PKCS#11 support for openssh

Alon Bar-Lev alon.barlev at
Wed Nov 16 08:36:18 EST 2005

Dan C wrote:
> Thanks for your quick reply.
> On Mon, Nov 14, 2005 at 10:11:06PM +0200, Alon Bar-Lev wrote:
>>Dan C wrote:
>>>On Mon, Nov 14, 2005 at 09:54:46AM +0200, Alon Bar-Lev wrote:
>>>Unfortunately I'm unable to use the OpenSC PKCS#11 provider as desired
>>>with my card, as the manufacturer (Aladdin's eToken) does not use a
>>>compliant layout. They have however recently developed their own
>>>proprietary PKCS#11 module, so obviously I'm keen for OpenSSH PKCS#11
>>But I heard of success in using eToken with OpenSC and 
>>PKCS#11 provider...
>>Maybe you want to use the same content in Windows and 
>>Linux... Then I agree that it is not possible...
> Yeah, that's correct.
> Previously I've been using a seperate card initialized with OpenSC's
> pkcs15-init. But with Aladdin's upcoming PKCS#11 module, it would be
> nice to consolidate all of my key usage onto one card.
>>>I suspect that I'm not actually using your patch as intended though.
>>>Should I still be able to, as previously with OpenSC - generate a self
>>>signed certifcate with my existing RSA private key, import the pair to
>>>my card and then reference the private key to log into my legacy SSH
>>Well... You need the X.509 patch for your host... I think 
>>that smartcards should be used with X.509... I have a 
>>discussion regarding this issue with OpenSSH developers...
>>Roumen Petrov does not support self-signed certificate in 
>>his X.509 patch implementation... I've asked him to... He is 
>>thinking on it....
>>So if you can use a certificate which is not self-signed... 
>>It would be the best... Until things will clear up.
> Ah, I see - then I haven't been using it as intended. The existing
> OpenSC support allows you to reference a private RSA key and a public
> key in the form of a certificate generated against the private key (to
> humour the smartcard structure), in order to authenticate against
> standard SSH2 public-key hosts. No patching of remote hosts or amending
> authorized_keys files.
> I agree with your reasoning for x509 over raw RSA support. But I think a
> replacement of the existing OpenSC support would need to still handle
> raw RSA. It would be invaluable for people with existing SSH2 PKI
> environments.
> Regards,
> Dan


Attached is an update to the PKCS#11 patch. It can now be 
applied as standalone without X.509 patch, but is X.509 
patch aware.

A valid X.509 certificate must still exist on the token, but 
without X.509 support it is exported as regular RSA key.

There is a nice utility Timo Felbinger wrote 
( that extracts 
ssh public key from X.509 certificate.

If you like X.509 support apply the X.509 patch *AFTER* the 
PKCS#11 patch. There are minor rejects that can be easily 
corrected by:
$ autoreconf -i -v

The new patch also supports self-signed certificates. If it 
finds one it treats it as RSA key and not as X.509 RSA key, 
Roumen, I think this should be the default behavior of the 
X.509 patch.

Waiting to receive many more comments...

Best Regards,
Alon Bar-Lev.

More information about the openssh-unix-dev mailing list