[Bug 1371] Add PKCS#11 (Smartcards) support into OpenSSH

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Jun 29 03:32:57 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1371





--- Comment #47 from Alon Bar-Lev <alon.barlev at gmail.com>  2008-06-29 03:32:51 ---
I am not sure I understand what you are doing. But I do understand that
I and users are going to miss another merge window.

You left the current *SMARTCARD calls to the agent, while if you truly
wish to provide a way for people to add new agents you need to abstract
the agent, and leave only relevant required messages.

Also there is the issue of providing the agent with some variables,
such as the active tty. I thought you were going to address this.

Imagine you are going to split up the ssh-agent (and ssh-add) into a separate
package, and review the protocol using this assumption. Calls made by
ssh-add may be agent specific and should not be documented here.

However, if you are going to keep the current smartcard parameters in the ssh
command line, the smartcard commands should be documented, but I will
never be able to provide users with the same level of solution in an
agent-only implementation.

For example... Adding a new "set property" command and an ssh
configuration option "AgentProperty". Then users will be able to enter
something like:

ssh -o AgentProperty=smartcard-key:reader_id,pin,key_constraints host

[or adding this to ssh_config]

This will allow external implementations to work without modifying the
protocol, for example:

ssh -o AgentProperty=pkcs11-add-provider:provider host

And it also solves the tty issue simply, as a tty= attribute may automatically
be set by all utilities.

I think that merging PKCS#11 patches provides the best solution until
the agent implementation may truly be separated.


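A worked sketch of the "set property" idea in the comment above, added here as an illustration; it is not code from OpenSSH or from the PKCS#11 patches discussed in this bug. It parses AgentProperty values of the form name:arg1,arg2 (the two command lines quoted above are used as constructed inputs), appends the tty= attribute the comment says every utility could set on its own, frames each property with the agent protocol's length-prefixed layout (uint32 length, byte type, SSH string fields), and decodes it on the agent side with bounds checks so a malformed client message is rejected rather than read out of range. The message number SSH_AGENTC_SET_PROPERTY, the argument-count field, the property name tty and the table of which argument positions are masked in log output are all assumptions of this example, not part of any assigned protocol.

```python
import struct

# Hypothetical message type for the proposed "set property" request.
# Assumption of this example: no such number is assigned in the ssh-agent protocol.
SSH_AGENTC_SET_PROPERTY = 250

# Constructed table of argument positions that must not appear in logs;
# follows the comment's "smartcard-key:reader_id,pin,key_constraints" layout.
SENSITIVE_ARG_POSITIONS = {"smartcard-key": {1}}


def parse_agent_property(value):
    """Split an AgentProperty value 'name:arg1,arg2,...' into (name, [args]).
    Only the first colon separates name from args, so args may contain colons."""
    name, sep, rest = value.partition(":")
    if not sep or not name:
        raise ValueError("AgentProperty value must look like name:args")
    args = rest.split(",") if rest else []
    return name, args


def properties_for_session(option_values, tty):
    """Collect the user's properties and append the tty attribute the comment
    says every utility could set automatically (assumed property name 'tty')."""
    props = [parse_agent_property(v) for v in option_values]
    if tty:
        props.append(("tty", [tty]))
    return props


def _put_string(data):
    # SSH wire 'string': uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def encode_set_property(name, args):
    """Frame one property as an agent request: uint32 total length, byte type,
    string name, uint32 argument count, then one string per argument."""
    body = bytes([SSH_AGENTC_SET_PROPERTY]) + _put_string(name.encode("utf-8"))
    body += struct.pack(">I", len(args))
    for arg in args:
        body += _put_string(arg.encode("utf-8"))
    return struct.pack(">I", len(body)) + body


class _Reader:
    """Bounds-checked cursor over a message buffer; the agent side never
    trusts the lengths a client sends."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated field")
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def uint32(self):
        return struct.unpack(">I", self.take(4))[0]

    def string(self):
        return self.take(self.uint32()).decode("utf-8")


def decode_set_property(msg):
    """Parse a framed request back into (name, args), rejecting bad framing."""
    outer = _Reader(msg)
    body = outer.take(outer.uint32())
    if outer.off != len(msg):
        raise ValueError("trailing bytes after message")
    r = _Reader(body)
    if r.take(1)[0] != SSH_AGENTC_SET_PROPERTY:
        raise ValueError("unexpected message type")
    name = r.string()
    count = r.uint32()
    if count > 64:  # arbitrary sanity cap chosen for this example
        raise ValueError("too many arguments")
    args = [r.string() for _ in range(count)]
    if r.off != len(body):
        raise ValueError("trailing bytes in body")
    return name, args


def is_well_formed(msg):
    """True if the agent side would accept the framed request."""
    try:
        decode_set_property(msg)
        return True
    except ValueError:
        return False


def describe(name, args):
    """Render a property for log output with sensitive positions masked."""
    hidden = SENSITIVE_ARG_POSITIONS.get(name, set())
    shown = ["***" if i in hidden else a for i, a in enumerate(args)]
    return f"{name}:{','.join(shown)}"


if __name__ == "__main__":
    # Constructed inputs mirroring the two command lines in the comment.
    for name, args in properties_for_session(
            ["smartcard-key:reader_id,pin,key_constraints",
             "pkcs11-add-provider:/usr/lib/opensc-pkcs11.so"], "/dev/pts/3"):
        frame = encode_set_property(name, args)
        print(describe(name, args), "->", decode_set_property(frame))
```

The client side (ssh or ssh-add) would send one frame per property before its normal requests; the agent side treats every length field as untrusted, which is why both the outer frame and each string are read through the bounds-checked cursor and any leftover bytes are treated as an error rather than ignored.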