[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
Jakub Jelen
jjelen at redhat.com
Mon Nov 21 19:05:23 AEDT 2016
On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> Some HSMs such as Safenet Network HSM do not allow searching for keys
> unauthenticated. To support such devices provide a mechanism for users
> to provide a pin code that is always used to automatically log in to
> the HSM when using PKCS11.
>
> The pin code is read from a file specified by the environment variable
> SSH_PKCS11_PINFILE if it is set.
Don't we have PKCS#11 URI [1] to handle this? Without re-inventing the wheel
again? A wider implementation would also solve other pains in PKCS#11
waters in OpenSSH (choosing a single key from a card -- alternative to
IdentityFile, using p11kit, ...), though it would need some work to
implement in OpenSSH, but as I can observe, PKCS#11 is not the biggest
priority. Though I am having a look into that.
[1] https://tools.ietf.org/html/rfc7512
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
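
To illustrate the PKCS#11 URI approach mentioned in the reply above, here is an added example (not part of the thread and not OpenSSH code) that extracts attributes such as `token` and `pin-source` from an RFC 7512 URI. The function name `p11_uri_get` is hypothetical and the sample URI, token name and file path are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) { /* -1 if not a hex digit */
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Fetch text attribute `key` from an RFC 7512 URI, percent-decoded into out. in_query=0 reads the
 * ';'-separated path, 1 the '&'-separated query. 0 if found, -1 if absent, malformed or too long. */
int p11_uri_get(const char *uri, const char *key, int in_query, char *out, size_t outlen) {
    if (outlen == 0 || strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *p = uri + 7, *q = strchr(p, '?');
    if (in_query && !q) return -1;
    const char *end = in_query ? q + strlen(q) : (q ? q : p + strlen(p));
    if (in_query) p = q + 1;
    size_t klen = strlen(key);
    while (p < end) {
        const char *next = memchr(p, in_query ? '&' : ';', (size_t)(end - p));
        if (!next) next = end;
        if ((size_t)(next - p) > klen && !strncmp(p, key, klen) && p[klen] == '=') {
            size_t n = 0;
            for (const char *v = p + klen + 1; v < next; v++) {
                int c = (unsigned char)*v;
                if (c == '%') { /* percent-encoded octet: need two hex digits */
                    if (next - v < 3) return -1;
                    int hi = hexval((unsigned char)v[1]), lo = hexval((unsigned char)v[2]);
                    if (hi < 0 || lo < 0) return -1;
                    c = hi * 16 + lo; v += 2;
                }
                if (c == 0 || n + 1 >= outlen) return -1; /* no embedded NUL, no overflow */
                out[n++] = (char)c;
            }
            out[n] = '\0';
            return 0;
        }
        p = next + 1;
    }
    return -1;
}

int main(void) { /* constructed sample URI; token name and path are made up */
    const char *uri = "pkcs11:token=My%20HSM;object=ssh-key?pin-source=file:/etc/ssh/hsm.pin";
    char tok[64], src[128];
    if (!p11_uri_get(uri, "token", 0, tok, sizeof tok) && !p11_uri_get(uri, "pin-source", 1, src, sizeof src))
        printf("token=\"%s\" pin-source=\"%s\"\n", tok, src);
    return 0;
}
```

With `pin-source` the URI carries only a reference to where the PIN is stored, so the PIN itself does not appear in configuration files or command lines.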