Dynamic smartcard support?
Damien Miller
djm at mindrot.org
Sat Apr 9 11:34:17 EST 2005
Darren J Moffat wrote:
> OpenSSL provides a nice abstraction layer for this in its dso
> module. OpenSSH could use that OpenSSL interface for doing dynamic
> loading.
No, we really don't want to do dynamic loading in OpenSSH.
Even with abstration layers it still adds complexity and is can be quite
fragile with regards to lazy binding and privsep chroot. Some
platforms[1] even have problems in ld.so with OpenSSH doing chroot.
(Yes, I know that PAM is already doing dynamic loading implicitly, but
since a platform's PAM implementation is usually maintained by the
platform vendor, it usually doesn't bite us too badly)
I'd prefer to to see a protocol interface to the smartcard routines.
E.g. over a local socket, or by pipe+fork+exec. One of the OpenBSD
developers was going to work on this, but went off and started hacking
isakmpd instead. So, volunteers welcome :)
-d
[1] https://bugzilla.redhat.com/beta/show_bug.cgi?id=144303
More information about the openssh-unix-dev
mailing list