HostKey in hardware?

Damien Miller djm at
Wed Nov 28 17:03:27 EST 2012

On Fri, 23 Nov 2012, Damien Miller wrote:

> Here's a (lightly tested) patch for PKCS#11 host keys. At the moment, the
> keys are loaded using a fixed PIN of 0000, but there's probably a better
> way to do it. I don't really want sshd to block at startup time while looking
> for a password, but my PKCS#15-fu isn't good enough to know how to create
> keys that don't require a PIN at all.

Thinking about it some more, I've come to the conclusion that this patch
is insufficient because it offers no way to select which keys from the
token will end up as SSH hostkeys. An administrator who has gone to the
trouble of setting up some sort of token for the storage of SSH keys may
well want to use it with independent keys for other purposes (e.g. TLS keys).

So we need some way of selecting keys from the token for use. I don't like
doing it via reader ID / slot, as readers on USB busses can move around -
IMO it's safer to explicitly specify the public key. Perhaps like:

HostKeyPKCS11 /path/to/ /path/to/

Which would load only the key specified by from the token.

What do you think?


More information about the openssh-unix-dev mailing list