Example SmartCard enabled OpenSSH agent.

Tommaso Cucinotta cucinotta at sssup.it
Thu Aug 23 13:56:32 EST 2001


Hi all,

as an example of SSP-Lite middleware, I modified the
OpenSSH-2.9p2 sources to support Smart Cards.

The new module is just an experiment. It uses a new
OpenSSL RSA method I built to communicate
with the smartcard through the SSP/PCSC stack
when normal OpenSSL RSA operations are invoked
by OpenSSH.

I couldn't embed the module as I wanted into the OpenSSH
sources because of the lack of generality of the "key.h"
interface. I have some ideas to change that.

If anybody is interested in using/testing/developing,
please write to the smartsign mailing list.

A quick overview of the module follows.

Thank you for your attention.

	Best regards,

		Tommaso Cucinotta.

************************************************************
This is a modified version of the OpenSSL 2.9p2 source tree,
containing an experimental, pre-pre-alpha, smartcard module
for use with SSP-Lite from the SmartSign project
(http://smartsign.sourceforge.net)
 
Summary of changes:
 
- Requires PCSC-Lite, a PCSC reader driver,
  SSP-Lite and a SSP-Lite card driver (actually
  only Schlumberger Cyberflex Access 16K supported)
 
- Enabling SSP-Lite module during configuration
 
  ./configure --with-ssplite
 
- Building modified programs
 
  . make ssh-agent
  . make ssh-add
  . make ssh-keygen
  ** DO NOT TRY TO BUILD OTHER OPEN-SSH STUFF, PLEASE **

- ssh-agent
 
  . Launch as usual, here you don't need anything special
 
- ssh-add
 
  . Launch with the '-sc' option to add the smartcard
    identity: you will be prompted for the smartcard PIN
  . Launch as usual to add other (file) identities
  . Use 'ssh-add -L' to view the actual smartcard
    identity
  . After adding the identity, use the NORMAL ssh client
    to connect to a remote server using the smartcard
 
- ssh-keygen
 
  . Launch with the '-t rsa-sc' option to generate a
    keypair and store it on the smartcard. Please note
    that after key generation the program will fail,
    but the key generation/storing process would be fine.
    Try 'eval `./ssh-agent`; ssh-add -L' to view the
    new identity's public information

  . Launch as usual to generate file-based key pairs.
  . Sorry, this is really unfinished, yet. I couldn't
    figure out how to embed the key generation process
    in the OpenSSH framework...
 
- For further information, please, refer to the SmartSign
  mailing list:
 
    smartsign-users at lists.sourceforge.net

************************************************************


-- 
/------------------------------------------------\
|  Dr. Tommaso Cucinotta <t.cucinotta at sssup.it>  |
+------------------------------------------------+
|     Scuola Superiore di Studi Universitari     |
|            e Perfezionamento S.Anna            |
|  Pisa                                   Italy  |
\------------------------------------------------/