PKCS#11 ECDSA support

Damien Miller djm at
Mon Jan 21 16:36:47 AEDT 2019

On Mon, 21 Jan 2019, Damien Miller wrote:

> Hi,
> Markus Friedl has added PKCS#11 support for ECDSA keys to OpenSSH. It's
> available in OpenBSD and the portable version and includes a regress
> test against softhsm2.
> (and subsequent)
> I've used it successfully with a Yubikey 4 using RSA2048, ECCP256 and
> ECCP384 keys.

BTW, here is the script that I used to set up the keys in my Yubikey 4.
AFAIK only slot "9a" works for SSH authentication.

If you're gullible enough to take advice on how to configure a token
from me, then you should also at least first reset the PIN/PUK/management
keys from their defaults as described at

-------------- next part --------------



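# ALG, SLOT, DAYS and PUBKEY are not assigned in the archived copy of this
# script; set them in the environment before running it.
: "${ALG:?}" "${SLOT:?}" "${DAYS:?}" "${PUBKEY:?}"
NOW=$(date "+%Y%m%dT%H%M%S")
SUBJECT="/CN=djm portable y4/"

set -xe

# Generate the key pair on the token and write the public key to $PUBKEY.
ykman piv generate-key \
	-a "$ALG" \
	--pin-policy=ONCE \
	--touch-policy=CACHED \
	"$SLOT" "$PUBKEY"
# Create a self-signed certificate for that key in the same slot.
ykman piv generate-certificate -s "$SUBJECT" -d "$DAYS" "$SLOT" "$PUBKEY"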
