Smartcards & SSH

Damien Miller djm at mindrot.org
Wed Oct 18 10:03:35 EST 2000


On Tue, 17 Oct 2000, Tommaso Cucinotta wrote:

> Hi all,
> 
> I'm new to this mailing list, so I apologize if my question
> is "obsolete" for you.
> 
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.
> 
> I yet got a modified ssh-agent (by Stephen Pellicer)
> that uses SSP-Lite (CyberflexAccess driver by me)
> in order to use the smartcard instead of the HD files.
> 
> Instead, I'd like to INTEGRATE that with the
> original, file-based, ssh environment.

What do you mean by this? Surely you would prefer to keep the keys
(and preferably the action of signing) on the cards themselves?

> I'd like to know what do you think about this, and
> HOW the work should be accomplished, to maintain
> your kind of architecture (ssh-agent, ssh-add, ...).

Smartcard integration would best be done at the ssh-agent level.
Since it already does the signing of challenges internally, it 
wouldn't be too much effort to hand this over to the card via 
pkcs#11 or whatever. You might need a ssh-keygen-smartcard, which 
would probably also pass the operations off to the card.

If the cards that you are using don't do crypto, then you would
probably best modify ssh-add to read the keys and hand them to
ssh-agent. ssh-keygen would need to be modified to store its keys 
in the cards (or you could use a transfer utility).

> I'd like to know what PAM is used for, in the ssh
> framework, too (sorry if I missed some/many docs
> from your site).

PAM support is used for password authentication and enforcing account
restrictions. Some work is underway for more complete PAM support using
SSH2's kbd-interactive authentication mode.

-d 

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, / 
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org
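Added example, not from the original thread and not OpenSSH's own code: a minimal agent, in Python, that keeps no private key of its own and hands every SSH_AGENTC_SIGN_REQUEST to a backend object standing in for the card, which is the division of labour the reply proposes. The message numbers (5, 6, 11, 12, 13, 14) and the string/frame encoding follow the OpenSSH agent protocol; CardSigner, DemoAgent, the key type name 'card-demo' and the HMAC-SHA256 "signature" are constructed stand-ins so the script runs offline without a card or a PKCS#11 library (a real backend would call C_Sign and return an RSA or ECDSA signature).

```python
import hashlib
import hmac
import struct

# Agent protocol message numbers (OpenSSH PROTOCOL.agent / draft-miller-ssh-agent)
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; returns (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off:off + n], off + n


def frame(msg: bytes) -> bytes:
    """Socket framing used by the agent: uint32 length + message."""
    return struct.pack(">I", len(msg)) + msg


def unframe(wire: bytes) -> bytes:
    (n,) = struct.unpack_from(">I", wire, 0)
    if n != len(wire) - 4:
        raise ValueError("bad frame length")
    return wire[4:4 + n]


class CardSigner:
    """Stand-in for a smartcard session (hypothetical). The secret never leaves this
    object; the agent only holds the public blob and calls sign(), as it would call
    PKCS#11 C_Sign on a real card."""
    KEY_TYPE = b"card-demo"  # constructed key type, not an OpenSSH algorithm name

    def __init__(self, label: str, secret: bytes):
        self.label = label
        self._secret = secret  # non-exportable on a real card

    def public_blob(self) -> bytes:
        # Public blob: string type, string public handle (derived, not the secret)
        handle = hashlib.sha256(b"pub:" + self._secret).digest()
        return ssh_string(self.KEY_TYPE) + ssh_string(handle)

    def sign(self, data: bytes) -> bytes:
        # HMAC stands in for the card's internal RSA/ECDSA signing
        return hmac.new(self._secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


class DemoAgent:
    """Agent that dispatches sign requests to card backends keyed by public blob."""
    def __init__(self):
        self._cards = {}

    def add_card(self, card: CardSigner):
        # What 'ssh-add' would do after reading the card: register the handle
        self._cards[card.public_blob()] = card

    def serve(self, wire: bytes) -> bytes:
        """Handle one framed request from the socket, return a framed reply."""
        return frame(self._handle(unframe(wire)))

    def _handle(self, request: bytes) -> bytes:
        msg_type = request[0]
        if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
            body = struct.pack(">I", len(self._cards))
            for blob, card in self._cards.items():
                body += ssh_string(blob) + ssh_string(card.label.encode())
            return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body
        if msg_type == SSH_AGENTC_SIGN_REQUEST:
            blob, off = read_string(request, 1)
            data, off = read_string(request, off)
            (_flags,) = struct.unpack_from(">I", request, off)
            card = self._cards.get(blob)
            if card is None:
                return bytes([SSH_AGENT_FAILURE])  # unknown key: refuse, never guess
            sig = ssh_string(CardSigner.KEY_TYPE) + ssh_string(card.sign(data))
            return bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(sig)
        return bytes([SSH_AGENT_FAILURE])


# Client side: what ssh / ssh-add would send over the agent socket
def list_identities(agent: DemoAgent):
    reply = unframe(agent.serve(frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))))
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return []
    (n,) = struct.unpack_from(">I", reply, 1)
    off, ids = 5, []
    for _ in range(n):
        blob, off = read_string(reply, off)
        comment, off = read_string(reply, off)
        ids.append((blob, comment.decode()))
    return ids


def request_signature(agent: DemoAgent, blob: bytes, data: bytes):
    """Returns (algo, sig_bytes), or None if the agent refused."""
    req = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(blob)
           + ssh_string(data) + struct.pack(">I", 0))
    reply = unframe(agent.serve(frame(req)))
    if reply[0] != SSH_AGENT_SIGN_RESPONSE:
        return None
    sig, _ = read_string(reply, 1)
    algo, off = read_string(sig, 0)
    raw, _ = read_string(sig, off)
    return algo, raw


if __name__ == "__main__":
    card = CardSigner("cyberflex slot 0", b"constructed-demo-secret")
    agent = DemoAgent()
    agent.add_card(card)
    blob, comment = list_identities(agent)[0]
    challenge = b"constructed: session-id || userauth request"
    algo, sig = request_signature(agent, blob, challenge)
    print(comment, algo, card.verify(challenge, sig),
          request_signature(agent, b"no-such-key", challenge))
```

The sign path shows what the layout buys: the client sees only a public blob and a signature, the agent holds only a handle to the card, and the secret stays inside CardSigner. OpenSSH later shipped exactly this shape: ssh-add -s <pkcs11 provider> loads card keys into ssh-agent, ssh-keygen -D <provider> lists their public halves, and ssh -I <provider> uses them directly.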