This is a discussion on Re: PKCS#11 support for openssh - openssh ; Alon, you should improve security of code. I already sent some notes offlist. Alon Bar-Lev wrote: > Dan C wrote: > >> Thanks for your quick reply. >> >> On Mon, Nov 14, 2005 at 10:11:06PM +0200, Alon Bar-Lev wrote: ...
you should improve security of code. I already sent some notes offlist.
Alon Bar-Lev wrote:
> Dan C wrote:
>> Thanks for your quick reply.
>> On Mon, Nov 14, 2005 at 10:11:06PM +0200, Alon Bar-Lev wrote:
>>> Dan C wrote:
>>>> On Mon, Nov 14, 2005 at 09:54:46AM +0200, Alon Bar-Lev wrote:
>>>> Unfortunately I'm unable to use the OpenSC PKCS#11 provider as desired
>>>> with my card, as the manufacturer (Aladdin's eToken) does not use a
>>>> compliant layout. They have however recently developed their own
>>>> proprietary PKCS#11 module, so obviously I'm keen for OpenSSH PKCS#11
>>> But I heard of success in using eToken with OpenSC and PKCS#11
>>> Maybe you want to use the same content in Windows and Linux... Then I
>>> agree that it is not possible...
>> Yeah, that's correct.
>> Previously I've been using a seperate card initialized with OpenSC's
>> pkcs15-init. But with Aladdin's upcoming PKCS#11 module, it would be
>> nice to consolidate all of my key usage onto one card.
>>>> I suspect that I'm not actually using your patch as intended though.
>>>> Should I still be able to, as previously with OpenSC - generate a self
>>>> signed certifcate with my existing RSA private key, import the pair to
>>>> my card and then reference the private key to log into my legacy SSH
>>> Well... You need the X.509 patch for your host... I think that
>>> smartcards should be used with X.509... I have a discussion regarding
>>> this issue with OpenSSH developers...
>>> Roumen Petrov does not support self-signed certificate in his X.509
>>> patch implementation... I've asked him to... He is thinking on it....
>>> So if you can use a certificate which is not self-signed... It would
>>> be the best... Until things will clear up.
>> Ah, I see - then I haven't been using it as intended. The existing
>> OpenSC support allows you to reference a private RSA key and a public
>> key in the form of a certificate generated against the private key (to
>> humour the smartcard structure), in order to authenticate against
>> standard SSH2 public-key hosts. No patching of remote hosts or amending
>> authorized_keys files.
>> I agree with your reasoning for x509 over raw RSA support. But I think a
>> replacement of the existing OpenSC support would need to still handle
>> raw RSA. It would be invaluable for people with existing SSH2 PKI
> Attached is an update to the PKCS#11 patch. It can now be applied as
> standalone without X.509 patch, but is X.509 patch aware.
> A valid X.509 certificate must still exist on the token, but without
> X.509 support it is exported as regular RSA key.
> There is a nice utility Timo Felbinger wrote
> (http://www.timof.qipc.org/x509toOpenSSH.c) that extracts ssh public key
> from X.509 certificate.
> If you like X.509 support apply the X.509 patch *AFTER* the PKCS#11
> patch. There are minor rejects that can be easily corrected by:
> $ autoreconf -i -v
> The new patch also supports self-signed certificates. If it finds one it
> treats it as RSA key and not as X.509 RSA key, Roumen, I think this
> should be the default behavior of the X.509 patch.
> Waiting to receive many more comments...
> Best Regards,
> Alon Bar-Lev.
openssh-unix-dev mailing list