Re: PKCS#11 support for openssh
Dan C wrote:
> Alon, that's great - thank you for the update. It works perfectly in
> keeping with the old OpenSC support, but with the added flexibility of
> being able to use _any_ available PKCS#11 provider. A good improvement I
> My only remaining thoughts echo that of Andreas's, in that it would be
> useful to have "direct" ssh(1) support. For both the ease of being able
> to choose ie. "ssh -I0" when you wish, as well as being able to
> hardset options to use card auth for specified hosts in ssh_config(5).
> Please feel free to pass my comments on to the list/Roumen/Andreas and
> by all means throw any further testing my way.
I am glad that all works!
I agree that there should be a simple way to use ssh with
smartcard support... But I don't like the current implementation
in which the code is written twice, once for the agent and
second for the ssh.
I think that ssh should always use the agent, and if not
available execute it (Or convert the agent to a library).
Then ssh can read the config file and add identities as if
the agent is external. This way the private key handling
will be implemented in one place....
When I get some kind of positive response from the openssh
developers, I will discuss what the user interface of the
PKCS#11 support should be and implement a more friendly
openssh-unix-dev mailing list