Smartcards & SSH

Tommaso Cucinotta t.cucinotta at sssup.it
Thu Oct 19 04:35:14 EST 2000


Markus Friedl wrote:
> 
> 
> this is what i'm going to do and i think this is the
> best way to integrate smartcard support. do you have
> pointers to these modifications or any other info?

How are you going to achieve such integration, i.e.
what kind of smartcard-related software are you going
to use ?

I have those ssh-agent modified files, and I'm going
to review them, then post on the smartsign website:

	http://smartsign.sourceforge.net

> > Instead, I'd like to INTEGRATE that with the
> > original, file-based, ssh environment.
> 
> how?
> 
> > I'd like to know what do you think about this, and
> > HOW the work should be accomplished, to maintain
> > your kind of architecture (ssh-agent, ssh-add, ...).
> 
> i don't understand what you exactly want...

What I meant is that I'd like not to have separate
applications to start for smartcard-aware SSH and "normal"
file-based SSH.

I would prefer a solution that allows a user to launch
his ssh-agent, then ssh-add a smartcard's key (just tell
the agent HOW to use the key with the SC, not giving
the key to the agent itself), and use ssh in the usual
way, except that I should enter smartcard's PIN instead
of the private key's passphrase.

So the problem is: is there anybody out there who can give me
hints/suggestions about

1. how to incorporate a sort of "modularity" in SSH Agent, in
   such a way that it uses "cryptographic modules" to make
   authentication, independently of the way such modules
   operate (it seems that the separation between ssh and
   ssh-agent wants to achieve just this, but now I have
   this problem of the "agent modularity"). Maybe that
   PKCS#11 is a (Netscape-like) reasonable solution ?
2. how could PAM be used to achieve the task. Does ssh-agent,
   by now, use PAM at all ? Is there a way to use PAM to
   achieve the agent's modularity ?
3. What is a PAM radius agent and a SecurID token (I refer
   to "carl at bl.echidna.id.au"'s message) ?
4. What documents could I read about these issues ?
5. I developed an (OpenSource) smartcard-aware PAM module
   for LOCAL authentications on a PC (i.e. at the login,
   for example). Could I integrate such a tool into the
   ssh-agent ??

I apologize if I missed some evident documents which I could
easily get from OpenSSH's site or the Internet, and pray
anyone to email me URLs to such docs, if any.

Many thanks in advance, bye,

	Tommaso Cucinotta.

-- 
/------------------------------------------------\
|  Dr. Tommaso Cucinotta <t.cucinotta at sssup.it>  |
+------------------------------------------------+
|     Scuola Superiore di Studi Universitari     |
|            e Perfezionamento S.Anna            |
|  Pisa                                   Italy  |
\------------------------------------------------/





More information about the openssh-unix-dev mailing list