[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Nov 22 01:05:59 AEDT 2016


+1

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Jakub Jelen
Sent: Monday, November 21, 2016 03:07
To: Juha-Matti Tapio; openssh-unix-dev at mindrot.org
Subject: Re: [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> Some HSM's such as Safenet Network HSM do not allow searching for keys
> unauthenticated. To support such devices provide a mechanism for users
> to provide a pin code that is always used to automatically log in to
> the HSM when using PKCS11.
>
> The pin code is read from a file specified by the environment variable
> SSH_PKCS11_PINFILE if it is set.
Don't we have PKCS#11 URI [1] to handle this? Without re-inventing the wheel 
again? Wider implementation would also solve other pains in PKCS#11 
waters in OpenSSH (choosing a single key from a card -- alternative to 
IdentityFile, using p11kit, ...), though it would need some work to 
implement in OpenSSH, but as I can observe, PKCS#11 is not the biggest 
priority. Though I am having a look into that.

[1] https://tools.ietf.org/html/rfc7512

Regards,

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
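The two mechanisms discussed in the thread above (a PIN file named by SSH_PKCS11_PINFILE in the patch, and the RFC 7512 pin-source query attribute Jakub points to) as an added Python example that is not OpenSSH code and not from any participant: a minimal PKCS#11 URI parser that splits path and query attributes, percent-decodes them, and resolves pin-source when it is a file: URI. The attribute names come from RFC 7512; the token name, module path and PIN file path in the sample URI are constructed placeholders, and treating pin-value alongside pin-source as a conflict, restricting pin-source to file:, and refusing a PIN file readable by group or others are choices made in this example, not requirements stated in the thread.

```python
"""Minimal RFC 7512 PKCS#11 URI parser (added example, not OpenSSH code)."""
import os
from typing import Callable, Dict, Optional
from urllib.parse import unquote_to_bytes

# Attribute names from RFC 7512: path attributes (section 2.3) select the
# token/object, query attributes (section 2.4) say how to reach and unlock it.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


class PKCS11URIError(ValueError):
    """Raised for a URI this parser will not act on."""


def _parse_attrs(segment: str, sep: str, allowed: set) -> Dict[str, bytes]:
    attrs: Dict[str, bytes] = {}
    if not segment:
        return attrs
    for part in segment.split(sep):
        if "=" not in part:
            raise PKCS11URIError(f"attribute without '=': {part!r}")
        name, _, value = part.partition("=")
        if name not in allowed:
            # RFC 7512 permits vendor attributes; a client that does not
            # understand one should refuse rather than guess (policy here).
            raise PKCS11URIError(f"unknown attribute {name!r}")
        if name in attrs:
            raise PKCS11URIError(f"duplicate attribute {name!r}")
        # Percent-decode to bytes: 'id' is raw CKA_ID bytes, the rest UTF-8.
        attrs[name] = unquote_to_bytes(value)
    return attrs


def parse_pkcs11_uri(uri: str) -> Dict[str, Dict[str, bytes]]:
    """Split a pkcs11: URI into its path and query attribute maps."""
    if not uri.startswith("pkcs11:"):
        raise PKCS11URIError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    path_attrs = _parse_attrs(path, ";", PATH_ATTRS)
    query_attrs = _parse_attrs(query, "&", QUERY_ATTRS)
    if "pin-value" in query_attrs and "pin-source" in query_attrs:
        # Choice made in this example: two PIN sources is a configuration error.
        raise PKCS11URIError("pin-value and pin-source both present")
    return {"path": path_attrs, "query": query_attrs}


def validate(uri: str) -> Optional[str]:
    """Return None if the URI parses, otherwise the reason it was rejected."""
    try:
        parse_pkcs11_uri(uri)
    except PKCS11URIError as exc:
        return str(exc)
    return None


def _read_pin_file(path: str) -> bytes:
    """Default pin-source reader: like an SSH identity file, require mode 0600."""
    if os.stat(path).st_mode & 0o077:
        raise PKCS11URIError(f"PIN file {path!r} is readable by group/others")
    with open(path, "rb") as fh:
        return fh.read()


def resolve_pin(query_attrs: Dict[str, bytes],
                read_file: Callable[[str], bytes] = _read_pin_file) -> Optional[bytes]:
    """Return the PIN bytes, or None when the token must prompt for it."""
    if "pin-value" in query_attrs:
        return query_attrs["pin-value"]
    src = query_attrs.get("pin-source")
    if src is None:
        return None
    src_str = src.decode("utf-8")
    # Only file: sources are handled in this example; RFC 7512 leaves other
    # pin-source forms implementation-specific.
    if not src_str.startswith("file:"):
        raise PKCS11URIError(f"unsupported pin-source {src_str!r}")
    return read_file(src_str[len("file:"):]).rstrip(b"\r\n")


# Constructed sample URI: token name, module path and PIN file are placeholders.
SAMPLE_URI = ("pkcs11:token=Example%20HSM;object=ssh-key;id=%01%02;type=private"
              "?module-path=/usr/lib/libpkcs11-example.so"
              "&pin-source=file:/etc/ssh/hsm.pin")

if __name__ == "__main__":
    parsed = parse_pkcs11_uri(SAMPLE_URI)
    print("token:", parsed["path"]["token"].decode())
    print("pin file:", parsed["query"]["pin-source"].decode())
```

A pin-value attribute puts the PIN into the URI itself, where it shows up in process listings, shell history and ssh_config; pin-source pointing at a mode-0600 file keeps it out of those places, which is the same property the SSH_PKCS11_PINFILE patch is after, without adding a second mechanism.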
