PKCS#11 ECDSA support
Damien Miller
djm at mindrot.org
Mon Jan 21 16:36:47 AEDT 2019
On Mon, 21 Jan 2019, Damien Miller wrote:
> Hi,
>
> Markus Friedl has added PKCS#11 support for ECDSA keys to OpenSSH. It's
> available in OpenBSD and the portable version and includes a regress
> test against softhsm2.
>
> https://anongit.mindrot.org/openssh.git/commit/?id=93f02107 (and subsequent)
>
> I've used it successfully with a Yubikey 4 using RSA2048, ECCP256 and
> ECCP384 keys.
BTW, here is the script that I used to set up the keys in my Yubikey 4.
AFAIK only slot "9a" works for SSH authentication.
If you're gullible enough to take advice on how to configure a token
from me, then you should also at least first reset the PIN/PUK/management
keys from their defaults as described at
https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
-d
#!/bin/sh
# Generate a PIV key on the Yubikey and self-sign a certificate for it.
SLOT=9a                     # PIV authentication slot; the only one found to work for SSH
#ALG=RSA2048
#ALG=ECCP256
ALG=ECCP384
NOW=$(date "+%Y%m%dT%H%M%S")
PUBKEY=$HOME/yubikey-$SLOT-$ALG-$NOW.pem   # ykman writes the public key here (PEM)
SUBJECT="/CN=djm portable y4/"
DAYS=3560
set -xe
# The private key is generated on the token and never leaves it; PIN is
# required once per session, touch is cached for a short time after use.
ykman piv generate-key \
    -a $ALG \
    --pin-policy=ONCE \
    --touch-policy=CACHED \
    $SLOT "$PUBKEY"
ykman piv generate-certificate -s "$SUBJECT" -d $DAYS $SLOT "$PUBKEY"
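As an added example (not part of the post, OpenSSH or ykman), the following Python converts the PEM public key the script writes to $PUBKEY into an OpenSSH authorized_keys line and prints its SHA256 fingerprint, the same conversion `ssh-keygen -i -m PKCS8 -f $PUBKEY` performs; this lets the key the token later presents through the PKCS#11 provider (`ssh-keygen -D`) be checked against the one generated on it. It uses only the standard library; the sample input is a constructed SubjectPublicKeyInfo around a dummy point that is not on the curve, for offline format checks only.

```python
import base64
import hashlib
import struct

# id-ecPublicKey plus the curve OIDs behind ykman's ECCP256 / ECCP384 algorithms.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): ("ecdsa-sha2-nistp256", "nistp256"),
    bytes.fromhex("2b81040022"): ("ecdsa-sha2-nistp384", "nistp384"),
}

def _tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _ssh_string(b):  # SSH wire "string": 4-byte big-endian length prefix
    return struct.pack(">I", len(b)) + b

def pem_to_openssh(pem, comment=""):
    """SubjectPublicKeyInfo PEM (as ykman writes it) -> authorized_keys line."""
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    tag, spki, _ = _tlv(base64.b64decode(body), 0)
    assert tag == 0x30, "expected SubjectPublicKeyInfo SEQUENCE"
    _, algid, pos = _tlv(spki, 0)                   # AlgorithmIdentifier
    tag, keytype, p = _tlv(algid, 0)
    assert tag == 0x06 and keytype == OID_EC_PUBLIC_KEY, "not an EC public key"
    _, curve_oid, _ = _tlv(algid, p)
    tag, bits, _ = _tlv(spki, pos)                  # BIT STRING holding the point
    point = bits[1:]                                # drop the unused-bits byte
    assert tag == 0x03 and point[0] == 0x04, "expected uncompressed EC point"
    ktype, curve = CURVES[curve_oid]                # KeyError: unsupported curve
    blob = _ssh_string(ktype.encode()) + _ssh_string(curve.encode()) + _ssh_string(point)
    return f"{ktype} {base64.b64encode(blob).decode()}" + (f" {comment}" if comment else "")

def fingerprint(line):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints, for comparing sources."""
    blob = base64.b64decode(line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def constructed_sample_pem(curve_oid, coord_len):
    """CONSTRUCTED test input: dummy point NOT on the curve, valid for format checks only."""
    der = lambda tag, v: bytes([tag, len(v)]) + v   # short-form DER lengths suffice here
    point = b"\x04" + bytes(range(1, coord_len + 1)) + bytes(range(coord_len, 0, -1))
    spki = der(0x30, der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, curve_oid))
               + der(0x03, b"\x00" + point))
    b64 = base64.b64encode(spki).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END PUBLIC KEY-----\n"
```

Run it on the real $PUBKEY file with `pem_to_openssh(open(path).read(), "yubikey-9a")` and compare `fingerprint()` of the result with `ssh-keygen -l` on the key listed by `ssh-keygen -D`; a mismatch means the provider is presenting a different key than the one generated.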