[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

Juha-Matti Tapio jmtapio at ssh.com
Mon Nov 21 21:36:15 AEDT 2016


On Mon, Nov 21, 2016 at 09:05:23AM +0100, Jakub Jelen wrote:
> On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> > Some HSMs such as Safenet Network HSM do not allow searching for keys
> > unauthenticated. To support such devices provide a mechanism for users
> > to provide a pin code that is always used to automatically log in to
> > the HSM when using PKCS11.
> > 
> > The pin code is read from a file specified by the environment variable
> > SSH_PKCS11_PINFILE if it is set.
> Don't we have PKCS#11 URI [1] to handle this? Without re-inventing wheel
> again? Wider implementation would solve also other pains in PKCS#11 waters in
> OpenSSH (choosing single key from a card -- alternative to IdentityFile,
> using p11kit, ...), though it would need some work to implement in OpenSSH,
> but as I can observe, PKCS#11 is not the biggest priority. Though I am having
> a look into that.

I think PKCS#11 URI support would be an excellent way to do it and
being able to choose the key would be a definite improvement. I
am not sure how much effort it would take but in principle I think it
would be the cleanest way to solve the issues.
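The mechanism the quoted commit message describes (a PIN read from the file named by SSH_PKCS11_PINFILE and used to log in to the token unconditionally), as an added example in C that is neither the patch's own code nor OpenSSH's. The function names, the permission policy and the demo_pinfile helper are assumptions. The check a reviewer would want here is that the file is a regular, owner-only file, because whoever can read it can authenticate to the HSM; the example rejects group/world-accessible files, empty or binary PINs, and wipes the raw buffer after use.

```c
/* Added example, not OpenSSH code: PIN-file handling as the commit message
 * describes it, plus the file-permission checks a reviewer would expect.
 * All function names and the demo helper are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Take the first line of the raw file contents as the PIN: strip the
 * trailing CR/LF, reject empty PINs, embedded NULs and overlong input.
 * Returns the PIN length, or -1 on rejection. */
static int pkcs11_pin_from_buf(const char *raw, size_t rawlen,
                               char *out, size_t outlen)
{
    size_t n = 0;
    while (n < rawlen && raw[n] != '\n' && raw[n] != '\r')
        n++;
    if (memchr(raw, '\0', n) != NULL)   /* binary junk, not a PIN */
        return -1;
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, raw, n);
    out[n] = '\0';
    return (int)n;
}

/* Read the PIN from `path`.  The file must be a regular file that is not
 * readable or writable by group/other, since its contents unlock the HSM.
 * Returns the PIN length, or -1 (errno may be set by open/fstat/read). */
static int pkcs11_read_pinfile(const char *path, char *out, size_t outlen)
{
    char raw[256];
    struct stat st;
    ssize_t got;
    int fd, rc = -1;

    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        (st.st_mode & (S_IRWXG | S_IRWXO)) == 0) {
        got = read(fd, raw, sizeof raw);
        if (got > 0)
            rc = pkcs11_pin_from_buf(raw, (size_t)got, out, outlen);
    }
    memset(raw, 0, sizeof raw);   /* do not leave the PIN in a dead buffer */
    close(fd);
    return rc;
}

/* Honour SSH_PKCS11_PINFILE the way the commit message describes it:
 * returns 0 when the variable is unset (caller falls back to prompting),
 * the PIN length when it was read, or -1 when the file was rejected. */
static int pkcs11_pin_from_env(char *out, size_t outlen)
{
    const char *path = getenv("SSH_PKCS11_PINFILE");
    if (path == NULL || *path == '\0')
        return 0;
    return pkcs11_read_pinfile(path, out, outlen);
}

/* Demonstration helper (hypothetical): write `contents` to a temporary file
 * with `mode`, run the reader on it, and report 1 if the PIN came back equal
 * to `expect`, 0 if it was rejected or did not match. */
static int demo_pinfile(mode_t mode, const char *contents, const char *expect)
{
    char path[] = "/tmp/ssh-pkcs11-pin-XXXXXX";   /* constructed test file */
    char pin[64];
    int fd, ok = 0;

    fd = mkstemp(path);                  /* created 0600, then chmod'ed */
    if (fd < 0)
        return 0;
    if (write(fd, contents, strlen(contents)) == (ssize_t)strlen(contents) &&
        fchmod(fd, mode) == 0 &&
        pkcs11_read_pinfile(path, pin, sizeof pin) > 0 &&
        strcmp(pin, expect) == 0)
        ok = 1;
    memset(pin, 0, sizeof pin);
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    char pin[64];
    printf("owner-only file, PIN accepted: %d\n",
           demo_pinfile(0600, "123456\n", "123456"));
    printf("world-readable file, rejected: %d\n",
           demo_pinfile(0644, "123456\n", "123456"));
    printf("empty PIN, rejected: %d\n", demo_pinfile(0600, "\n", ""));
    printf("SSH_PKCS11_PINFILE lookup: %d\n",
           pkcs11_pin_from_env(pin, sizeof pin));
    return 0;
}
```

A PKCS#11 URI as Jakub suggests would carry the same file reference in its pin-source query attribute (RFC 7512) instead of a separate environment variable, so the reader above is the part that would survive either design; the permission check matters in both.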
