[Bug 1371] New: Add PKCS#11 (Smartcards) support into OpenSSH
bugzilla-daemon at bugzilla.mindrot.org
Sat Sep 29 23:29:28 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1371
Summary: Add PKCS#11 (Smartcards) support into OpenSSH
Product: Portable OpenSSH
Version: 4.7p1
Platform: All
URL: http://alon.barlev.googlepages.com/openssh-pkcs11
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Smartcard
AssignedTo: bitbucket at mindrot.org
ReportedBy: alon.barlev at gmail.com
Hello,
PKCS#11 is a standard API interface that can be used in
order to access cryptographic tokens. You can find the
specification at
http://www.rsasecurity.com/rsalabs/node.asp?id=2133. Most
smartcard and other cryptographic device vendors support
PKCS#11; opensc also provides a PKCS#11 interface.
PKCS#11 is a much more portable, standard and widely used
interface than the current opensc implementation.
The implementation is much cleaner than the current smartcard support, as it
handles the passphrase correctly (card remove/insert). It is also much
easier to use, as it allows adding specific keys to the agent and much
more. Please see:
http://alon.barlev.googlepages.com/openssh-pkcs11
Many users already use this patch, with many different smartcard
providers.
I believe that a security product without decent smartcard support
loses much of its target.
Please consider merging it.
I will be glad to work with you in order to make it better and more
usable.
Some references:
2005-10-04: http://www.gossamer-threads.com/lists/openssh/dev/29448
2005-11-01: http://www.gossamer-threads.com/lists/openssh/dev/29599
2007-09-24: http://www.gossamer-threads.com/lists/openssh/dev/40662
In order to merge it cleanly, we should also discuss a modification
to the agent protocol. As smartcards are dynamic in nature, there
should be an option for the agent to ask the caller to provide
information, for example "Insert token <xxx>" or "Please enter
passphrase for token <xxx>". The current implementation does not modify
the agent protocol but executes a dialog from within the agent.
Thanks!