HostKey in hardware?
Damien Miller
djm at mindrot.org
Fri Dec 14 16:23:50 EST 2012
On Wed, 12 Dec 2012, andrew cooke wrote:
>
> Hi,
>
> I have a client interested in using this patch and would appreciate help +
> advice on the best way to move forwards.
>
> My impression is that you're still thinking about the details (PIN etc) and so
> this is not in trunk? And even if it were in trunk, it would be for the
> FreeBSD repo, which would then need porting (client on CentOS)? I imagine
> that's too far away to guesstimate a timeline?
I'm looking into rewriting it to use ssh-agent in sshd for keys rather than
loading PKCS#11 providers directly. I'd like to get this done before the
6.2 release due early next year, but I can't promise anything.
> So I guess that the only thing I can offer my client now is to move the patch
> you provided across to CentOS myself and give them a custom patch / openssh
> source.
Yes.
> Apart from the maintenance issues that would imply (which my client can worry
> about), what is your opinion of this approach (my client is already reading
> this thread)? The change seemed fairly simple to me, but I am no expert.
It's up to you and your client to qualify any change. Personally, I'd be
comfortable running that patch if my host had only a single token with a
single key attached.
-d