Hello All,

As I promised, I've completed an initial patch for openssh
PKCS#11 support. The same framework is also used by openvpn.
I want to help everyone who assisted during development.

This patch is based on the X.509 patch from
http://roumenpetrov.info/openssh/ written by Roumen Petrov,
as supporting PKCS#11 without X.509 looks like a bad idea.

*So the first question is: What is the merge status of
Roumen's patch?*

The PKCS#11 patch modifies ssh-add and ssh-agent to support
PKCS#11 private keys and certificates.

It allows using multiple PKCS#11 providers at the same time,
selecting keys by id, label or certificate subject, handling
card removal and card insert events (including insertion of
the card into a different slot), and handling session
expiration.

One significant change is that ssh-agent now prompts for
passwords... So you need to configure it with a program
that asks for the PIN, such as x11-ssh-askpass.
The current implementation (ssh-add asks for passwords) is
not valid for a dynamic smartcard environment.

*So the second question is whether this approach of handling
passwords is valid for merge?*

The current implementation also uses the askpin program for
prompting on card insert... Don't be confused, it only expects
ok or cancel. If we continue with the merge I will also allow
selecting a different program for the card prompt.

A common scenario is the following:

$ ssh-agent xterm ->

$ ssh-add --pkcs11-ask-pin `which x11-ssh-askpass`

$ ssh-add --pkcs11-add-provider \
    --pkcs11-provider /usr/lib/pkcs11/MyProvider.so

$ ssh-add --pkcs11-add-id \
    --pkcs11-slot-type label --pkcs11-slot "MyToken" \
    --pkcs11-id-type subject --pkcs11-id "/C=XX/CN=YY"

$ ssh myhost

In order to see the available objects, you can use:

$ ssh-add --pkcs11-show-slots \
    --pkcs11-provider /usr/lib/pkcs11/MyProvider.so

OpenSC users should add: --pkcs11-sign-mode sign

$ ssh-add --pkcs11-show-objects \
    --pkcs11-provider /usr/lib/pkcs11/MyProvider.so --pkcs11-slot 0

Look at ssh-add for more options.

If this patch is finally accepted, I believe that all OpenSC
code can be removed from all components of openssh, which can
then simply use the OpenSC PKCS#11 provider.

Some general comments:
1. I think that ssh-add should be cleaned up to support
arguments properly; openbsd-compat does not have getopt_long.

2. I think it is best that ssh-agent have a configuration
file, so that static configurations may be provided. Also,
ssh-agent lacks logging in non-debug mode; this should also
be corrected.

3. I don't support reader plug&play for now, since PKCS#11
does not support it. It can be supported at the price of
invalidating all open sessions.

Looking forward to receiving any comments,

Best Regards,
Alon Bar-Lev.
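The common scenario from the post above, as an added example that is not part of the original message and not code from the patch or from OpenSSH: one POSIX sh script that runs the same ssh-add sequence with the pre-flight checks a practitioner would want (provider and askpass program present, agent reachable) and confirms the result with `ssh-add -l`. The `--pkcs11-*` flags are the ones the posted patch adds as shown in the scenario; they do not exist in stock ssh-add, so the script only works against a build carrying that patch. The provider path, token label and subject are placeholders taken from the post, not real values.

```shell
#!/bin/sh
# Added example (not from the post or the patch). Wraps the scenario:
#   ssh-add --pkcs11-ask-pin / --pkcs11-add-provider / --pkcs11-add-id
# The --pkcs11-* flags are the posted patch's flags, NOT stock ssh-add.
# Defaults below are placeholders (assumptions); override via environment.
PROVIDER="${PKCS11_PROVIDER:-/usr/lib/pkcs11/MyProvider.so}"
ASKPIN="${PKCS11_ASKPIN:-$(command -v x11-ssh-askpass 2>/dev/null)}"
TOKEN_LABEL="${PKCS11_TOKEN:-MyToken}"
SUBJECT="${PKCS11_SUBJECT:-/C=XX/CN=YY}"

# require_file PATH LABEL: 0 if PATH is a readable regular file, else 1.
# Catches the common mistakes (typo in the provider path, askpass program
# not installed) before ssh-add is touched at all.
require_file() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        return 0
    fi
    echo "missing $2: '$1'" >&2
    return 1
}

# agent_reachable: 0 if an agent answers on SSH_AUTH_SOCK, 2 if ssh-add
# cannot contact one (ssh-add's own exit status for that case), 127 if
# ssh-add is not installed. "The agent has no identities" (exit 1) is
# still a reachable agent, so it maps to 0.
agent_reachable() {
    command -v ssh-add >/dev/null 2>&1 || return 127
    ssh-add -l >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 1 ] && rc=0
    return "$rc"
}

# pkcs11_setup: the post's scenario, stopping at the first failing step.
# Returns 1 on a missing file or failed ssh-add step, 2 if no agent.
pkcs11_setup() {
    require_file "$PROVIDER" "PKCS#11 provider" || return 1
    require_file "$ASKPIN" "askpass program" || return 1
    agent_reachable || {
        echo "no agent on SSH_AUTH_SOCK; start one with: ssh-agent \$SHELL" >&2
        return 2
    }
    # 1. program the agent will use for PIN and card-insert prompts
    ssh-add --pkcs11-ask-pin "$ASKPIN" || return 1
    # 2. load the provider (the patch allows several side by side)
    ssh-add --pkcs11-add-provider --pkcs11-provider "$PROVIDER" || return 1
    # 3. select the key: token by label, object by certificate subject
    ssh-add --pkcs11-add-id \
        --pkcs11-slot-type label --pkcs11-slot "$TOKEN_LABEL" \
        --pkcs11-id-type subject --pkcs11-id "$SUBJECT" || return 1
    # 4. confirm the agent now lists the identity
    ssh-add -l
}

# Only run when explicitly asked, so the file can also be sourced.
if [ "${PKCS11_SETUP_RUN:-0}" = 1 ]; then
    pkcs11_setup
fi
```

Run it as `PKCS11_SETUP_RUN=1 PKCS11_PROVIDER=/path/to/provider.so sh pkcs11-setup.sh` inside a shell started by `ssh-agent`; the exit status tells you which stage failed without having to read the agent's (non-existent, as the post notes) log.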

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev