HostKey in hardware?

Jan Pechanec jan.pechanec at
Tue Dec 4 06:27:27 EST 2012

On Wed, 28 Nov 2012, Damien Miller wrote:

>> Here's a (lightly tested) patch for PKCS#11 host keys. At the moment, the
>> keys are loaded using a fixed PIN of 0000, but there's probably a better
>> way to do it. I don't really want sshd to block at startup time while looking
>> for a password, but my PKCS#15-fu isn't good enough to know how to create
>> keys that don't require a PIN at all.
>Thinking about it some more, I've come to the conclusion that this patch
>is insufficient because it offers no way to select which keys from the
>token will end up as SSH hostkeys. An administrator who has gone to the
>trouble of setting up some sort of token for the storage of SSH keys may
>well want to use it with independent keys for other purposes (e.g. TLS keys).
>So we need some way of selecting keys from the token for use. I don't like
>doing it via reader ID / slot, as readers on USB busses can move around -
>IMO it's safer to explicitly specify the public key. Perhaps like:
>HostKeyPKCS11 /path/to/ /path/to/

	Damien, you could use PKCS#11 URI for that. You may even 
overload HostKey keyword and test for "pkcs:" prefix to distinguish
between a path and a URI.

	the URI is already used in GNOME, GnuTLS, and Solaris (ZFS, 


Jan Pechanec

More information about the openssh-unix-dev mailing list