Displaying 20 results from an estimated 3000 matches similar to: "[PATCH] Readable return codes for pkcs11 identities"
2018 Feb 26
3
Outstanding PKCS#11 issues
Hello everyone,
as you could have noticed over the years, there are several bugs for
PKCS#11 improvement and integration which are slipping under the radar
for several releases, but the most painful ones are constantly updated
by community to build, work and make our lives better.
I wrote some of the patches, provided feedback to others, or offered
other help here on mailing list, but did not
2019 Apr 24
2
Call for testing: OpenSSH 8.0
On Sat, 2019-04-06 at 03:20 +1100, Damien Miller wrote:
> On Fri, 5 Apr 2019, Jakub Jelen wrote:
>
> > There is also changed semantics of the ssh-keygen when listing keys
> > from PKCS#11 modules. In the past, it was not needed to enter a PIN
> > for
> > this, but now.
> >
> > At least, it is not consistent with a comment in the function
> >
2016 Dec 24
30
[Bug 2652] New: PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652
Bug ID: 2652
Summary: PKCS11 login skipped if login required and no pin set
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Smartcard
Assignee:
2015 Mar 17
2
[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path
Some smartcard readers have a keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary).
PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today.
Dw.
commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
Author: Dirk-Willem van Gulik <dirkx at webweaving.org>
Date: Tue Mar 17
2016 Nov 11
10
[Bug 2638] New: Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
https://bugzilla.mindrot.org/show_bug.cgi?id=2638
Bug ID: 2638
Summary: Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
private objects
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
2016 Jul 25
3
ssh-pkcs11.c
Hi Alon,
I confirmed with pkcs11-tool (from OpenSC) and I can confirm that
pressing return when asked for the pin causes the login to stop (and
not to try an empty pin).
Can you confirm if an empty pin is actually a valid pin, and if not,
can the patch be accepted?
Once again, the problem is that from a user experience, *some/most*
users would expect they can skip pkcs11 token authentication just
2016 Nov 16
2
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
On 11/16/16, 8:55 AM, "openssh-unix-dev on behalf of Juha-Matti Tapio" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jmtapio at ssh.com> wrote:
On Wed, Nov 16, 2016 at 12:54:44PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> I find this approach very bad in general.
>
> PKCS#11 standard says that *private* keys should not be
2020 Feb 24
4
Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
On Sat, 2020-02-22 at 10:50 -0600, Douglas E Engert wrote:
> As a side note, OpenSC is looking at issues with using tokens vs
> separate
> readers and smart cards. The code paths in PKCS#11 differ. Removing a
> card
> from a reader leaves the pkcs#11 slot still available. Removing a
> token (Yubikey)
> removes both the reader and its builtin smart card. Firefox has a
>
2016 Oct 03
6
[Bug 2620] New: Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Bug ID: 2620
Summary: Option AddKeysToAgent doesnt work with keys provided
by PKCS11 libraries.
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
2016 Nov 16
3
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
Some HSM's such as Safenet Network HSM do not allow searching for keys
unauthenticated. To support such devices provide a mechanism for users
to provide a pin code that is always used to automatically log in to
the HSM when using PKCS11.
The pin code is read from a file specified by the environment variable
SSH_PKCS11_PINFILE if it is set.
Tested against Safenet Network HSM.
---
2019 Apr 05
2
Call for testing: OpenSSH 8.0
On Fri, 2019-03-29 at 12:29 +0100, Jakub Jelen wrote:
> On Wed, 2019-03-27 at 22:00 +1100, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 8.0p1 is almost ready for release, so we would appreciate
> > testing
> > on as many platforms and systems as possible.
> >
> > Snapshot releases for portable OpenSSH are available from
> >
2017 Apr 24
5
PKCS#11 URIs in OpenSSH
Hello all,
as PKCS#11 URI became standard (RFC 7512), it would be good to be able
to specify the keys using this notation in openssh.
So far I implemented the minimal subset of this standard allowing to
specify the URI for the ssh tool, in ssh_config and to work with
ssh-agent. It does not bring any new dependency, provides unit and
regress tests (while fixing agent-pkcs11 regress test).
The
2018 Jan 05
11
[Bug 2817] New: Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Bug ID: 2817
Summary: Add support for PKCS#11 URIs (RFC 7512)
Product: Portable OpenSSH
Version: 7.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at
2005 Oct 22
2
openssh PKCS#11 support
Hello All,
As I promised, I've completed an initial patch for openssh
PKCS#11 support. The same framework is used also by openvpn.
I want to help everyone who assisted during development.
This patch is based on the X.509 patch from
http://roumenpetrov.info/openssh/ written by Rumen Petrov,
supporting PKCS#11 without X.509 looks like a bad idea.
*So the first question is: What is the
2020 Feb 22
3
Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
Hi all,
Thanks for all your hard work! I was particularly excited to see
FIDO/U2F support in the latest release.
I'd like to make the following bug report in ssh-agent's PKCS#11 support:
Steps to reproduce:
1. Configure a smart card (e.g. Yubikey in PIV mode) as an SSH key.
2. Add that key to ssh-agent.
3. Remove that key from ssh-agent.
4. Add that key to ssh-agent.
Expected results:
2013 Mar 06
2
[Bug 2075] New: [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075
Bug ID: 2075
Summary: [PATCH] Enable key pair generation on a PCKS#11 device
Classification: Unclassified
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component:
2018 Dec 19
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
Alon,
On 12/18/2018 06:52 PM, Alon Bar-Lev wrote:
> OK... So you have an issue...
>
> First, you need to delegate your smartcard to remote machine, probably
> using unix socket redirection managed by openssh. This can be done in
> many levels...
> 1. Delegate USB device, this will enable only exclusive usage of the
> smartcard by remote machine.
> 2. Delegate PC/SC, this
2004 Sep 02
1
contribution - pkcs11 smart card support
Hello,
I have just finished development of PKCS#11 smartcard support into OpenSSH.
It is based on existing approach implemented in sectok and OpenSC support.
It means it supports private key stored on PKCS#11 device.
I have developed it on Linux platform and tested on Windows using Cygwin and
after some minor code clean-up I'm ready to post a patch.
Are you (especially maintainers)
2015 Sep 25
24
[Bug 2472] New: Add support to load additional certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=2472
Bug ID: 2472
Summary: Add support to load additional certificates
Product: Portable OpenSSH
Version: 7.1p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at
2011 Feb 17
1
PKCS11: selecting which key to use
Hello.
Just popping in (not subscribed, please CC) to ask if it's planned to
add "identity selection" when using a PKCS#11 provider.
To be more clear: I have a (working) reader+smartcard, handled by
PKCS11Provider /usr/lib/opensc-pkcs11.so
statement in config file.
Card is "formatted" w/ "pkcs15-init -C", and got a couple PINs, some
mail certs and some keypairs