PKCS#11 support for openssh

Alon Bar-Lev alon.barlev at
Wed Nov 16 19:07:20 EST 2005

Dan C wrote:
> Alon, that's great - thank you for the update. It works perfectly in
> keeping with the old OpenSC support, but with the added flexibility of
> being able to use _any_ available PKCS#11 provider. A good improvement I
> feel.
> My only remaining thoughts echo that of Andreas's, in that it would be
> useful to have "direct" ssh(1) support. For both the ease of being able
> to choose i.e. "ssh -I0 <host>" when you wish, as well as being able to
> hardset options to use card auth for specified hosts in ssh_config(5).
> Please feel free to pass my comments on to the list/Roumen/Andreas and
> by all means throw any further testing my way.
> Regards,
> Dan

Hello Dan,

I am glad that all works!

I agree that there should be a simple way to use ssh with 
smartcard support... But I don't like the current implementation 
in which the code is written twice, once for the agent and 
second for the ssh.

I think that ssh should always use the agent, and if not 
available execute it (or convert the agent to a library). 
Then ssh can read the config file and add identities as if 
the agent is external. This way the private key handling 
will be implemented in one place....

When I get some kind of positive response from the openssh 
developers, I will discuss what the user interface of the 
PKCS#11 support should be and implement a more friendly 

Best Regards,
Alon Bar-Lev.

More information about the openssh-unix-dev mailing list