PKCS#11 URIs in OpenSSH

Jakub Jelen jjelen at
Tue Jun 13 23:04:51 AEST 2017

On 04/24/2017 02:26 PM, Jakub Jelen wrote:
> Hello all,
> as PKCS#11 URI became standard (RFC 7512), it would be good to be able 
> to specify the keys using this notation in openssh.
> So far I implemented the minimal subset of this standard, allowing one to
> specify the URI for the ssh tool, in ssh_config and to work with 
> ssh-agent. It does not bring any new dependency, provides unit and 
> regress tests (while fixing agent-pkcs11 regress test).
> The code is on github and ready for comments/reviews (some details will 
> need to be adjusted):
> I will file a bugzilla later. I would be grateful for your ideas, 
> comments or reviews for this feature.
> Other useful parts of the RFC that could be implemented would be a way to 
> provide a PIN or a PIN source for the token, other ways of providing 
> module-path (module-name).
> Regards,

Hello all,
I fixed one issue and added a configure option to pick up the default 
p11-kit-proxy path from pkg-config instead of a hardcoded value.

Did anyone have time to review this change? Are you interested in this 


Jakub Jelen
Software Engineer
Security Technologies
Red Hat
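
The following is an added illustration, not part of the original message and not code from the patch it describes: a small C parser for the RFC 7512 notation discussed in this thread, which separates path attributes (such as `token`, `object`, `id`) from query attributes (such as `module-path`, `pin-source`) and percent-decodes the value. The names `pct_decode` and `p11_uri_attr` and the return-code convention are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-decode v[0..n) into dst; returns length, -1 on bad escape or overflow. */
static long pct_decode(const char *v, size_t n, unsigned char *dst, size_t cap)
{
    size_t i, o = 0;
    unsigned int c;
    for (i = 0; i < n; i++, o++) {
        c = (unsigned char)v[i];
        if (c == '%') {
            if (i + 2 >= n || !isxdigit((unsigned char)v[i + 1]) ||
                !isxdigit((unsigned char)v[i + 2]) || sscanf(v + i + 1, "%2x", &c) != 1)
                return -1;
            i += 2;
        }
        if (o >= cap)
            return -1;
        dst[o] = (unsigned char)c;
    }
    return (long)o;
}

/* Hypothetical helper: decode attribute `name` from the ';'-separated path
 * (query == 0) or from the '&'-separated query part after '?' (query == 1).
 * Returns the value length, -1 if malformed or duplicated, -2 if absent. */
long p11_uri_attr(const char *uri, const char *name, int query, unsigned char *out, size_t cap)
{
    const char *p, *end, *stop, *eq;
    long len = -2;
    if (strncmp(uri, "pkcs11:", 7) != 0)
        return -1;
    p = uri + 7;
    stop = p + strcspn(p, "?");              /* end of the path component */
    if (query) {                             /* query runs from '?' to the end */
        p = *stop ? stop + 1 : stop;
        stop = p + strlen(p);
    }
    for (; p < stop; p = end + 1) {
        end = p + strcspn(p, query ? "&" : ";?");
        if ((eq = memchr(p, '=', (size_t)(end - p))) == NULL)
            return -1;                       /* every attribute is name=value */
        if (strncmp(p, name, (size_t)(eq - p)) != 0 || name[eq - p] != '\0')
            continue;
        if (len != -2 || (len = pct_decode(eq + 1, (size_t)(end - eq - 1), out, cap)) < 0)
            return -1;
    }
    return len;
}
```

For the constructed URI `pkcs11:token=My%20Token;object=ssh-key;id=%01%00%ff?module-path=/usr/lib/example-pkcs11.so`, looking up `id` in the path yields the three bytes 01 00 ff, and `module-path` is found only when the query part is searched. The output buffer is not NUL-terminated, because a decoded `id` may legitimately contain zero bytes.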
