[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Nov 22 01:05:59 AEDT 2016


Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Jakub Jelen
Sent: Monday, November 21, 2016 03:07
To: Juha-Matti Tapio; openssh-unix-dev at mindrot.org
Subject: Re: [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

On 11/16/2016 10:31 AM, Juha-Matti Tapio wrote:
> Some HSM's such as Safenet Network HSM do not allow searching for keys
> unauthenticated. To support such devices provide a mechanism for users
> to provide a pin code that is always used to automatically log in to
> the HSM when using PKCS11.
> The pin code is read from a file specified by the environment variable
> SSH_PKCS11_PINFILE if it is set.
Don't we have PKCS#11 URI [1] to handle this? Without re-inventing wheel 
again? Wider implemenation would solve also other pains in PKCS#11 
waters in OpenSSH (choosing single key from a card -- alternative to 
IdentityFile, using p11kit, ...), though it would need some work to 
implement in OpenSSH, but as I can observe, PKCS#11 is not a biggest 
priority. Though I am having a look into that.

[1] https://tools.ietf.org/html/rfc7512


Jakub Jelen
Software Engineer
Security Technologies
Red Hat

openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4350 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161121/d2778133/attachment.bin>

More information about the openssh-unix-dev mailing list