Ssh-agent-pkcs11 Alternatives
Similar projects and alternatives to ssh-agent-pkcs11
-
age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
cargo-crev
A cryptographically verifiable code review system for the cargo (Rust) package manager.
-
-
rage
A simple, secure and modern file encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.
-
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
whoami.filippo.io
A ssh server that knows who you are. $ ssh whoami.filippo.io
-
-
stakesign
Sign files via blockchain + put your money where your mouth is
-
yubage
`age-plugin-yubikey` implementation, encrypt things with a Yubikey/any PIV card
ssh-agent-pkcs11 reviews and mentions
-
It's Now Possible to Sign Arbitrary Data with Your SSH Keys
It hasn't been able to do it in a meaningful way.
I've been patching support for this into ssh-agent for about a decade. I wrote a PKCS#11 module which talks to the SSH agent socket to forward your smartcard [0]. Doing so requires three changes to the protocol:
1. The ability to sign arbitrary data and get back the signed result [1]; normally you get back a hashed result [2].
2. The ability to decrypt data, this is what you said. This is less important since many things only require signatures (and not all algorithms support encryption/decryption).
3. The ability to request your certificates [3] [4] this one is kinda obvious.
The benefits of this are that you can use your smartcard on the remote host to do fully authenticated password-less sudo with pam_pkcs11. You can also do anything else that requires you to use your private key to be used, which can include fetching files (TLS client certificate authentication).
Within the US Government, passwords have been being phased out since 2004, but the requirements for authenticated privilege elevation remain.
Another way to accomplish this is to use SSH forwarding of your PC/SC socket but that's less portable and more fragile (and even less secure).
[0] https://github.com/rkeene/ssh-agent-pkcs11
[1] https://cackey.rkeene.org/fossil/artifact/0d0e90bbfdee672c?l...
[2] https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent...
[3] https://cackey.rkeene.org/fossil/artifact/0d0e90bbfdee672c?l...
[4] https://datatracker.ietf.org/doc/html/rfc6187#section-2.1
Stats
The primary programming language of ssh-agent-pkcs11 is C.