similar to: [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

Some HSM's such as Safenet Network HSM do not allow searching for keys unauthenticated. To support such devices provide a mechanism for users to provide a pin code that is always used to automatically log in to the HSM when using PKCS11. The pin code is read from a file specified by the environment variable SSH_PKCS11_PINFILE if it is set. Tested against Safenet Network HSM. ---

On 11/16/16, 8:55 AM, "openssh-unix-dev on behalf of Juha-Matti Tapio" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jmtapio at ssh.com> wrote: On Wed, Nov 16, 2016 at 12:54:44PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > I find this approach very bad in general. > > PKCS#11 standard says that *private* keys should not be

Hello, OpenSSH supports PKCS#11 on the client side, but that does not extend to the server side. I would like to bring PKCS#11 support to sshd. I am working on embedded Linux systems with integrated HSM. The sshd host key is stored on the HSM. To have sshd using that key, we rely on the following chain: sshd -> OpenSSL -> OpenSSL Engine -> HSM Having PKCS#11 support in sshd, would

https://bugzilla.mindrot.org/show_bug.cgi?id=3202 Bug ID: 3202 Summary: Ed25519 key on HSM is not getting listed in ssh-add -l command Product: Portable OpenSSH Version: 8.2p1 Hardware: ARM64 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-add

Guys, I am not able to get it run. I can not say where is the problem but it seams that the openssh client is not able to get list of rsa key from token. See two logs from pkcs11-spy. one is for "ssh -I" the second is for "pkcs11-tool -O" In the second log there is private_key visible or offered in the first one is not. I use openssh 6.4 version on Linux or Mac. Log from

https://bugzilla.mindrot.org/show_bug.cgi?id=3561 Bug ID: 3561 Summary: Open SSH does not support 1-byte structure packing on non-windows systems for PKCS11 Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5

Hmm, don't you just love changing terminology! I've been using HSM systems at work since '99. BTW, DMAPI is the Data Management API which was a common(ish) extension used by amongst others SGI and IBM. Back to lvmcache. It looks interesting. I'd earlier dismissed LVM since it is block orientated, not file orientated. Probably because my mental image is of files migrating to

https://bugzilla.mindrot.org/show_bug.cgi?id=3635 Bug ID: 3635 Summary: ssh-add -s always asks for PKCS#11 PIN Product: Portable OpenSSH Version: 9.0p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-add Assignee: unassigned-bugs at

I think there may be some confusion here. By HSM I was referring to Hierarchical Storage Management, whereby there are multiple levels of storage (fast+expensive <-> slow+cheap) and files migrate up or down. Originally it was used to keep data on tape with the metadata residing on disk though it has been expanded to allow a SAS/SATA hierarchy. Quite where PKI comes in I'm not sure,

Andrew, I have a software which need the following package but I can't find it in Internet. Could you advice me where I can download it? samba-3.0.10-1.4E6.HSM.2.i386 samba-common-3.0.10-1.3E.6.HSM.2 samba-client-3.0.10-1.4E.6.HSM.2 Thanks, Isaac Chan

Hi there, has anybody managed to get the eToken Pro Anywhere work with SSH? I'm using the latest SafeNetAuthentication drivers available for Ubuntu 64bit (8.3) and everything is working just fine except for ssh. I can use the eToken for logging in, openvpn, rdestkop, etc. but it seems ssh does not recognize the device properly. The command "ssh -I /usr/lib/libeToken.so.8 user at

I said I had several questions to start threads on.... What about ZFS and various HSM solutions? Do any of them already work with ZFS? Are any going to? It seems like HSM solutions that access things at a file level would have little trouble integrating with ZFS. But ones that work at a block level would have a harder time. On that same thread, what about support for DMAPI within ZFS?

Purely from interest, is there any current FOSS implementation of HSM? I note that XFS has dropped support for DMAPI, have other filesystems? Regards, Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL:

https://bugzilla.mindrot.org/show_bug.cgi?id=3579 Bug ID: 3579 Summary: OpenSSH trims last character of fixed-lenght buffers received from the pkcs11 providers providing users with inaccurate information Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: Linux

Hi - I was wondering if any of you may be able to point me in the right direction. I am in the process of designing a fairly large fileserver solution in an MS Active directory environment. I have setup and tested ctdb samba, however, after several discussions with a couple of my colleagues, i am now considering a more vanilla flavour of samba. The key features the solution requires are: •

Hi. I'm looking for a tutorial/how-to for a HSM (Hierarchical /Storage/ Management). keeping old messages for a user in a cheap storage and recent messages in a faster one. I see on dovecot2 wiki an alternative for hsm as "Alternate storage", but I don't now if it's a good solution for me. The expected result is a faster imap/pop access for new messages on a

Hello, Is there any support (existing or planned) for host keys/certs being managed by some hardware device (tpm,hsm,etc..) instead of a flat file? thanks, -Kenny

I have successfully set up a system with Ices0.4 and IceCast2.20 (and Tunez). It plays well using mpg123 or WinAmp. But I would like to use also my KiSS DVD player for the stream, and I have not been able to do so - It appearently needs 110% SHOUTcast compatibility. So I tried the IceCast2.3.1 - but it still didn't like the KiSS (or the other way around). In stead, I have added a SHOUTcast

Hi List, I just got myself a new everpower-1000va. according to the compatibility list, the 'safenet' driver supposed to support it, however, when I try, I get this in syslog: Jul 24 15:05:22 tv upsd[26458]: Can't connect to UPS [everpower1000] (safenet-ttyS1): No such file or directory this is my ups.conf: [everpower1000] driver = safenet port = /dev/ttyS1 desc =

I've started testing the detect-renamed patch with 2.6.9 and soon 3.0.0pre1. I have an unique situation where I'm rsync'ing to a HSM based filesystem. I've found that the detect-renamed patch works but it appears to do a copy of the file to the new destination. This is particular slow since the file in the HSM based filesystem may only be a stub and all the data is only resident