Dan C wrote:
> Thanks for your quick reply.
>
> On Mon, Nov 14, 2005 at 10:11:06PM +0200, Alon Bar-Lev wrote:
>
>>Dan C wrote:
>>
>>>On Mon, Nov 14, 2005 at 09:54:46AM +0200, Alon Bar-Lev wrote:
>>>Unfortunately I'm unable to use the OpenSC PKCS#11 provider as desired
>>>with my card, as the manufacturer (Aladdin's eToken) does not use a
>>>compliant layout. They have however recently developed their own
>>>proprietary PKCS#11 module, so obviously I'm keen for OpenSSH PKCS#11
>>>support.
>>
>>But I heard of success in using eToken with OpenSC and
>>PKCS#11 provider...
>>Maybe you want to use the same content in Windows and
>>Linux... Then I agree that it is not possible...
>
> Yeah, that's correct.
>
> Previously I've been using a separate card initialized with OpenSC's
> pkcs15-init. But with Aladdin's upcoming PKCS#11 module, it would be
> nice to consolidate all of my key usage onto one card.
>
>
>>>I suspect that I'm not actually using your patch as intended though.
>>>Should I still be able to, as previously with OpenSC - generate a
>>>self-signed certificate with my existing RSA private key, import the pair to
>>>my card and then reference the private key to log into my legacy SSH
>>>hosts?
>>
>>Well... You need the X.509 patch for your host... I think
>>that smartcards should be used with X.509... I have a
>>discussion regarding this issue with OpenSSH developers...
>>
>>http://marc.theaimsgroup.com/?l=open...6115818802&w=2
>>
>>Roumen Petrov does not support self-signed certificate in
>>his X.509 patch implementation... I've asked him to... He is
>>thinking on it....
>>
>>So if you can use a certificate which is not self-signed...
>>It would be the best... Until things will clear up.
>
> Ah, I see - then I haven't been using it as intended. The existing
> OpenSC support allows you to reference a private RSA key and a public
> key in the form of a certificate generated against the private key (to
> humour the smartcard structure), in order to authenticate against
> standard SSH2 public-key hosts. No patching of remote hosts or amending
> authorized_keys files.
>
> I agree with your reasoning for x509 over raw RSA support. But I think a
> replacement of the existing OpenSC support would need to still handle
> raw RSA. It would be invaluable for people with existing SSH2 PKI
> environments.
>
> Regards,
> Dan
>


Hello,

Attached is an update to the PKCS#11 patch. It can now be
applied as standalone without X.509 patch, but is X.509
patch aware.

A valid X.509 certificate must still exist on the token, but
without X.509 support it is exported as a regular RSA key.

There is a nice utility Timo Felbinger wrote
(http://www.timof.qipc.org/x509toOpenSSH.c) that extracts the
ssh public key from an X.509 certificate.

If you like X.509 support apply the X.509 patch *AFTER* the
PKCS#11 patch. There are minor rejects that can be easily
corrected by:
$ autoreconf -i -v

The new patch also supports self-signed certificates. If it
finds one it treats it as an RSA key and not as an X.509 RSA key.
Roumen, I think this should be the default behavior of the
X.509 patch.

Waiting to receive many more comments...

Best Regards,
Alon Bar-Lev.
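The conversion the mail refers to (certificate on the token in, OpenSSH public key line out) is what lets a raw-RSA host accept a token-held key without any patching, and it is also what an administrator needs to check that the key in authorized_keys really is the one in the certificate. The block below is an added example written for this page; it is neither Timo Felbinger's x509toOpenSSH.c nor OpenSSH or OpenSC code, and all function names in it are mine. It assumes a DER-encoded certificate carrying an rsaEncryption key, walks the ASN.1 structure down to the RSAPublicKey, and emits the RFC 4251 "ssh-rsa" blob; the reverse decoder and the SHA256 fingerprint (the form ssh-keygen -l prints) are there so the result can be cross-checked. The sample certificate is constructed inline with a tiny DER encoder and is not a valid, signed certificate, and SAMPLE_N is a constructed number, not a real modulus.

```python
"""Extract the RSA public key from a DER-encoded X.509 certificate and emit it as an
OpenSSH "ssh-rsa" authorized_keys line, plus the reverse decode and the SHA256
fingerprint ssh-keygen -l prints.  Added example, not the linked utility."""
import base64
import hashlib
import struct

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's value into a list of (tag, value)."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_public_from_cert(cert_der):
    """Return (n, e) from the SubjectPublicKeyInfo.  Certificate ::= SEQUENCE {
    tbsCertificate, signatureAlgorithm, signature }; TBSCertificate ::= SEQUENCE {
    [0] version OPTIONAL, serial, signature, issuer, validity, subject, SPKI, ... }"""
    _, cert, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                # explicit [0] version present: skip it
        fields = fields[1:]
    alg, (_, bitstring) = der_children(fields[5][1])
    if der_children(alg[1])[0][1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    _, rsa_pub, _ = der_tlv(bitstring[1:])  # skip the BIT STRING 'unused bits' byte
    n_bytes, e_bytes = (v for _, v in der_children(rsa_pub))
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(x):
    """RFC 4251 'mpint' (two's complement): a positive value whose top bit is set
    needs a leading zero byte, a classic slip in hand-rolled converters."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return ssh_string((b"\x00" if b and b[0] & 0x80 else b"") + b)

def openssh_rsa_line(n, e, comment="from-x509"):
    """One authorized_keys line: key type, base64 blob (type, e, n), comment."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def parse_openssh_rsa_line(line):
    """Decode an ssh-rsa line back to (n, e), the way sshd reads authorized_keys."""
    blob, pos, parts = base64.b64decode(line.split()[1]), 0, []
    while pos < len(blob):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if parts[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big")

def sha256_fingerprint(line):
    """Fingerprint in ssh-keygen -l form: SHA256 of the blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# --- CONSTRUCTED sample input: a certificate-shaped DER blob -----------------
def der(tag, value):
    """Minimal DER encoder, used only to build the sample certificate."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big") or b"\x00"
    return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def sample_cert(n, e):
    """Dummy names, dates and a fake signature; exercises the parser, NOT a valid cert."""
    rsa_alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
    name, date = der(0x30, b""), der(0x17, b"051114000000Z")
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig_alg + name
              + der(0x30, date + date) + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xab" * 16))

# CONSTRUCTED 2048-bit odd number standing in for a modulus; not a real RSA key.
SAMPLE_N, SAMPLE_E = (1 << 2047) | 0x1D0B5F3, 65537

if __name__ == "__main__":
    line = openssh_rsa_line(*rsa_public_from_cert(sample_cert(SAMPLE_N, SAMPLE_E)), "dan@token")
    print(line, sha256_fingerprint(line), sep="\n")
```

Feeding a real DER certificate from the token into rsa_public_from_cert gives the line to paste into authorized_keys, and comparing sha256_fingerprint of that line with what ssh-keygen -l reports for the installed key is the quick way to confirm the host trusts the key the certificate actually carries. The parser does not validate the certificate's signature or chain: with raw RSA authentication the certificate is only a container for the key, which is exactly the point Dan makes above about legacy hosts.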

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
