PKCS#11 URIs in OpenSSH
jjelen at redhat.com
Wed Sep 13 23:00:59 AEST 2017
On Mon, 2017-04-24 at 14:26 +0200, Jakub Jelen wrote:
> Hello all,
> as the PKCS#11 URI became a standard (RFC 7512), it would be good to be able
> to specify the keys using this notation in openssh.
> So far I implemented the minimal subset of this standard, allowing one to
> specify the URI for the ssh tool, in ssh_config and to work with
> ssh-agent. It does not bring any new dependency, provides unit and
> regress tests (while fixing agent-pkcs11 regress test).
> The code is on github and ready for comments/reviews (some details
> need to be adjusted):
> I will file a bugzilla later. I would be grateful for your ideas,
> comments or reviews for this feature.
> Other useful parts of the RFC that could be implemented would be a way to
> provide a PIN or a PIN source for the token, and other ways of providing the
> module-path (module-name).
The commit set was updated with resolved issues reported by other users
and made compatible with OpenSSL 1.1.0 to be able to build on my
At this time, it is probably the only way we can instruct OpenSSH
to use only a specific key from the PKCS#11 module instead of sending
all the keys to the server.
Feel free to comment or propose improvements. It also opens a way for
more improvements in the PKCS#11 support, which I am willing to help
with too, if there is interest (ECDSA #2474).
Red Hat, Inc.
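As an added illustration (not code from this thread, nor from the commit set Jakub describes), the block below is a small Python parser for the RFC 7512 `pkcs11:` URI syntax together with a selector that applies the URI's path attributes to a constructed list of token objects. It shows the point the message makes about key selection: a bare `pkcs11:` URI constrains nothing and matches every object on the token (the "all the keys" behaviour), while adding `token`, `id`, `object` or `type` narrows the match to one key. The token label, object labels, CKA_ID bytes and module path in the sample data are constructed for the example; the attribute names and the percent-encoding rules come from RFC 7512. The `pin-value` query attribute is parsed because the RFC defines it, but a PIN written into a URI in a config file is readable by anyone who can read that file, so `pin-source` (or an interactive prompt) is the safer option in practice.

```python
"""RFC 7512 PKCS#11 URI parsing and key selection (example code, hypothetical)."""
from urllib.parse import unquote_to_bytes

URI_SCHEME = "pkcs11:"

# Path attributes defined by RFC 7512 section 2.3 (vendor attributes are also
# allowed by the RFC; this example accepts them but does not interpret them).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
# Query attributes defined by RFC 7512 section 2.4.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _split_attrs(part, sep, known):
    """Split 'name=value<sep>name=value' into a dict, percent-decoding values.

    RFC 7512: every non-vendor attribute may appear at most once, and the
    'id' attribute carries raw CKA_ID bytes, so it is kept as bytes.
    """
    attrs = {}
    for component in filter(None, part.split(sep)):
        name, eq, value = component.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute: {component!r}")
        if name in attrs and name in known:
            raise ValueError(f"duplicate attribute: {name}")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} for an RFC 7512 URI."""
    if not uri.startswith(URI_SCHEME):
        raise ValueError("not a pkcs11: URI")
    # Path attributes are ';'-separated; the optional query after '?' uses '&'.
    path_part, _, query_part = uri[len(URI_SCHEME):].partition("?")
    return {
        "path": _split_attrs(path_part, ";", PATH_ATTRS),
        "query": _split_attrs(query_part, "&", QUERY_ATTRS),
    }


def select_keys(uri, objects):
    """Return the token objects matching every path attribute in the URI.

    An attribute absent from the URI constrains nothing, so 'pkcs11:' alone
    matches all objects; each added attribute narrows the selection.
    """
    wanted = parse_pkcs11_uri(uri)["path"]
    return [obj for obj in objects
            if all(obj.get(name) == value for name, value in wanted.items())]


# Constructed sample inventory standing in for what a module would enumerate
# (labels, CKA_ID values and token name are invented for this example).
SAMPLE_OBJECTS = [
    {"token": "My Token", "id": b"\x01", "object": "ssh-rsa-key", "type": "private"},
    {"token": "My Token", "id": b"\x01", "object": "ssh-rsa-key", "type": "public"},
    {"token": "My Token", "id": b"\x02", "object": "ssh-ecdsa-key", "type": "private"},
    {"token": "Other", "id": b"\x01", "object": "ssh-rsa-key", "type": "private"},
]


if __name__ == "__main__":
    # Hypothetical module path; use the path of your real PKCS#11 module.
    everything = "pkcs11:?module-path=/usr/lib64/example-pkcs11.so"
    one_key = "pkcs11:token=My%20Token;id=%02;type=private?module-path=/usr/lib64/example-pkcs11.so"
    print("bare URI matches:", [o["object"] + "/" + o["type"] for o in select_keys(everything, SAMPLE_OBJECTS)])
    print("narrowed URI matches:", [o["object"] + "/" + o["type"] for o in select_keys(one_key, SAMPLE_OBJECTS)])
```

`select_keys` deliberately treats the query part (`module-path`, `pin-value`, ...) as instructions for loading the module rather than as match criteria, which is how RFC 7512 separates the two halves of the URI.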