OpenSSH and Smartcard

Boris von Alten Blaskowitz borisvab at gmx.de
Sun Apr 3 01:08:35 EST 2005 

Hi Nils,

I know it comes from opensc. But as far as I know opensc is not 
responssible. Because openssh should ask the user for the pin and set 
the smartcard in the right condition. Is this correct?

I have I bad feeling with the ssh-agent. For example:
A intruder can send every kind of data(email text) during a user session 
to the ssh-agent and this will be signed . If the user set not time 
limit. (I am not validate this topic yet. So it is just an idea ...)
Another is,  that root kan switch to my account and has also access to 
my ssh-keys on the smartcard.

I would prefer, not to use the ssh-agent. SSH or OpenSC, depending who 
is responssible, should ask me directly for the PIN for every new 
connection. I already made a hack and it works fine.  But I am not sure 
about sideeffects. So what do you think??

Boris

Nils Larsch wrote:
> Boris von Alten Blaskowitz wrote:
> 
>> Hi,
>>
>> I am not sure if this the right place for the question. Sorry if not ...
> 
> 
> as the error comes from opensc the opensc mailing list might have
> been more appropriate
> 
>>
>> My System:
>> SuSE 9.2
>> OpenSSH 3.9p1
>>
>> I have trouble to use a Smartcard with openssh. If i try to connect 
>> directly to the Smartcard, it fails:
>>
>> ssh -I 0:45 localhost
>>
>> card-etoken.c:175:etoken_check_sw: required access right not granted 
>> card-etoken.c:631:do_compute_signature: returning with: Security 
>> status not satisfied card-etoken.c:175:etoken_check_sw: required 
>> access right not granted card-etoken.c:631:do_compute_signature: 
>> returning with: Security status not satisfied 
>> card-etoken.c:175:etoken_check_sw: required access right not granted 
>> card-etoken.c:631:do_compute_signature: returning with: Security 
>> status not satisfied sec.c:53:sc_compute_signature: returning with: 
>> Security status not satisfied 
>> pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() 
>> failed: Security status not satisfied sc_pkcs15_compute_signature() 
>> failed: Security status not satisfied ssh_rsa_sign: RSA_sign failed: 
>> error:00000000:lib(0):func(0):reason(0)
>>
>> This is happen because openssh never prompt for the pin.
>>
>> If I use the openssh-agent and ssh-add everything works well.
>> ssh-add -s 0
>> ssh localhost
>>
>> :) --> Have a lot of fun
>>
>>
>> The question now:
>> Does Smartcards only work, if I use the ssh-agent or should the "ssh 
>> -I 0:45 localhost" command also work????
> 
> 
> with the current design the use of the agent is strongly recommended
> 
> Nils
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
>

More information about the openssh-unix-dev mailing list