PKCS#11 support for openssh
Alon Bar-Lev
alon.barlev at gmail.com
Wed Nov 16 19:07:20 EST 2005
Dan C wrote:
> Alon, that's great - thank you for the update. It works perfectly in
> keeping with the old OpenSC support, but with the added flexibility of
> being able to use _any_ available PKCS#11 provider. A good improvement I
> feel.
>
> My only remaining thoughts echo that of Andreas's, in that it would be
> useful to have "direct" ssh(1) support. For both the ease of being able
> to choose ie. "ssh -I0 <host>" when you wish, as well as being able to
> hardset options to use card auth for specified hosts in ssh_config(5).
>
> Please feel free to pass my comments on to the list/Roumen/Andreas and
> by all means throw any further testing my way.
>
> Regards,
> Dan
Hello Dan,

I am glad that all works!

I agree that there should be a simple way to use ssh with
smartcard support... But I don't like the current implementation
in which the code is written twice, once for the agent and
second for the ssh.

I think that ssh should always use the agent, and if not
available execute it (Or convert the agent to a library).
Then ssh can read the config file and add identities as if
the agent is external. This way the private key handling
will be implemented in one place....

When I get some kind of positive response from the openssh
developers, I will discuss what the user interface of the
PKCS#11 support should be and implement a more friendly
interface.

Best Regards,
Alon Bar-Lev.