[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

Jakub Jelen jjelen at redhat.com
Mon Nov 21 19:05:23 AEDT 2016

On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> Some HSM's such as Safenet Network HSM do not allow searching for keys
> unauthenticated. To support such devices provide a mechanism for users
> to provide a pin code that is always used to automatically log in to
> the HSM when using PKCS11.
> The pin code is read from a file specified by the environment variable
> SSH_PKCS11_PINFILE if it is set.
Don't we have PKCS#11 URI [1] to handle this? Without re-inventing wheel 
again? Wider implemenation would solve also other pains in PKCS#11 
waters in OpenSSH (choosing single key from a card -- alternative to 
IdentityFile, using p11kit, ...), though it would need some work to 
implement in OpenSSH, but as I can observe, PKCS#11 is not a biggest 
priority. Though I am having a look into that.

[1] https://tools.ietf.org/html/rfc7512


Jakub Jelen
Software Engineer
Security Technologies
Red Hat

More information about the openssh-unix-dev mailing list