PKCS#11 URIs in OpenSSH

Jakub Jelen jjelen at redhat.com
Tue Jun 13 23:04:51 AEST 2017


On 04/24/2017 02:26 PM, Jakub Jelen wrote:
> Hello all,
> as PKCS#11 URI became standard (RFC 7512), it would be good to be able 
> to specify the keys using this notation in openssh.
> 
> So far I implemented the minimal subset of this standard allowing to 
> specify the URI for the ssh tool, in ssh_config and to work with 
> ssh-agent. It does not bring any new dependency, provides unit and 
> regress tests (while fixing agent-pkcs11 regress test).
> 
> The code is on github and ready for comments/reviews (some details will 
> need to be adjusted):
> 
> https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11 
> 
> 
> I will file a bugzilla later. I would be grateful for your ideas, 
> comments or reviews for this feature.
> 
> Other useful parts of RFC, that could be implemented would be a way to 
> provide a PIN or a PIN source for the token, other ways of providing 
> module-path (module-name).
> 
> Regards,

Hello all,
I fixed one issue and added a configure option to pick up the default 
p11-kit-proxy path from pkg-config instead of a hardcoded value.

https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11

Did anyone have time to review this change? Are you interested in this 
feature?

Regards,

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
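
The RFC 7512 notation discussed in this message, as an added example that is not taken from the patch or from OpenSSH: a lookup routine that pulls one attribute out of a `pkcs11:` URI and percent-decodes it, keeping path attributes (`;`-separated) apart from query attributes such as `module-path` (`&`-separated after `?`). The names `pct_decode` and `p11_uri_get` and the sample URI are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode v[0..n) into dst (at most cap bytes); length or -1. */
static int pct_decode(const char *v, size_t n, void *dst, size_t cap)
{
    unsigned char *out = dst;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        char hex[3] = { 0 };
        if (o >= cap) return -1;                /* value does not fit */
        if (v[i] != '%') { out[o++] = (unsigned char)v[i]; continue; }
        if (n - i < 3) return -1;               /* truncated escape */
        memcpy(hex, v + i + 1, 2);
        if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1]))
            return -1;                          /* non-hex escape */
        out[o++] = (unsigned char)strtoul(hex, NULL, 16);
        i += 2;
    }
    return (int)o;
}

/* Decode attribute `key` from the path part (query=0, ';'-separated) or query
 * part (query=1, '&' after '?'). Returns length, -1 if malformed, -2 if absent. */
int p11_uri_get(const char *uri, const char *key, int query, void *dst, size_t cap)
{
    size_t klen = strlen(key);
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *p = uri + 7;
    if (query && !(p = strchr(p, '?'))) return -2;
    if (query) p++;
    for (;;) {
        size_t alen = strcspn(p, query ? "&" : ";?");
        if (alen > klen && p[klen] == '=' && memcmp(p, key, klen) == 0)
            return pct_decode(p + klen + 1, alen - klen - 1, dst, cap);
        p += alen;
        if (*p++ != (query ? '&' : ';')) return -2;   /* end of this part */
    }
}

int main(void)
{
    unsigned char id[32];   /* constructed sample URI below */
    int n = p11_uri_get("pkcs11:token=My%20Token;id=%01%AB", "id", 0, id, sizeof id);
    for (int i = 0; i < n; i++) printf("%02x", id[i]);
    return n < 0;
}
```

The `id` value is binary, so the result is a length rather than a C string; for text attributes pass `sizeof buf - 1` as `cap` and terminate the buffer at the returned length.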

