[ssh_x509] HostKey via engine?

ssh_x509 at roumenpetrov.info
Fri Nov 23 01:29:12 EET 2012

ssh_x509 at roumenpetrov.info wrote:
> Hi,
> Is it possible to store the HostKey on hardware and access it via an openssl
> engine?
Not yet. Currently only the client can use keys in an engine.
> I did a simple test with the configuration:
>    HostKey engine:spyrus:2
OK. I will update the man pages for client/server configuration to detail
that the engine works only for user identity.

> where spyrus is an openssl engine for Spyrus Lynks that works fine for
> clients.
OK. But to use an openssl engine with X.509 certificates, the engine should
support non-standard commands.

> But sshd gives this output:
> debug1: could not open key file
> '/home/ssi/test-spyrus/spyrus-user/server/engine:spyrus:2': No such file or
> directory
> Could not load host key:
> /home/ssi/test-spyrus/spyrus-user/server/engine:spyrus:2
> Disabling protocol version 2. Could not load host key
> sshd: no hostkeys available -- exiting.
> So my impression is that the engine syntax is not supported here.  Is there an
> alternative approach?
Currently openssh host keys are unprotected. This is one of the reasons
engines are not yet supported for accessing secure devices.

> Thanks,
> Andrew

