Displaying 20 results from an estimated 2000 matches similar to: "PKCS11: selecting which key to use"
2016 Dec 28
2
certificates keys on pkcs11 devices
Hi,
I have not found any way to use a Certificate with ssh-agent when my Key is
stored on a pkcs11 device. I can add my key with
ssh-add -s /usr/local/lib/opensc-pkcs11.so
but
ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub
does not add the certificate to my agent. As far as I undestand, in
ssh-add.c line 580
if (pkcs11provider != NULL) {
if (update_card(agent_fd,
2016 Oct 27
11
[Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive
https://bugzilla.mindrot.org/show_bug.cgi?id=2635
Bug ID: 2635
Summary: Unable to use SSH Agent and user level PKCS11Provider
configuration directive
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
2016 Oct 03
6
[Bug 2620] New: Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Bug ID: 2620
Summary: Option AddKeysToAgent doesnt work with keys provided
by PKCS11 libraries.
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
2010 Apr 06
3
Using OpenSSH with smart cards HOWTO
On Tue, 2010-04-06 at 15:52 +0300, Lars Nooden wrote:
> You might wish to focus on sftp instead of scp.
Okay, I will have a look.
I had some problems:
1) I would like to store smart card information
-o PKCS11Provider=/usr/lib/opensc-pkcs11.so
in /etc/ssh/ssh-config. Is it possible?
2) ssh-add -s does not seem to work.
Read:
2010 Jan 06
2
smart cards (was: OpenSSH daemon security bug?)
On 06.01.2010, at 5:46, openssh-unix-dev-request at mindrot.org wrote:
> OpenSSH daemon security bug?
If you find find passwords and/or password protected keys not secure I would suggest using private keys on a smart card.
There's a bug(with patches) related to smart cards:
https://bugzilla.mindrot.org/show_bug.cgi?id=1371
I don't think that guessing about the protection of the
2004 Sep 02
1
contribution - pkcs11 smart card support
Hello,
I have just finished development of PKCS#11 smartcard support into OpenSSH.
It is based on existing approach implemented in sectok and OpenSC support.
It means it supports private key stored on PKCS#11 device.
I have developed it on Linux platform and tested on Windows using Cygwin and
after some minor code cealn-up I'm ready to post a patch.
Are you (especially maintaners)
2016 Nov 16
3
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
Some HSM's such as Safenet Network HSM do not allow searching for keys
unauthenticated. To support such devices provide a mechanism for users
to provide a pin code that is always used to automatically log in to
the HSM when using PKCS11.
The pin code is read from a file specified by the environment variable
SSH_PKCS11_PINFILE if it is set.
Tested against Safenet Network HSM.
---
2016 Jul 25
3
ssh-pkcs11.c
Hi Alon,
I confirmed with pkcs11-tool (from OpenSC) and I can confirm that
pressing return when asked for the pin causes the login to stop (and
not to try a empty pin).
Can you confirm if a empty pin is actually a valid pin, and if not,
can the patch be accepted?
Once again, the problem is that from a user experience, *some/most*
users would expect they can skip pkcs11 token authentication just
2020 Feb 22
3
Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
Hi all,
Thanks for all your hard work! I was particularly excited to see
FIDO/U2F support in the latest release.
I'd like to make the following bug report in ssh-agent's PKCS#11 support:
Steps to reproduce:
1. Configure a smart card (e.g. Yubikey in PIV mode) as an SSH key.
2. Add that key to ssh-agent.
3. Remove that key from ssh-agent.
4. Add that key to ssh-agent.
Expected results:
2020 Feb 27
2
[PATCH] Readable return codes for pkcs11 identities
Right now, if I typo my PIN for a PKCS#11 token, I get the inscrutable message:
$ ssh -I /path/to/module user at example.com
Enter PIN for 'SSH key':
C_Login failed: 160
I'd prefer to receive a more useful message:
Login to PKCS#11 token failed: Incorrect PIN
I've attached a patch that adds specific handling for three common
error cases: Incorrect PIN, PIN too long or too
2020 Feb 24
4
Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
On Sat, 2020-02-22 at 10:50 -0600, Douglas E Engert wrote:
> As a side note, OpenSC is looking at issues with using tokens vs
> separate
> readers and smart cards. The code paths in PKCS#11 differ. Removing a
> card
> from a reader leaves the pkcs#11 slot still available. Removing a
> token (Yubikey)
> removes both the reader and and its builtin smart card. Firefox has a
>
2018 Dec 18
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
Alon,
I should have provided more background. You are assuming that I could
perform the PKINIT prior to connecting to the SSH server. In this case
(and others) there is an interest in not exposing the kerberos servers
to the world and thus someone connecting remotely would not be able to
obtain a TGT or do a PKINIT. The goal would be for SSH to handle all
the auth and only after connecting to
2018 Dec 19
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
Alon,
On 12/18/2018 06:52 PM, Alon Bar-Lev wrote:
> OK... So you have an issue...
>
> First, you need to delegate your smartcard to remote machine, probably
> using unix socket redirection managed by openssh. This can be done in
> many levels...
> 1. Delegate USB device, this will enable only exclusive usage of the
> smartcard by remote machine.
> 2. Delegate PC/SC, this
2013 Mar 06
2
[Bug 2075] New: [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075
Bug ID: 2075
Summary: [PATCH] Enable key pair generation on a PCKS#11 device
Classification: Unclassified
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component:
2016 Nov 16
2
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
I find this approach very bad in general.?
PKCS#11 standard says that *private* keys should not be accessible without authentication. *Public* keys and certificates of course can and should be accessible with no authentication.
SoftHSM misinterpreted this originally (older pkcs11 documents were less clear :), but they rectified this mistake. We should not repeat it.?
2023 Aug 01
3
[Bug 3597] New: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597
Bug ID: 3597
Summary: Why do we check both nsession_ids and
remote_add_provider when judging whether allow remote
addition of FIDO/PKCS11 provider libraries is
disabled?
Product: Portable OpenSSH
Version: -current
Hardware: Other
2018 Feb 26
3
Outstanding PKCS#11 issues
Hello everyone,
as you could have noticed over the years, there are several bugs for
PKCS#11 improvement and integration which are slipping under the radar
for several releases, but the most painful ones are constantly updated
by community to build, work and make our lives better.
I wrote some of the patches, provided feedback to others, or offered
other help here on mailing list, but did not
2014 Jan 28
1
safenet eToken 5100 pkcs11 bug(?)
Guys, I am not able to get it run. I can not say where is the problem but it seams that the openssh client is not able to get list of rsa key from token. See two logs from pkcs11-spy. one is for "ssh -I" the second is for "pkcs11-tool -O"
In the second log there is private_key visible or offered in the first one is not.
I use openssh 6.4 version on Linux or Mac.
Log from
2016 Dec 24
30
[Bug 2652] New: PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652
Bug ID: 2652
Summary: PKCS11 login skipped if login required and no pin set
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Smartcard
Assignee:
2002 Oct 17
2
playing with smartcard: rsa key upload?
I began playing with smartcard support and enabled this in openssh-3.5p1
on linux.
The -U (upload) option unfortunately doesn't work yet with ssh-keygen:
$ ssh-keygen -U 0
Enter file in which the key is (/home/user/.ssh/id_rsa):
key uploading not yet supported
Is there a tool to upload an openssh rsa key to a smart card so that I can
use it with ssh -I later on? Should I just upload it as a