[Bug 1371] Add PKCS#11 (Smartcards) support into OpenSSH

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Jun 29 18:25:24 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1371
--- Comment #50 from Damien Miller <djm at mindrot.org>  2008-06-29 18:25:21 ---
I don't think the protocol should be modified to accept a tty channel.
The SSH agent protocol allows for forwarded operation through hosts that
may not be completely trustworthy. Passing a pin through for frequent
operations like listing identities or private key operations increases
the likelihood that it will be exposed.

Better IMO to cache the pin in the agent at the time the key is added -
this is what the existing smartcard support does. Caching the pin in
the agent is no additional security risk - if the agent host were
compromised then an attacker could just as easily steal the pin when it
was used.

As for other protocol extensions - please keep it simple for now. Part
of the difficulty with merging the existing pkcs#11 patch is that it
touches much more than it strictly needs to. Better to start simple and
add features based on clear need.

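The design argued for in the comment above, as an added example that is not code from OpenSSH or from the bug report: a toy ssh-agent exchange in which the PIN crosses the agent channel exactly once, inside SSH_AGENTC_ADD_SMARTCARD_KEY, and the later REQUEST_IDENTITIES and SIGN_REQUEST messages carry no PIN at all, so forwarding them through a less trusted host does not expose it. The message numbers and string framing follow the agent protocol as documented in draft-miller-ssh-agent; the token, its PIN, the key blob, the provider path and the HMAC used as a stand-in for a real signature are all constructed for the example and are not a PKCS#11 module.

```python
"""Added example (not from OpenSSH or the bug report): a toy ssh-agent
exchange showing the PIN sent once, in SSH_AGENTC_ADD_SMARTCARD_KEY, while
REQUEST_IDENTITIES and SIGN_REQUEST carry no PIN. Message numbers follow
draft-miller-ssh-agent; the token, PIN, key blob, provider path and the
HMAC "signature" are constructed stand-ins, not a real PKCS#11 module."""
import hashlib
import hmac
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENTC_ADD_SMARTCARD_KEY = 20


def ssh_string(b):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(msg_type, *fields):
    """A whole agent message is itself length-prefixed: uint32 len || byte type || body."""
    return ssh_string(bytes([msg_type]) + b"".join(ssh_string(f) for f in fields))


def unframe(data):
    body, _ = read_string(data, 0)
    return body[0], body[1:]


# Client-side builders for the three requests in the exchange.
def add_smartcard_key(provider_id, pin):
    return frame(SSH_AGENTC_ADD_SMARTCARD_KEY, provider_id, pin)


def request_identities():
    return frame(SSH_AGENTC_REQUEST_IDENTITIES)


def sign_request(key_blob, data, flags=0):
    body = ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags)
    return ssh_string(bytes([SSH_AGENTC_SIGN_REQUEST]) + body)


# Constructed stand-in for a token holding one key that a PIN unlocks.
TOKEN_PIN = b"123456"
TOKEN_KEY_BLOB = b"ssh-toy-key constructed-public-blob"
TOKEN_SECRET = b"constructed-private-material-never-leaves-agent"


class MiniAgent:
    def __init__(self):
        self.keys = {}  # key blob -> (secret, comment), cached after a successful add

    def handle(self, req):
        msg_type, body = unframe(req)
        if msg_type == SSH_AGENTC_ADD_SMARTCARD_KEY:
            provider_id, off = read_string(body, 0)
            pin, _ = read_string(body, off)
            if not hmac.compare_digest(pin, TOKEN_PIN):
                return frame(SSH_AGENT_FAILURE)
            # The PIN unlocks the token at add time; the agent keeps the
            # unlocked state and the client never resends the PIN.
            self.keys[TOKEN_KEY_BLOB] = (TOKEN_SECRET, provider_id)
            return frame(SSH_AGENT_SUCCESS)
        if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
            out = struct.pack(">I", len(self.keys))
            for blob, (_, comment) in self.keys.items():
                out += ssh_string(blob) + ssh_string(comment)
            return ssh_string(bytes([SSH_AGENT_IDENTITIES_ANSWER]) + out)
        if msg_type == SSH_AGENTC_SIGN_REQUEST:
            blob, off = read_string(body, 0)
            data, _ = read_string(body, off)
            if blob not in self.keys:
                return frame(SSH_AGENT_FAILURE)
            # HMAC stands in for the asymmetric signature a real token would make.
            sig = hmac.new(self.keys[blob][0], data, hashlib.sha256).digest()
            return frame(SSH_AGENT_SIGN_RESPONSE, sig)
        return frame(SSH_AGENT_FAILURE)


def session(pin=TOKEN_PIN):
    """Run add -> list -> sign; return the request frames and the agent's replies."""
    agent = MiniAgent()
    reqs = [add_smartcard_key(b"/path/to/constructed-pkcs11-module.so", pin),
            request_identities(),
            sign_request(TOKEN_KEY_BLOB, b"constructed-session-id-to-sign")]
    return reqs, [agent.handle(r) for r in reqs]


def frames_carrying_pin(frames, pin=TOKEN_PIN):
    """Message types whose wire bytes contain the PIN, i.e. what a forwarded hop could read."""
    return [unframe(f)[0] for f in frames if pin in f]
```

Running `session()` and then `frames_carrying_pin(reqs)` returns only SSH_AGENTC_ADD_SMARTCARD_KEY: the add happens on the host where the user types the PIN, while the list and sign requests that get forwarded contain no PIN, so a compromised intermediate host sees at most the same requests it could already issue itself.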