Smartcards & SSH

Damien Miller djm at mindrot.org
Thu Oct 19 10:09:58 EST 2000


On Wed, 18 Oct 2000, Tommaso Cucinotta wrote:

> > i don't understand what you exactly want...
> 
> What I was meaning is that I'd like not to have separate
> applications to start for smartcard-aware SSH and "normal"
> file-based SSH.
> 
> I would prefer a solution that allows a user to launch
> his ssh-agent, then ssh-add a smartcard's key (just tell
> the agent HOW to use the key with the SC, not giving
> the key to the agent itself), and use ssh in the usual
> way, except that I should enter smartcard's PIN instead
> of the private key's passphrase.
> 
> So the problem is: is out there anybody who can give me
> hints/suggestions about
> 
> 1. how to incorporate a sort of "modularity" in SSH Agent, in
>    such a way that it uses "cryptographic modules" to make
>    authentication, independently of the way such modules
>    operate (it seems that the separation between ssh and
>    ssh-agent wants to achieve just this, but now I have
>    this problem of the "agent modularity"). Maybe
>    PKCS#11 is a (Netscape-like) reasonable solution?

PKCS11 is how you would talk to the smartcards; you also need
to modify ssh-agent so it knows which keys are in memory and
which keys can be accessed through pkcs11.

Do you want to use the card as a keystore, or do you want
to sign challenges on the card?

> 2. how could PAM be used to achieve the task. Does ssh-agent,
>    by now, use PAM at all ? Is there a way to use PAM to
>    achieve the agent's modularity ?

No - PAM deals with system authentication and knows nothing about
crypto keys. There has been talk of a PAM module that does RSA
authentication, but I haven't seen it yet.

> 3. What is a PAM radius agent and a SecurID token (I refer
>    to "carl at bl.echidna.id.au"'s message) ?

SecurID is a token based one-time-password system. The PAM radius
module is used to talk to the proprietary SecurID server.

BTW where can I find this PAM radius module? The docs on the one I
have say that it only does RADIUS accounting.

-d

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, / 
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org