similar to: ssh-pkcs11.c

On Fri, Jun 17, 2016 at 7:57 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote: > On 17 June 2016 at 20:58, Nuno Gon?alves <nunojpg at gmail.com> wrote: >> Hi, >> >> It seems there is a bug with the pkcs11 feature where a zero-length >> PIN is accepted. I believe this is a bug, since the user might want to >> press return when asked for the PIN to

Hi Alon, I confirmed with pkcs11-tool (from OpenSC) and I can confirm that pressing return when asked for the pin causes the login to stop (and not to try a empty pin). Can you confirm if a empty pin is actually a valid pin, and if not, can the patch be accepted? Once again, the problem is that from a user experience, *some/most* users would expect they can skip pkcs11 token authentication just

Some smartcard readers have keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary. PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today. Dw. commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a Author: Dirk-Willem van Gulik <dirkx at webweaving.org> Date: Tue Mar 17

Some HSM's such as Safenet Network HSM do not allow searching for keys unauthenticated. To support such devices provide a mechanism for users to provide a pin code that is always used to automatically log in to the HSM when using PKCS11. The pin code is read from a file specified by the environment variable SSH_PKCS11_PINFILE if it is set. Tested against Safenet Network HSM. ---

I find this approach very bad in general.? PKCS#11 standard says that *private* keys should not be accessible without authentication. *Public* keys and certificates of course can and should be accessible with no authentication. SoftHSM misinterpreted this originally (older pkcs11 documents were less clear :), but they rectified this mistake. We should not repeat it.?

https://bugzilla.mindrot.org/show_bug.cgi?id=2547 Bug ID: 2547 Summary: ssh-ext-info: missing server signature algorithms Product: Portable OpenSSH Version: 7.2p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at

Sorry; here's the message I sent with the Keychain Patch yesterday. I didn't realize that the list wouldn't extract the text parts of the message. Enjoy. Hey all, Here's the patch to let SSH store passwords in the Mac OS X Keychain. I don't know whether you guys want to include it or not with the distribution; some people have said that since Keychain is not an open

Folks, Find below a minor patch to allow the use of smartcards in readers that have their own PIN entry keypads (Secure PIN entry) such as the SPR332 and most german/medical chipcard devices. Tested on Solaris, FreeBSD and MacOSX against various cards and drivers. I?ve left the pkcs11_interactive check in place. Arguably - with some Secure PIN readers it may be better to move this just in front

On Wed, 5 Apr 2017, Jakub Jelen wrote: > Disabling SHA-1 for signatures sounds like a good idea these days (and was the > main reason why the extension created if I read it right [1]). > This leaves me confused if the use case without SHA1 was missed from the draft > or it was left as an implementation detail, that was not implemented in > OpenSSH. The reasons we didn't

https://bugzilla.mindrot.org/show_bug.cgi?id=2680 Bug ID: 2680 Summary: Regression in server-sig-algs offer in 7.4p1 (Deprecation of SHA1 is not being enforced) Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5

Repost; updated for HEAD and tested on ubuntu as well. Dw. Folks, Find below a minor patch to allow the use of smartcards in readers that have their own PIN entry keypads (Secure PIN entry) such as the SPR332 and most german/medical chipcard devices. Tested on Solaris, FreeBSD, Linux and MacOSX against various cards and drivers. I?ve left the pkcs11_interactive check in place. Arguably - with

https://bugzilla.mindrot.org/show_bug.cgi?id=3571 Bug ID: 3571 Summary: Canceling SSH_ASKPASS actually sends an empty string Product: Portable OpenSSH Version: 8.8p1 Hardware: Other OS: Linux Status: NEW Severity: major Priority: P5 Component: ssh Assignee: unassigned-bugs at

I know OpenSSH currently supports PKCS11 devices (such as smartcards) for publickey authentication, but I would love to see PKCS11 extended further. It is currently possible to perform PKCS11 certificate authentication, via pam_krb5.so (on Linux at least and likely something similar on other *NIX) which allows smartcard auth to a Kerberos (including AD) server, where a TGT can also be granted.

Hi, Following the fix [1] being released on 7.5, now SHA2 RSA signature methods work properly. On the other hand it is still not possible to disable SHA1 RSA alone (as an example, as SHA2-256 or SHA2-512 could also potentially be not desirable), where it is considered insecure or undesirable. I am proposing to add a mechanism, and happy to submit a patch, to enable selection of the Hashes

Alon, I should have provided more background. You are assuming that I could perform the PKINIT prior to connecting to the SSH server. In this case (and others) there is an interest in not exposing the kerberos servers to the world and thus someone connecting remotely would not be able to obtain a TGT or do a PKINIT. The goal would be for SSH to handle all the auth and only after connecting to

Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this

Hi, I have made a patch for enabling the use of ECDSA keys in the PKCS#11 support of ssh-agent which will be of interest to other users. I have tested it with P-256 keys. P-384 and P-521 should work out-of-the box. The code is ready for non-FIPS curves (named or explicit), but OpenSSH currently limits ECDSA to those 3 curves. At high level it works like the support for RSA, but because of

On 11/16/16, 8:55 AM, "openssh-unix-dev on behalf of Juha-Matti Tapio" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jmtapio at ssh.com> wrote: On Wed, Nov 16, 2016 at 12:54:44PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > I find this approach very bad in general. > > PKCS#11 standard says that *private* keys should not be

Dear friends, First, thanks for helping me on ssh default option for smartcards. I recompiled SSH from CVS and it seems to work. I still have problems with: ssh-add -s /usr/lib/opensc-pkcs11.so Enter passphrase for PKCS#11: (I enter PIN code) SSH_AGENT_FAILURE Could not add card: /usr/lib/opensc-pkcs11.so pkcs11-tool --slot 1 -O Public Key Object; RSA 2048 bits label: Public Key ID:

Hello, I have just finished development of PKCS#11 smartcard support into OpenSSH. It is based on existing approach implemented in sectok and OpenSC support. It means it supports private key stored on PKCS#11 device. I have developed it on Linux platform and tested on Windows using Cygwin and after some minor code cealn-up I'm ready to post a patch. Are you (especially maintaners)