This is a discussion on Re: PKCS#11 support for openssh - openssh ; This is a multi-part message in MIME format. --------------010906080601050102080201 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Dan C wrote: > Thanks for your quick reply. > > On Mon, Nov 14, 2005 at 10:11:06PM +0200, Alon Bar-Lev wrote: > >>Dan C ...
This is a multi-part message in MIME format.
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Dan C wrote:
> Thanks for your quick reply.
> On Mon, Nov 14, 2005 at 10:11:06PM +0200, Alon Bar-Lev wrote:
>>Dan C wrote:
>>>On Mon, Nov 14, 2005 at 09:54:46AM +0200, Alon Bar-Lev wrote:
>>>Unfortunately I'm unable to use the OpenSC PKCS#11 provider as desired
>>>with my card, as the manufacturer (Aladdin's eToken) does not use a
>>>compliant layout. They have however recently developed their own
>>>proprietary PKCS#11 module, so obviously I'm keen for OpenSSH PKCS#11
>>But I heard of success in using eToken with OpenSC and
>>Maybe you want to use the same content in Windows and
>>Linux... Then I agree that it is not possible...
> Yeah, that's correct.
> Previously I've been using a seperate card initialized with OpenSC's
> pkcs15-init. But with Aladdin's upcoming PKCS#11 module, it would be
> nice to consolidate all of my key usage onto one card.
>>>I suspect that I'm not actually using your patch as intended though.
>>>Should I still be able to, as previously with OpenSC - generate a self
>>>signed certifcate with my existing RSA private key, import the pair to
>>>my card and then reference the private key to log into my legacy SSH
>>Well... You need the X.509 patch for your host... I think
>>that smartcards should be used with X.509... I have a
>>discussion regarding this issue with OpenSSH developers...
>>Roumen Petrov does not support self-signed certificate in
>>his X.509 patch implementation... I've asked him to... He is
>>thinking on it....
>>So if you can use a certificate which is not self-signed...
>>It would be the best... Until things will clear up.
> Ah, I see - then I haven't been using it as intended. The existing
> OpenSC support allows you to reference a private RSA key and a public
> key in the form of a certificate generated against the private key (to
> humour the smartcard structure), in order to authenticate against
> standard SSH2 public-key hosts. No patching of remote hosts or amending
> authorized_keys files.
> I agree with your reasoning for x509 over raw RSA support. But I think a
> replacement of the existing OpenSC support would need to still handle
> raw RSA. It would be invaluable for people with existing SSH2 PKI
Attached is an update to the PKCS#11 patch. It can now be
applied as standalone without X.509 patch, but is X.509
A valid X.509 certificate must still exist on the token, but
without X.509 support it is exported as regular RSA key.
There is a nice utility Timo Felbinger wrote
(http://www.timof.qipc.org/x509toOpenSSH.c) that extracts
ssh public key from X.509 certificate.
If you like X.509 support apply the X.509 patch *AFTER* the
PKCS#11 patch. There are minor rejects that can be easily
$ autoreconf -i -v
The new patch also supports self-signed certificates. If it
finds one it treats it as RSA key and not as X.509 RSA key,
Roumen, I think this should be the default behavior of the
Waiting to receive many more comments...
Content-Type: text/plain; charset="us-ascii"
openssh-unix-dev mailing list