[PATCH] sshd: Add pkcs11 support for HostKey.

Maxime Rey maximejeanrey at gmail.com
Mon Sep 23 17:27:09 AEST 2024


Hello,

OpenSSH supports PKCS#11 on the client side, but that does not extend to
the server side. I would like to bring PKCS#11 support to sshd.

I am working on embedded Linux systems with integrated HSM. The sshd
host key is stored on the HSM. To have sshd using that key, we rely on
the following chain:

sshd -> OpenSSL -> OpenSSL Engine -> HSM

Having PKCS#11 support in sshd would reduce it to:

sshd -> PKCS#11 Library -> HSM

This patch extends sshd so that HostKeys can also be PKCS#11 URIs, as
defined by RFC 7512 [1]. Those URIs are parsed using p11-kit [2], which
is added as an optional dependency to OpenSSH. If that is a
show-stopper, URIs could also be parsed directly in OpenSSH, but that
would involve lengthy parsing functions. One can then have a
configuration that looks like:

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey pkcs11:object=ssh_host_rsa_key?module-path=/usr/lib/my-pkcs11.so

The rest of the patch relies on the existing infrastructure for dealing
with PKCS#11 that is already used in the client, ssh-agent and so on.
Follow-ups could extend sshd PKCS#11 support to the Diffie-Hellman key
exchange and random number generation.

Any feedback is welcome :)

Thank you for your time and consideration.

Best regards,
Maxime Rey

[1]: https://www.rfc-editor.org/rfc/rfc7512.html
[2]: https://p11-glue.github.io/p11-glue/p11-kit.html
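Added example, not part of the patch or of OpenSSH: a minimal RFC 7512 parser in C for the HostKey URI form quoted above, showing what parsing directly, without p11-kit's URI parser, would involve. All names (p11_uri_parse, p11_uri_get, P11_MAX_ATTRS) are hypothetical; it splits the ';'-separated path attributes from the '&'-separated query attributes, percent-decodes values, and rejects repeated keys, so a plain file path such as /etc/ssh/ssh_host_ecdsa_key is cleanly distinguished from a pkcs11: URI.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define P11_MAX_ATTRS 8
struct p11_attr { char key[32]; char val[256]; int in_query; }; /* in_query: given after '?' */
struct p11_uri { struct p11_attr attr[P11_MAX_ATTRS]; int n; };
/* Decode percent-escapes in place; -1 on a truncated or non-hex escape such as "%G1". */
static int pct_decode(char *s) {
	char *w = s, hex[3] = {0};
	for (; *s != '\0'; s++, w++) {
		if (*s != '%') { *w = *s; continue; }
		if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return -1;
		hex[0] = s[1]; hex[1] = s[2]; *w = (char)strtol(hex, NULL, 16); s += 2;
	}
	*w = '\0';
	return 0;
}
/* Append "k=v<sep>k=v..." to u; rejects a missing '=', empty/oversize parts and repeated keys. */
static int parse_attrs(const char *s, char sep, int in_query, struct p11_uri *u) {
	while (*s != '\0') {
		struct p11_attr *a = &u->attr[u->n];
		const char *end = strchr(s, sep), *eq;
		size_t len = end ? (size_t)(end - s) : strlen(s), klen;
		if (u->n >= P11_MAX_ATTRS || (eq = memchr(s, '=', len)) == NULL) return -1;
		if ((klen = (size_t)(eq - s)) == 0 || klen >= sizeof a->key || len - klen - 1 >= sizeof a->val) return -1;
		memcpy(a->key, s, klen); a->key[klen] = '\0';
		memcpy(a->val, eq + 1, len - klen - 1); a->val[len - klen - 1] = '\0';
		if (pct_decode(a->val) < 0) return -1;
		for (int i = 0; i < u->n; i++) if (strcmp(u->attr[i].key, a->key) == 0) return -1;
		a->in_query = in_query; u->n++;
		s = end ? end + 1 : s + len;
	}
	return 0;
}
/* Parse a pkcs11: URI (RFC 7512: ';'-separated path attrs, optional '?' and '&'-separated query attrs). */
int p11_uri_parse(const char *uri, struct p11_uri *u) {
	char buf[1024], *q;
	memset(u, 0, sizeof *u);
	if (strncmp(uri, "pkcs11:", 7) != 0 || strlen(uri) >= sizeof buf) return -1; /* e.g. a plain file path */
	strcpy(buf, uri + 7);
	if ((q = strchr(buf, '?')) != NULL) *q++ = '\0';
	if (parse_attrs(buf, ';', 0, u) < 0) return -1;
	return (q != NULL && parse_attrs(q, '&', 1, u) < 0) ? -1 : 0;
}
/* Look up an attribute by name in either component; NULL if absent. */
const char *p11_uri_get(const struct p11_uri *u, const char *key) {
	for (int i = 0; i < u->n; i++) if (strcmp(u->attr[i].key, key) == 0) return u->attr[i].val;
	return NULL;
}
```

A HostKey loader would call p11_uri_parse() first and fall back to the file-path code path when it returns -1 for a non-pkcs11: string; the attributes it needs (object, module-path, token, id) are then read with p11_uri_get().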
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-sshd-Add-pkcs11-support-for-HostKey.patch
Type: text/x-diff
Size: 24848 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240923/97296c39/attachment-0001.bin>