On Thu, 2017-01-12 at 16:43 +0100, David Woodhouse wrote:
> On Thu, 2017-01-12 at 07:40 -0800, James Bottomley wrote:
> > On Thu, 2017-01-12 at 13:06 +0100, Stef Walter wrote:
> > > The thing is we'd like to get out of the business of doing SSH stuff
> > > in gnome-keyring itself:
> > > https://bugzilla.gnome.org/show_bug.cgi?id=775981
> > > If the above were implemented would it solve your use case?
> >
> > Not really. Unfortunately ssh-agent doesn't have a back end store, so
> > it insists on having the private keys passed in by ssh-add (which
> > ssh-agent does by the component primes). This basically makes
> > ssh-agent incompatible with any hardware based key. That's not to say
> > it can't be fixed, but the reason gnome-keyring was the number one
> > target for this is because the architecture makes it easy.
>
> But ssh-agent does support PKCS#11, so it *can* cope with the concept
> of calling an external API and not actually having the component primes
> locally...
Well, reading the code made my eyes bleed. OpenSSH uses OpenSSL, but for PKCS#11, instead of using the engine code, it basically hijacks the EVP_PKEY and installs its own private PKCS#11 methods. My first thought was "well, if it does that, why not simply expand ssh-agent to use any SSL engine?" and the second was "that's a lot of effort" ... It's like we have all these crypto-using tools, but they either didn't like or didn't understand the generic ways of doing stuff, so they all installed their own separate (but usually different) hacks for a specific purpose.

James