Is OpenSC missing in OpenBSD?
If NitrokeyApp and OpenSC are used in Linux for Nitrokey initialization, then
can Nitrokey still be used in OpenBSD for non-extractable SSH and GPG keys somehow?
Is there any software support in OpenBSD for Nitrokey Pro2?
It would be nice to combine NitrokeyPro2 with other devices like Nitrokey FIDO2 and even a local post-quantum key to generate a single hybrid (multiple factored) SSH session key. Modern SSH can support several different key pairs for a single session now by using:
According to Damien Miller (SSH developer):
this is pretty much possible now, by enabling the experimental support
for the XMSS PQ signature algorithm, specifying
and by setting the required public keys in authorized_keys.
Even post quantum algos can be combined with more established algos in hardware keys.
There’s no possibility of MITM for ssh clients that have learned the
host’s public key outside of a weakness in the host key signature
If the client is connecting for the first time and does not know the
server’s host key then MITM is trivial.
In a situation of MITM, it is not possible to steal use of the client’s
private keys for authentication against a real destination host unless
the client has forwarded their authentication agent.
I’m not sure what you mean here. If a server has its key compromised,
then it can be trivially MITMd.
It is not obvious to me: if the server key is leaked, will the client notice a change in the fingerprint of the server key? Can the fingerprint of the server key be forged if the server's private key is leaked?
Does your HSM help to keep the server key? Does it work on OpenBSD? How does it work without manual PIN codes or other interaction? Why are there so few HSMs on the market? Actually, I could not find any competitors except the more advanced (and expensive) PCI Express models from Utimaco.com; they even have post-quantum models.
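
The host key cases quoted above (known key, first contact, compromised server key), as an added example that is not part of the original post: a Python sketch of the client-side comparison using the OpenSSH SHA256 fingerprint format. The key bytes, the host name `host.example` and the `check_host` helper are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public: bytes) -> bytes:
    """Public key blob: the data a fingerprint is computed over."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256(public blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(known: dict, host: str, offered_blob: bytes) -> str:
    """Hypothetical helper mirroring the client's host key decision."""
    pinned = known.get(host)
    if pinned is None:
        return "unknown"  # first contact: nothing to compare against
    return "match" if fingerprint(offered_blob) == pinned else "changed"


def demo() -> dict:
    # Constructed sample keys (not real key material).
    server_pub = ed25519_blob(bytes(range(32)))
    attacker_pub = ed25519_blob(bytes(range(1, 33)))
    # Whoever holds the leaked private key presents the same public key.
    leaked_pub = server_pub
    known = {"host.example": fingerprint(server_pub)}
    return {
        "real server, pinned client": check_host(known, "host.example", server_pub),
        "attacker's own key, pinned client": check_host(known, "host.example", attacker_pub),
        "leaked server key, pinned client": check_host(known, "host.example", leaked_pub),
        "any key, first-time client": check_host({}, "host.example", attacker_pub),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A "match" only says the offered public key is the pinned one; the private key never enters the fingerprint, so a leaked key produces no change for the client to notice.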