Muscle Card Edge with OpenSSH

Tommaso Cucinotta kefren at tin.it
Sun Nov 18 05:27:00 EST 2001


Hi all,

a modified version of the OpenSSH client programs
has been released on the Smart Sign Web Site

	http://smartsign.sourceforge.net

that uses Muscle Card Edge technology. It directly
generates an OpenSSH private key onto a JavaCard
2.1.1 compliant smart card (using the CardEdge key generation
facility) and uses it from the card itself.

The private key can never get compromised after generation!

The code has been integrated into the OpenSSH sources so
as to allow normal OpenSSH behaviour. Smartcards are used
only if the user requests them with special command-line
options.

This package has been compiled and tested on the Win2K platform,
too (using Cygwin).

Feedback is welcome!

Details follow. Bye,
	
	Tommaso.


----------
SUMMARY OF CHANGES:
 
- Requires PCSC-Lite, a PCSC reader driver and
  MuscleCard API Toolkit (it also requires a smart
  card reader and its driver for PCSC-Lite and
  a JavaCard-2.1.1 compliant smart card with
  the Card Edge Applet already pre-loaded).
 
- Enabling Card Edge module during configuration
 
  ./configure --with-musclecard=path (defaults to /usr/local)
 
- Building modified programs
 
  . make ssh-agent
  . make ssh-add
  . make ssh-keygen
  (you can also try a single make)
  ** DO NOT TRY TO BUILD OTHER OPEN-SSH PROGRAMS, PLEASE **
  ** On Windows, type make ssh-agent.exe, ...
 
- ssh-agent
 
  . Launch as usual, here you don't need anything special
 
- ssh-add
 
  . Launch with the '-sc' option to add the smartcard
    identity: you will be prompted for the smartcard PIN
  . Launch as usual to add other (file) identities
  . Use 'ssh-add -L' to view all the loaded identities
    (also the SC)
  . After adding the identity, use the NORMAL ssh client
    to connect to a remote server using the smartcard

- ssh-keygen
 
  . Launch with the '-t rsa-sc' option to generate a
    keypair and store it on the smartcard. Please note
    that after key generation the program will fail,
    but the key generation/storing process will be fine.
    Try 'eval `./ssh-agent`; ssh-add -L' to view the
    new identity's public information
  . Launch as usual to generate file-based key pairs.
  . Sorry, this is still really unfinished. I couldn't
    figure out how to embed the key generation process
    in the OpenSSH framework...
 
- Customizing behaviour
 
  This module uses the card PIN and the public and private key
  numbers as specified in the file rsa_sc.c, under the
  "Customization options" section. You can change their
  values if you need to.
 
- Note
 
  This module does not use any certificates for key
  management.
 
- For further information, please refer to the SmartSign
  mailing list:
 
  smartsign-users at lists.sourceforge.net

-- 
/------------------------------------------------\
|  Dr. Tommaso Cucinotta <t.cucinotta at sssup.it>  |
+------------------------------------------------+
|     Scuola Superiore di Studi Universitari     |
|            e Perfezionamento S.Anna            |
|  Pisa                                   Italy  |
\------------------------------------------------/
