similar to: [PATCH] Readable return codes for pkcs11 identities

Hello everyone, as you could have noticed over the years, there are several bugs for PKCS#11 improvement and integration which are slipping under the radar for several releases, but the most painful ones are constantly updated by community to build, work and make our lives better. I wrote some of the patches, provided feedback to others, or offered other help here on mailing list, but did not

On Sat, 2019-04-06 at 03:20 +1100, Damien Miller wrote: > On Fri, 5 Apr 2019, Jakub Jelen wrote: > > > There is also changed semantics of the ssh-keygen when listing keys > > from PKCS#11 modules. In the past, it was not needed to enter a PIN > > for > > this, but now. > > > > At least, it is not consistent with a comment in the function > >

https://bugzilla.mindrot.org/show_bug.cgi?id=2652 Bug ID: 2652 Summary: PKCS11 login skipped if login required and no pin set Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Smartcard Assignee:

Some smartcard readers have keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary. PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today. Dw. commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a Author: Dirk-Willem van Gulik <dirkx at webweaving.org> Date: Tue Mar 17

https://bugzilla.mindrot.org/show_bug.cgi?id=2638 Bug ID: 2638 Summary: Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement

Hi Alon, I confirmed with pkcs11-tool (from OpenSC) and I can confirm that pressing return when asked for the pin causes the login to stop (and not to try a empty pin). Can you confirm if a empty pin is actually a valid pin, and if not, can the patch be accepted? Once again, the problem is that from a user experience, *some/most* users would expect they can skip pkcs11 token authentication just

On 11/16/16, 8:55 AM, "openssh-unix-dev on behalf of Juha-Matti Tapio" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jmtapio at ssh.com> wrote: On Wed, Nov 16, 2016 at 12:54:44PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > I find this approach very bad in general. > > PKCS#11 standard says that *private* keys should not be

On Sat, 2020-02-22 at 10:50 -0600, Douglas E Engert wrote: > As a side note, OpenSC is looking at issues with using tokens vs > separate > readers and smart cards. The code paths in PKCS#11 differ. Removing a > card > from a reader leaves the pkcs#11 slot still available. Removing a > token (Yubikey) > removes both the reader and and its builtin smart card. Firefox has a >

https://bugzilla.mindrot.org/show_bug.cgi?id=2620 Bug ID: 2620 Summary: Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries. Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5

Some HSM's such as Safenet Network HSM do not allow searching for keys unauthenticated. To support such devices provide a mechanism for users to provide a pin code that is always used to automatically log in to the HSM when using PKCS11. The pin code is read from a file specified by the environment variable SSH_PKCS11_PINFILE if it is set. Tested against Safenet Network HSM. ---

On Fri, 2019-03-29 at 12:29 +0100, Jakub Jelen wrote: > On Wed, 2019-03-27 at 22:00 +1100, Damien Miller wrote: > > Hi, > > > > OpenSSH 8.0p1 is almost ready for release, so we would appreciate > > testing > > on as many platforms and systems as possible. > > > > Snapshot releases for portable OpenSSH are available from > >

Hello all, as PKCS#11 URI became standard (RFC 7512), it would be good to be able to specify the keys using this notation in openssh. So far I implemented the minimal subset of this standard allowing to specify the URI for the ssh tool, in ssh_config and to work with ssh-agent. It does not bring any new dependency, provides unit and regress tests (while fixing agent-pkcs11 regress test). The

https://bugzilla.mindrot.org/show_bug.cgi?id=2817 Bug ID: 2817 Summary: Add support for PKCS#11 URIs (RFC 7512) Product: Portable OpenSSH Version: 7.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Smartcard Assignee: unassigned-bugs at

Hello All, As I promised, I've completed and initial patch for openssh PKCS#11 support. The same framework is used also by openvpn. I want to help everyone who assisted during development. This patch is based on the X.509 patch from http://roumenpetrov.info/openssh/ written by Rumen Petrov, supporting PKCS#11 without X.509 looks like a bad idea. *So the first question is: What is the

Hi all, Thanks for all your hard work! I was particularly excited to see FIDO/U2F support in the latest release. I'd like to make the following bug report in ssh-agent's PKCS#11 support: Steps to reproduce: 1. Configure a smart card (e.g. Yubikey in PIV mode) as an SSH key. 2. Add that key to ssh-agent. 3. Remove that key from ssh-agent. 4. Add that key to ssh-agent. Expected results:

https://bugzilla.mindrot.org/show_bug.cgi?id=2075 Bug ID: 2075 Summary: [PATCH] Enable key pair generation on a PCKS#11 device Classification: Unclassified Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component:

Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this

Hello, I have just finished development of PKCS#11 smartcard support into OpenSSH. It is based on existing approach implemented in sectok and OpenSC support. It means it supports private key stored on PKCS#11 device. I have developed it on Linux platform and tested on Windows using Cygwin and after some minor code cealn-up I'm ready to post a patch. Are you (especially maintaners)

https://bugzilla.mindrot.org/show_bug.cgi?id=2472 Bug ID: 2472 Summary: Add support to load additional certificates Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-agent Assignee: unassigned-bugs at

Hello. Just popping in (not subscribed, please CC) to ask if it's planned to add "identity selection" when using a PKCS#11 provider. To be more clear: I have a (working) reader+smartcard, handled by PKCS11Provider /usr/lib/opensc-pkcs11.so statement in config file. Card is "formatted" w/ "pkcs15-init -C", and got a couple PINs, some mail certs and some keypairs