[Bug 1371] New: Add PKCS#11 (Smartcards) support into OpenSSH

bugzilla-daemon at bugzilla.mindrot.org
Sat Sep 29 23:29:28 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1371

           Summary: Add PKCS#11 (Smartcards) support into OpenSSH
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: All
               URL: http://alon.barlev.googlepages.com/openssh-pkcs11
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Smartcard
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: alon.barlev at gmail.com


Hello,

PKCS#11 is a standard API interface that can be used in
order to access cryptographic tokens. You can find the
specification at
http://www.rsasecurity.com/rsalabs/node.asp?id=2133. Most
smartcard and other cryptographic device vendors support
PKCS#11; OpenSC also provides a PKCS#11 interface.

PKCS#11 is much more portable, standardized and widely used than
the current OpenSC implementation.

The implementation is much cleaner than the current smartcard support, as it
handles the passphrase correctly (card removal/insertion); it is also much
easier to use, as it allows adding specific keys to the agent, and much
more. Please see:
http://alon.barlev.googlepages.com/openssh-pkcs11

Many users already use this patch, with many different smartcard
providers.

I believe that a security product without decent smartcard support
loses much of its target.

Please consider merging it.
I will be glad to work with you in order to make it better and more
usable.

Some references:
2005-10-04: http://www.gossamer-threads.com/lists/openssh/dev/29448
2005-11-01: http://www.gossamer-threads.com/lists/openssh/dev/29599
2007-09-24: http://www.gossamer-threads.com/lists/openssh/dev/40662

In order to merge it cleanly, we should also discuss a modification
of the agent protocol. As smartcards are dynamic in nature, there
should be an option for the agent to ask the caller to provide
information, for example "Insert token <xxx>" or "Please enter
passphrase for token <xxx>". The current implementation does not modify
the agent protocol but executes the dialog from within the agent.

Thanks!

