[Bug 1371] Add PKCS#11 (Smartcards) support into OpenSSH
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Mon Jun 30 07:46:32 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1371
--- Comment #52 from Damien Miller <djm at mindrot.org> 2008-06-30 07:46:28 ---
(In reply to comment #51)
> > Better IMO to cache the pin in the agent at the time the key is added -
> > this is what the existing smartcard support does. Caching the pin in
> > the agent is no additional security risk - if the agent host were
> > compromised then an attacker could just as easily steal the pin when it
> > was used.
>
> Wrong.
> Caching smartcard PIN is none standard, unexpected and unsecure. It is
> part of the problem in current implementation. People implement
> external patches to fix this behavior [1], [2].
Can you offer a rationale for why this is insecure? I think I have
given a good argument for why caching the pin gives no additional
security risk, while passing it though does.
> Smartcard usage best practice forces re-authentication after smartcard
> is powered off (removed and inserted), or when smartcard session
> duration expires.
What defines a "smartcard session"?
As for poweroff/removal, the cleanest way to deal with these is simply
to invalidate all keys that were hosted on the card and force the user
to re-add them.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list