openssh PKCS#11 support - openssh-unix-dev

Hello All,
As I promised, I've completed an initial patch for openssh
PKCS#11 support. The same framework is also used by openvpn.
I want to help everyone who assisted during development.
This patch is based on the X.509 patch from
http://roumenpetrov.info/openssh/ written by Roumen Petrov, since
supporting PKCS#11 without X.509 looks like a bad idea.
*So the first question is: What is the merge status of
The PKCS#11 patch modifies ssh-add and ssh-agent to support
PKCS#11 private keys and certificates.
It allows using multiple PKCS#11 providers at the same time,
selecting keys by id, label or certificate subject, handling
card removal and card insert events, supporting card insertion into
a different slot, and handling session expiration.
One significant change is that the ssh-agent prompts for
passwords now... So you need to configure it with a program
that asks for the PIN, a program such as x11-ssh-askpass.
The current implementation (ssh-add asks for passwords) is not
valid for a dynamic smartcard environment.
*So the second question is whether this approach to handling
passwords is valid for merge?*
The current implementation also uses the askpin program for
prompting for card insertion... Don't be confused, it only expects
OK or cancel. If we continue with the merge I will also allow
selecting a different program for the card prompt.
A common scenario is the following:
$ ssh-agent xterm ->
$ ssh-add --pkcs11-ask-pin `which x11-ssh-askpass`
$ ssh-add --pkcs11-add-provider --pkcs11-provider
$ ssh-add --pkcs11-add-id --pkcs11-slot-type label
--pkcs11-slot "MyToken" --pkcs11-id-type subject --pkcs11-id
$ ssh myhost
In order to see the available objects, you can use:
$ ssh-add --pkcs11-show-slots --pkcs11-provider
Opensc users should add: --pkcs11-sign-mode sign
$ ssh-add --pkcs11-show-objects --pkcs11-provider
/usr/lib/pkcs11/MyProvider.so --pkcs11-slot 0
Look at ssh-add for more options.
If this patch is finally accepted, I believe that all opensc
code can be removed from all components of openssh, and
the opensc PKCS#11 provider can simply be used instead.
Some general comments:
1. I think that ssh-add should be cleaned up, and support
arguments properly; openbsd-compat does not have getopt_long.
2. I think that it is best that ssh-agent have a
configuration file, so that static configurations may be
provided; also, ssh-agent lacks logging in non-debugging
mode, which should also be corrected.
3. I don't support reader plug&play for now, since PKCS#11
does not support it. It can be supported at the price of
invalidating all open sessions.
Looking forward to receiving any comments,
openssh-unix-dev mailing list
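The `--pkcs11-*` options in the message above belong to the proposed patch and are not the interface mainline OpenSSH ended up with: mainline `ssh-add` loads a PKCS#11 provider with `ssh-add -s /path/to/provider.so` and unloads it with `ssh-add -e`, and `ssh-agent` accepts `-P allowed_providers` to restrict which shared libraries it will load. Because the agent dlopen()s whatever provider path it is handed, the path itself is worth checking on the client side too. The script below is an added example written for this page, not code from the message or the patch; the `ALLOWED_PROVIDER_DIRS` policy and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a PKCS#11 provider path before handing it to
# ssh-agent via `ssh-add -s`. ALLOWED_PROVIDER_DIRS is a constructed
# policy for this example; adjust it to where your distribution
# installs provider modules (e.g. the opensc PKCS#11 module).
ALLOWED_PROVIDER_DIRS="${ALLOWED_PROVIDER_DIRS:-/usr/lib/pkcs11 /usr/lib64/pkcs11 /usr/local/lib/pkcs11}"

# pkcs11_provider_ok PATH
# Returns 0 when PATH is an absolute, existing regular file named like a
# shared object and located directly in one of ALLOWED_PROVIDER_DIRS;
# returns 1 otherwise.
pkcs11_provider_ok() {
    p=$1
    case $p in
        /*) ;;                 # must be an absolute path
        *) return 1 ;;
    esac
    case $p in
        *..*) return 1 ;;      # reject path traversal components
    esac
    case $p in
        *.so|*.so.*) ;;        # shared object naming only
        *) return 1 ;;
    esac
    [ -f "$p" ] || return 1    # must exist and be a regular file
    dir=${p%/*}
    for d in $ALLOWED_PROVIDER_DIRS; do
        [ "$dir" = "$d" ] && return 0
    done
    return 1                   # outside the allowed directories
}

# load_pkcs11_provider PATH
# Validates PATH, then asks the running ssh-agent to load it and lists
# the keys it exposes (mainline OpenSSH `ssh-add -s` / `ssh-add -l`).
load_pkcs11_provider() {
    if ! pkcs11_provider_ok "$1"; then
        echo "refusing to load PKCS#11 provider: $1" >&2
        return 1
    fi
    ssh-add -s "$1" && ssh-add -l
}

# unload_pkcs11_provider PATH
# Removes the provider's keys from the agent (mainline `ssh-add -e`).
unload_pkcs11_provider() {
    ssh-add -e "$1"
}
```

Usage: `load_pkcs11_provider /usr/lib/pkcs11/opensc-pkcs11.so`, then `ssh myhost` as in the scenario above; `unload_pkcs11_provider` with the same path drops the keys again. The check is deliberately strict (exact directory match, no `..`, shared-object suffix) because a provider path is executable code for the agent process, and a loose match would defeat the point of the allow-list.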