[Bug 1371] Add PKCS#11 (Smartcards) support into OpenSSH

bugzilla-daemon at bugzilla.mindrot.org
Mon Jun 30 03:53:02 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1371
--- Comment #51 from Alon Bar-Lev <alon.barlev at gmail.com>  2008-06-30 03:52:57 ---

Hello,

(In reply to comment #50)
> I don't think the protocol should be modified to accept a tty channel.
> The SSH agent protocol allows for forwarded operation through hosts that
> may not be completely trustworthy. Passing a pin though for frequent
> operations like listing identities or private key operations increases
> the likelihood that it will be exposed.

How do you propose solving the issue of console only mode without
touching the client? Currently the agentless mode is the only solution
for this one.

> Better IMO to cache the pin in the agent at the time the key is added -
> this is what the existing smartcard support does. Caching the pin in
> the agent is no additional security risk - if the agent host were
> compromised then an attacker could just as easily steal the pin when it
> was used.

Wrong.
Caching the smartcard PIN is non-standard, unexpected and insecure. It is
part of the problem in the current implementation. People implement
external patches to fix this behavior [1], [2].

Smartcard usage best practice forces re-authentication after the smartcard
is powered off (removed and inserted), or when the smartcard session
duration expires.

Also, implementation should allow re-authentication for each
application instance/type.

> As for other protocol extensions - please keep it simple for now. Part
> of the difficulty with merging the existing pkcs#11 patch is that it
> touches much more than it strictly needs to. Better to start simple and
> add features based on clear need.

I add all features based on clear need. Hardware cryptography best
practices are different than software ones.

The PKCS#11 patch touches exactly the same locations as the current
smartcard implementation, in order to provide a full replacement and
allow its removal in future, while adding support for the expected
behavior of re-authentication and prompting the user to insert the
token if needed.

I will be more than happy to reduce the size of the patch! But I won't
compromise on security, as the target of hardware cryptography is to
improve the security level of OpenSSH, not to provide a "nice" feature
to the list.

[1]
http://www.opensc-project.org/opensc/browser/trunk/src/openssh/README
[2]
http://www.opensc-project.org/opensc/browser/trunk/src/openssh/ask-for-pin.diff
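The two agent behaviours debated in this thread, modelled side by side as an added example (not OpenSSH, OpenSC or patch code): a caching agent replays the PIN silently after a remove/insert cycle, while the re-authentication agent binds each login to one application instance and to one power-on session with an expiry. FakeToken, its power-cycle counter and the tick() clock are constructed stand-ins for a real PKCS#11 token and slot events.

```python
import hashlib

class ReauthRequired(Exception):
    """The agent must involve the user (PIN entry or token insertion) before continuing."""

class FakeToken:
    """Constructed stand-in for a smartcard; power_cycles counts insertions so that a
    login can be tied to the power-on session it was made in."""
    def __init__(self, pin: str):
        self._pin, self.present, self.power_cycles = pin, False, 0
    def insert(self) -> None:
        self.present, self.power_cycles = True, self.power_cycles + 1
    def remove(self) -> None:
        self.present = False
    def verify_pin(self, pin: str) -> bool:
        return self.present and pin == self._pin
    def sign(self, data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()  # stands in for the card's private-key op

class CachingAgent:
    """Comment #50's approach: the PIN is kept at key-add time and replayed without the user."""
    def __init__(self, token: FakeToken, pin: str):
        self.token, self.pin = token, pin
    def sign(self, app_id: str, data: bytes) -> str:
        if not self.token.verify_pin(self.pin):
            raise ReauthRequired("insert token")
        return self.token.sign(data)  # succeeds silently even after a remove/insert cycle

class ReauthAgent:
    """The policy argued for here: no PIN is kept; a login belongs to one application
    instance and is void after token power-off or after max_age ticks of an assumed clock."""
    def __init__(self, token: FakeToken, max_age: int):
        self.token, self.max_age, self.now = token, max_age, 0
        self.logins = {}  # app_id -> (power cycle at login, login time)
    def tick(self, n: int = 1) -> None:
        self.now += n
    def login(self, app_id: str, pin: str) -> None:
        if not self.token.verify_pin(pin):
            raise ReauthRequired("insert token / retry PIN")
        self.logins[app_id] = (self.token.power_cycles, self.now)  # the PIN itself is dropped
    def sign(self, app_id: str, data: bytes) -> str:
        if not self.token.present:
            raise ReauthRequired("insert token")
        entry = self.logins.get(app_id)
        if (entry is None or entry[0] != self.token.power_cycles
                or self.now - entry[1] > self.max_age):
            self.logins.pop(app_id, None)
            raise ReauthRequired("PIN required")
        return self.token.sign(data)
```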
