HostKey in hardware?
Damien Miller
djm at mindrot.org
Fri Nov 23 15:09:17 EST 2012
On Fri, 23 Nov 2012, Peter Stuge wrote:
> Damien Miller wrote: > At the moment, the keys are loaded using a
> fixed PIN of 0000, but > there's probably a better way to do it.
>
> Maybe take PIN from the config file, although it's not too awesome..
If you can steal access to the token then you can almost certainly steal
sshd_config, so I think that would be false security for most people.
I'd prefer to stipulate that any keys used for hostkeys are PIN-less,
but I can't find any documentation on how one would actually create
these. It looks like it should be possible using OpenSC and a custom
pkcs15.profile, but I don't know enough about PKCS#15 or the vagaries of
various tokens' behaviour to actually do it or say that it would work
reliably :(
-d
More information about the openssh-unix-dev
mailing list