OpenSSH PKCS#11 merge

Peter Stuge stuge-openssh-unix-dev at cdy.org
Wed Jan 9 09:42:44 EST 2008


Hi,

On Tue, Jan 08, 2008 at 03:39:15PM +0200, Alon Bar-Lev wrote:
> Thank you so much for the input!
> I was unaware that the agent can call these functions.
> However, I believe that it is somewhat confusing to introduce a
> passphrase dialog for ok/cancel input... :)

Also see the ask_permission() call in readpass.c which is used for
keys that are added with the confirmation constraint - it will only
read a yes/no answer.


> I released a new version of my patch:
> http://alon.barlev.googlepages.com/openssh-4.7pkcs11-0.21.tar.bz2
> 
> This version uses the ssh-askpass interface.

I'll have a look. Not tonight though.


> I also split the patches so it will be clear what goes where
> and why.
> 
> Available for OpenSSH and Portable OpenSSH versions, and X.509
> functionality.

Cool! Have you done any research on pkcs#11 in OpenBSD? I asked
around in #openbsd on freenode some time ago but no one there had
heard any strong opinions either for or against it.

OpenBSD has support for hardware crypto, but that's all in the kernel
and I suppose applications all use whatever native APIs there are,
which then may or may not be accelerated.

Might be interesting to check out. OpenVPN supposedly can make use of
the hw crypto acceleration. I don't know at all about the scope of
OBSD hw crypto support. Perhaps a p11 wrapper for the OBSD native API
would be useful. :)


//Peter