HostKey in hardware?
andrew cooke
andrew at acooke.org
Thu Nov 22 05:49:30 EST 2012
Hi,
Is there any way to store HostKey in hardware (and delegate the related processing)?

I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey:
http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html

For PKCS#11, I have found an email on this list from a year back suggesting this might happen http://marc.info/?l=openssh-unix-dev&m=131501200216440&w=2 and there's also a mention in this talk http://www.openbsd.org/papers/asiabsdcon2011_openssh_whats_new.pdf but I can find no evidence that anything has been implemented yet.

The hardware I am using (Spyrus Lynks II) doesn't have PKCS#11 support, so I would prefer the OpenSSL route (since I already have an engine), but if necessary I would consider writing a minimal PKCS#11 implementation (can anyone give a rough idea of the amount of work involved to get HostKey working, only?)
Anyway, any pointers would be appreciated.
Thanks,
Andrew