search for: softhsm

...ng material in a dedicated process? A similar approach, "Practical key privilege separation using Caml Crush", was discussed at FOSDEM'15 with a focus on Heatbleed [1][2] but the ideas and principles are the same. Now this is easily done using the following available components: - SoftHSM to store the crypto keys - Caml-Crush server components load the SoftHSM middleware (access the keys) in a dedicated process - SSH client loads Caml-Crush PKCS#11 middleware that connects to its daemon and allows to sign SSH exchange to authenticate No patch needed. Hope this helps, Thomas...

https://bugzilla.mindrot.org/show_bug.cgi?id=3202 Bug ID: 3202 Summary: Ed25519 key on HSM is not getting listed in ssh-add -l command Product: Portable OpenSSH Version: 8.2p1 Hardware: ARM64 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-add

I find this approach very bad in general.? PKCS#11 standard says that *private* keys should not be accessible without authentication. *Public* keys and certificates of course can and should be accessible with no authentication. SoftHSM misinterpreted this originally (older pkcs11 documents were less clear :), but they rectified this mistake. We should not repeat it.? Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network. ? Original Message ? From: Juha-Matti Tapio Sent: Wednesday, November 16, 2016 04:35 T...

Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this

https://bugzilla.mindrot.org/show_bug.cgi?id=2474 Bug ID: 2474 Summary: Enabling ECDSA in PKCS#11 support for ssh-agent Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh-agent Assignee: unassigned-bugs

...ith-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LD...

...gi?id=2664&action=edit ignore uninitialized slots Based on our investigation of Smart Cart usability with openSSH we found several minor problems that were filled in our red hat bugzilla [1]. One of them is that keygen is trying to open session on uninitialised slots on smart card (tested with softHSM soft token). First view was that the problem is on soft token side, but it announces the slot in correct way, with CKF_TOKEN_INITIALIZED flag, which should prevent tools to open session on this slot. I created patch against master that is skipping slots with this flag, rather than failing hard on...

...t 2670 --> https://bugzilla.mindrot.org/attachment.cgi?id=2670&action=edit Do not require to return ID from token Based on our investigation of Smart Cart usability with openSSH we found several minor problems that were filled in our red hat bugzilla [1]. The another is problem again with softHSM. It is returning empty ID, which is not handled by keygen correctly. The length check was added based on the bug #1773. It is fine to skip certificates that have empty values. But requiring non-empty ID is not preferred way because: * the ID is not used anywhere in ssh-keygen * some tokens do no...

Hello, in light of the recent CVE-2016-0777, I came up with the following idea, that would have lessened its impact. Feel free to ignore or flame me, maybe its stupid or I missed something :) - private key material should only ever be handled in a separate process from the SSH client. ssh-agent (maybe slightly extended) seems the logical choice. - in places where the client currently reads

On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote: > Lack of time on the Open Source projects is understandable, and not uncommon. > > However, PKCS11 has been in the codebase practically forever - the ECC > patches that I saw did not alter the API or such. It is especially > non-invasive when digital signature is concerned. > > Considering how long those patches have

...=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFL...

On Thu, 26 Oct 2017, James Bottomley wrote: > Engine keys are keys whose file format is understood by a specific > engine rather than by openssl itself. Since these keys are file > based, the pkcs11 interface isn't appropriate for them because they > don't actually represent tokens. What sort of keys do you have in mind here that can't be represented via PKCS#11? -d

...openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' > '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' > '--enable-filter-aaaa' '--enable-native-pkcs11' > '--with-pkcs11=/usr/lib/arm-linux-gnueabihf/softhsm/libsofthsm2.so' > '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 > -fdebug-prefix-map=/build/bind9-6GG44j/bind9-9.10.3.dfsg.P4=. > -fstack-protector-strong -Wformat -Werror=format-security > -fno-strict-aliasing -fno-delete-null-pointer-checks > -DNO_VERSION_DATE...

https://bugzilla.mindrot.org/show_bug.cgi?id=3613 Bug ID: 3613 Summary: Unable to sign using certificates and PKCS#11 Product: Portable OpenSSH Version: 8.9p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-keygen Assignee:

...ri - 0553 - MITLL wrote: > I find this approach very bad in general. > > PKCS#11 standard says that *private* keys should not be accessible without authentication. *Public* keys and certificates of course can and should be accessible with no authentication. > > SoftHSM misinterpreted this originally (older pkcs11 documents were less clear :), but they rectified this mistake. We should not repeat it. I do agree that requiring authentication to access public keys is not a very pleasant way to do PKCS11. The point is not as much of being ?not very pl...

...th-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' > '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' > '--enable-filter-aaaa' '--enable-native-pkcs11' > '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' > 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat > -Werror=format-security -fno-strict-aliasing > -fno-delete-null-pointer-checks -DNO_VERSION_DATE' > 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' > 'CPPFLAG...

...ity: P5 Component: Smartcard Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com Based on our investigation of Smart Cart usability with openSSH we found several minor problems that were filled in our red hat bugzilla [1]. Next is problem again with softHSM. It is hiding by default both public and private key, until you login to the card. This is not rare feature and it is useful, because it hides all the data on the card for unauthorized access. Most of the pkcs11 tools have ability to do login before doing operation with card. Openssh does it now o...

Rowland, To answer you first, my "example.com" registered host is a wildcat " *. example.com". Everything example.com returns my external ip address. Both bind9 and samba are running. Might add your "options" but for now, solving my problem, first. Louis, your answer in a few minutes. On Wed, Sep 30, 2020 at 8:09 AM Rowland penny via samba < samba at

...=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFL...

Set auth-nxdomain yes; And stop/start bind9 Other source : https://blogs.technet.microsoft.com/teamdhcp/2015/09/10/a-description-of-the-dns-dynamic-update-message-format/ /snap The DNS Client and Server services support the use of dynamic updates, as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allows dynamic