search for: softhsm

Displaying 20 results from an estimated 26 matches for "softhsm".

2016 Jan 15
4
Proposal: always handle keys in separate process
...ng material in a dedicated process? A similar approach, "Practical key privilege separation using Caml Crush", was discussed at FOSDEM'15 with a focus on Heartbleed [1][2] but the ideas and principles are the same. Now this is easily done using the following available components: - SoftHSM to store the crypto keys - Caml-Crush server components load the SoftHSM middleware (access the keys) in a dedicated process - SSH client loads Caml-Crush PKCS#11 middleware that connects to its daemon and allows signing the SSH exchange to authenticate No patch needed. Hope this helps, Thomas...
2020 Aug 26
10
[Bug 3202] New: Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 Bug ID: 3202 Summary: Ed25519 key on HSM is not getting listed in ssh-add -l command Product: Portable OpenSSH Version: 8.2p1 Hardware: ARM64 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-add
2016 Nov 16
2
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
I find this approach very bad in general. PKCS#11 standard says that *private* keys should not be accessible without authentication. *Public* keys and certificates of course can and should be accessible with no authentication. SoftHSM misinterpreted this originally (older pkcs11 documents were less clear :), but they rectified this mistake. We should not repeat it. Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. Original Message From: Juha-Matti Tapio Sent: Wednesday, November 16, 2016 04:35 T...
2018 Dec 19
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this
2015 Sep 28
33
[Bug 2474] New: Enabling ECDSA in PKCS#11 support for ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=2474 Bug ID: 2474 Summary: Enabling ECDSA in PKCS#11 support for ssh-agent Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh-agent Assignee: unassigned-bugs
2017 Nov 27
2
Debian Buster, bind_dlz, and apparmor
...ith-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LD...
2015 Jul 14
2
[Bug 2427] New: ssh keygen is trying to read uninitialized slots on smart card (and is failing)
...gi?id=2664&action=edit ignore uninitialized slots Based on our investigation of Smart Card usability with openSSH we found several minor problems that were filed in our red hat bugzilla [1]. One of them is that keygen is trying to open a session on uninitialised slots on the smart card (tested with softHSM soft token). The first view was that the problem is on the soft token side, but it announces the slot in the correct way, with the CKF_TOKEN_INITIALIZED flag, which should prevent tools from opening a session on this slot. I created a patch against master that skips slots with this flag, rather than failing hard on...
2015 Jul 15
3
[Bug 2429] New: ssh-keygen ignores keys that have CKA_ID == 0
...t 2670 --> https://bugzilla.mindrot.org/attachment.cgi?id=2670&action=edit Do not require to return ID from token Based on our investigation of Smart Card usability with openSSH we found several minor problems that were filed in our red hat bugzilla [1]. Another problem is again with softHSM. It is returning an empty ID, which is not handled by keygen correctly. The length check was added based on bug #1773. It is fine to skip certificates that have empty values. But requiring a non-empty ID is not the preferred way because: * the ID is not used anywhere in ssh-keygen * some tokens do no...
2016 Jan 14
4
Proposal: always handle keys in separate process
Hello, in light of the recent CVE-2016-0777, I came up with the following idea, that would have lessened its impact. Feel free to ignore or flame me, maybe it's stupid or I missed something :) - private key material should only ever be handled in a separate process from the SSH client. ssh-agent (maybe slightly extended) seems the logical choice. - in places where the client currently reads
2018 Aug 13
8
Why still no PKCS#11 ECC key support in OpenSSH ?
On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote: > Lack of time on the Open Source projects is understandable, and not uncommon. > > However, PKCS11 has been in the codebase practically forever - the ECC > patches that I saw did not alter the API or such. It is especially > non-invasive when digital signature is concerned. > > Considering how long those patches have
2019 Jan 22
0
Samba BIND9_DLZ autoupdate PTR
...=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFL...
2017 Nov 03
3
[RFC 1/2] Add support for openssl engine based keys
On Thu, 26 Oct 2017, James Bottomley wrote: > Engine keys are keys whose file format is understood by a specific > engine rather than by openssl itself. Since these keys are file > based, the pkcs11 interface isn't appropriate for them because they > don't actually represent tokens. What sort of keys do you have in mind here that can't be represented via PKCS#11? -d
2018 Jun 30
3
BIND9_DLZ: TKEY is unacceptable - depending on the name server
...openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' > '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' > '--enable-filter-aaaa' '--enable-native-pkcs11' > '--with-pkcs11=/usr/lib/arm-linux-gnueabihf/softhsm/libsofthsm2.so' > '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 > -fdebug-prefix-map=/build/bind9-6GG44j/bind9-9.10.3.dfsg.P4=. > -fstack-protector-strong -Wformat -Werror=format-security > -fno-strict-aliasing -fno-delete-null-pointer-checks > -DNO_VERSION_DATE...
2016 Nov 16
2
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
...ri - 0553 - MITLL wrote: > I find this approach very bad in general. > > PKCS#11 standard says that *private* keys should not be accessible without authentication. *Public* keys and certificates of course can and should be accessible with no authentication. > > SoftHSM misinterpreted this originally (older pkcs11 documents were less clear :), but they rectified this mistake. We should not repeat it. I do agree that requiring authentication to access public keys is not a very pleasant way to do PKCS11. The point is not as much of being "not very pl...
2023 Sep 11
21
[Bug 3613] New: Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613 Bug ID: 3613 Summary: Unable to sign using certificates and PKCS#11 Product: Portable OpenSSH Version: 8.9p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-keygen Assignee:
2016 Nov 24
1
samba_dnsupdate --verbose --all-names fails with kinit RuntimeError
...th-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' > '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' > '--enable-filter-aaaa' '--enable-native-pkcs11' > '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' > 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat > -Werror=format-security -fno-strict-aliasing > -fno-delete-null-pointer-checks -DNO_VERSION_DATE' > 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' > 'CPPFLAG...
2015 Jul 16
13
[Bug 2430] New: ssh-keygen should allow to login before reading public key from smart card
...ity: P5 Component: Smartcard Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com Based on our investigation of Smart Card usability with openSSH we found several minor problems that were filed in our red hat bugzilla [1]. The next problem is again with softHSM. It is hiding by default both the public and private key, until you log in to the card. This is not a rare feature and it is useful, because it hides all the data on the card from unauthorized access. Most of the pkcs11 tools have the ability to log in before doing an operation with the card. Openssh does it now o...
2020 Sep 30
6
Bind9 issue
Rowland, To answer you first, my "example.com" registered host is a wildcard " *. example.com". Everything example.com returns my external ip address. Both bind9 and samba are running. Might add your "options" but for now, solving my problem, first. Louis, your answer in a few minutes. On Wed, Sep 30, 2020 at 8:09 AM Rowland penny via samba < samba at
2019 Jan 02
2
Samba - Bind9 DNS - ISC-DHCP - obsolete DNS entries
...=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFL...
2019 Jan 22
4
Samba BIND9_DLZ autoupdate PTR
Set auth-nxdomain yes; And stop/start bind9 Other source : https://blogs.technet.microsoft.com/teamdhcp/2015/09/10/a-description-of-the-dns-dynamic-update-message-format/ /snap The DNS Client and Server services support the use of dynamic updates, as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allows dynamic