust indentation from spaces to tab (+optional two spaces) as in coding style with command like: $ sed -e 's/^ /\t/' -i */Kconfig Signed-off-by: Krzysztof Kozlowski <krzk at kernel.org> --- drivers/acpi/Kconfig | 8 +- drivers/ata/Kconfig | 12 +-- drivers/auxdisplay/Kconfig | 14 +--