HostKey in hardware?

Damien Miller djm at mindrot.org
Fri Nov 23 15:09:17 EST 2012


On Fri, 23 Nov 2012, Peter Stuge wrote:

> Damien Miller wrote:
> > At the moment, the keys are loaded using a fixed PIN of 0000, but
> > there's probably a better way to do it.
>
> Maybe take PIN from the config file, although it's not too awesome..

If you can steal access to the token then you can almost certainly steal
sshd_config, so I think that would be false security for most people.

I'd prefer to stipulate that any keys used for hostkeys are PIN-less,
but I can't find any documentation on how one would actually create
these. It looks like it should be possible using OpenSC and a custom
pkcs15.profile, but I don't know enough about PKCS#15 or the vagaries of
various tokens' behaviour to actually do it or say that it would work
reliably :(

-d


More information about the openssh-unix-dev mailing list