PKCS#11 URIs in OpenSSH
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Tue Apr 25 03:37:40 AEST 2017
PKCS11 URI support is a very good thing to add.
I’d like the PRs separated – e.g., one for PKCS11 URI, and one for ALWAYS_AUTHENTICATE.
—
Regards,
Uri
On 4/24/17, 8:26 AM, "openssh-unix-dev on behalf of Jakub Jelen" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jjelen at redhat.com> wrote:
Hello all,
as PKCS#11 URI became a standard (RFC 7512), it would be good to be able
to specify the keys using this notation in openssh.
So far I implemented the minimal subset of this standard allowing one to
specify the URI for the ssh tool, in ssh_config and to work with
ssh-agent. It does not bring any new dependency, provides unit and
regress tests (while fixing agent-pkcs11 regress test).
The code is on github and ready for comments/reviews (some details will
need to be adjusted):
https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11
I will file a bugzilla later. I would be grateful for your ideas,
comments or reviews for this feature.
Other useful parts of the RFC that could be implemented would be a way to
provide a PIN or a PIN source for the token, and other ways of providing
module-path (module-name).
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
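
The URI notation discussed in this thread (RFC 7512), as an added example that is not part of the messages or of the linked OpenSSH branch: a C lookup of one attribute from the path or query part of a `pkcs11:` URI, with percent-decoding and bounds checks. The function names, the sample URI and its module path are constructed for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not from the page): binary id, PIN embedded in the URI. */
const char SAMPLE_URI[] = "pkcs11:token=My%20Token;id=%01%00%02"
                          "?module-path=/usr/lib/example-pkcs11.so&pin-value=1234";

/* Percent-decode v[0..n) into out and NUL-terminate it. Returns the decoded length
 * (binary values such as id may contain zero bytes) or -1 on bad escape/overflow. */
static int pct_decode(const char *v, size_t n, unsigned char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == '%') {
            char hex[3] = { 0 };
            if (n - i < 3 || !isxdigit((unsigned char)v[i + 1]) ||
                !isxdigit((unsigned char)v[i + 2])) return -1;
            memcpy(hex, v + i + 1, 2);
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (o + 1 >= cap) return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Decode attribute `key` from the path part (query=0, ';'-separated) or the query
 * part (query=1, '&'-separated after '?'). Returns the decoded length, -1 if the
 * URI is malformed, -2 if the attribute is absent. */
int p11_uri_attr(const char *uri, const char *key, int query,
                 unsigned char *out, size_t cap) {
    size_t klen = strlen(key);
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *p = uri + 7;
    if (query && (p = strchr(p, '?')) == NULL) return -2;
    if (query) p++;
    while (*p && (query || *p != '?')) {
        size_t len = strcspn(p, query ? "&" : ";?");
        if (len > klen && p[klen] == '=' && memcmp(p, key, klen) == 0)
            return pct_decode(p + klen + 1, len - klen - 1, out, cap);
        p += len;
        if (*p == ';' || *p == '&') p++;
    }
    return -2;
}
```

A caller can use the -2 return to tell whether `pin-value` or `pin-source` is present in the query part before deciding how to obtain the PIN.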