[Bug 2430] ssh-keygen should allow to login before reading public key from smart card

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Jul 20 20:59:49 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2430

--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
These cards exist, for example, as National IDs (for example Belgium, from
a colleague's experience [1]). Unfortunately, the wiki does not explicitly
mention the mechanism of handling the public key. But it can be found, for
example, in this article [2].

It is often enforced as a policy by the generator/distributor of the cards
rather than by the user, in nation-wide or corporate scenarios.

A solution with a switch would probably be more familiar, but it would be
great to have one switch, unlike the switches for the shared pkcs11
library, which differ:
ssh -I *.so
ssh-keygen -D *.so
ssh-add -s *.so

I can think of -U as "Unlock", which is unused on all three of them.
Handling this inside ssh tools would require some design decisions on how
to make it clear, secure and transparent even for readers' keypads.

[1] https://en.wikipedia.org/wiki/Electronic_identity_card#Belgium
[2] http://wiki.yobi.be/wiki/Belgian_eID#pkcs11-tool
