Created attachment 3442
Logs that show detailed output of each command with cryptoki log and dmesg.

Steps to Reproduce:
1. Install OpenSSH.
2. Install SafeNet LunaClient and set up NTLS.
3. Generate Ed25519 and RSA keys using the SafeNet ckdemo utility.
4. Run the commands below:
   a.) eval `ssh-agent -P "/usr/safenet/lunaclient/lib/*" -s`
   b.) ssh-add -s /usr/safenet/lunaclient/lib/libcklog2.so
   c.) ssh-add -l

Actual Output:
2048 SHA256:r/7tkup1Bb76UDVgs5GDfTDvKpTVhhM0SWNY+Mja2Xg Generated RSA Public Key (RSA)

Expected Output:
Both the RSA and the Ed25519 key should be listed.

5. Create an Ed25519 key on the HSM using the ssh-keygen command:
   ssh-keygen -t ed25519 -D /usr/safenet/lunaclient/lib/libcklog2.so

Actual Output:
Enter PIN for 'ranjan':
skipping unsupported key type
failed to fetch key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTt5YbM8CVbfAhjhu5QeQJ/P8To47dWjw2oeb2lRycZkW/UmgRdT+wd/i1nqwMaiPhNHW40ivI90ta2KFNGfx+hQAXgFn+UWpFeTDsHbvSCnO0vQh4s8EHPw89Fr4Sl9NXgTZNIbzEOjE7KiPy85zmoBY8rr06jhA4xK7ig3Bq6zkj9AoW/H+ph+F7v3uyeaJVqNbD3SjMbdf8kt9UAlQczHtKdaJm/akH5HlWa38+wDwQsTAnFvbSmiM6/nYcD8f5PA1/tCr5JdsrhhLplYIrfh3Xf/ZBAubYESKeOy1QNR3U4TXSklPVrkPPlx7qpynMS1emVgzen2Fonkga8V4t Generated RSA Public Key

Expected Output:
An Ed25519 key should be generated.
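An added check (my example, not code from the bug report or from OpenSSH) that decodes the public-key blob `ssh-keygen -D` printed above and reports its algorithm, key size and OpenSSH-style SHA256 fingerprint, so it is unambiguous which key type the PKCS#11 provider actually exposed; the Ed25519 blob and the `ssh-add -l` lines in the test are constructed samples, not output from the reporter's HSM.

```python
import base64
import hashlib
import struct

# Blob returned by `ssh-keygen -D libcklog2.so` in the report above: the
# provider handed back the RSA key instead of the requested Ed25519 key.
RSA_BLOB_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCTt5YbM8CVbfAhjhu5QeQJ/P8To47dWjw2oeb2lRycZkW/"
    "UmgRdT+wd/i1nqwMaiPhNHW40ivI90ta2KFNGfx+hQAXgFn+UWpFeTDsHbvSCnO0vQh4s8EHPw89"
    "Fr4Sl9NXgTZNIbzEOjE7KiPy85zmoBY8rr06jhA4xK7ig3Bq6zkj9AoW/H+ph+F7v3uyeaJVqNbD"
    "3SjMbdf8kt9UAlQczHtKdaJm/akH5HlWa38+wDwQsTAnFvbSmiM6/nYcD8f5PA1/tCr5JdsrhhLp"
    "lYIrfh3Xf/ZBAubYESKeOy1QNR3U4TXSklPVrkPPlx7qpynMS1emVgzen2Fonkga8V4t"
)


def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def describe_blob(b64):
    """Decode a base64 OpenSSH public-key blob into type, bit size and fingerprint."""
    blob = base64.b64decode(b64)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":            # RFC 4253: string "ssh-rsa", mpint e, mpint n
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-ed25519":      # RFC 8709: string "ssh-ed25519", string key (32 bytes)
        pub, off = _read_string(blob, off)
        bits = len(pub) * 8
    else:
        raise ValueError(f"unsupported key type {ktype}")
    # OpenSSH prints the SHA256 fingerprint as unpadded base64 of the digest of the blob.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "fingerprint": "SHA256:" + fp}


def make_ed25519_blob(pub32):
    """Build the wire blob of an ssh-ed25519 public key (for a constructed sample)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(pub32)).decode()


def lists_ed25519(ssh_add_output):
    """True if any line of `ssh-add -l` output names an ED25519 key."""
    return any(line.rstrip().endswith("(ED25519)") for line in ssh_add_output.splitlines())
```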
The support for Ed25519 keys is very fresh in PKCS #11, so not even all PKCS #11 libraries have caught up. But as we have RSA and ECDSA, adding Ed25519 should not be that hard. I would like to have a look into that eventually.
Thanks Jakub. We have many customers who want to use Ed25519, so can you please tell us when we can expect support for this to be available?
OpenSSH won't implement this until we have some way to test, preferably both hardware and a software (softhsm or similar) target to test against.
(In reply to Damien Miller from comment #3)
> OpenSSH won't implement this until we have some way to test,
> preferably both hardware and a software (softhsm or similar) target
> to test against.

SoftHSM supports Ed25519 keys already [0] (with some follow-up fixes to match the final PKCS #11 3.0 specs), and for OpenSC we have patches pending (tested with NitroKey with the Gnuk applet) [1], so if anyone is interested in working on this, there are enough possibilities.

[0] https://github.com/opendnssec/SoftHSMv2/pull/324
[1] https://github.com/OpenSC/OpenSC/pull/1960
We have several customers interested in ED25519 keys to use with SSH where the keys are generated on HSM. If you can provide support in OpenSSH then we can test and verify it on our end with HSM.
Hi, is there any update on this?
No update - we still do not have an ability to test it ourselves. Offers to test it on our behalf are kind but unfortunately not practical for development.
(In reply to Damien Miller from comment #7)
> No update - we still do not have an ability to test it ourselves.

What's wrong with the SoftHSM implementation I mentioned earlier?