Enhanced SSH Security: HSM and PIV Device Authentication for Discoverer and Discoverer+ Login Nodes

We’re excited to announce comprehensive documentation for enabling HSM and PIV device SSH authentication for Discoverer and Discoverer+ login nodes.

Our new guide enables users to use their existing state- and EU-issued HSM and PIV devices (smart cards) for SSH authentication on Discoverer login nodes. Instead of generating new SSH keys, users can now use the cryptographic tokens they already possess from state and EU-recognized PKI certificate authorities for secure access to our computing infrastructure. With this approach, the SSH private keys are kept in protected device memory and never leave the device when they are used.

Key Features:

  • Enhanced Security: Private keys remain protected in HSM/PIV device memory, never exposed to system memory
  • Privacy Protection: Only public keys are exchanged for authentication – no X.509v3 metadata is processed
  • Multi-Platform Support: Comprehensive instructions for Linux and macOS users

Two Implementation Paths:

  • EU-recognized PKI certificate authority devices
  • User-owned PKCS#11 HSM/PIV devices

The document covers everything from device selection and software installation to key generation, import procedures, and SSH client configuration. Users can choose between generating new keys directly on the device or importing existing SSH keys using advanced techniques such as DKEK (Device Key Encryption Key) and wrap keys.
