PKCS#11 support for openssh

Roumen Petrov openssh at roumenpetrov.info
Thu Nov 17 09:40:48 EST 2005


Alon,

you should improve the security of the code. I already sent some notes off-list.


Alon Bar-Lev wrote:
> Dan C wrote:
> 
>> Thanks for your quick reply.
>>
>> On Mon, Nov 14, 2005 at 10:11:06PM +0200, Alon Bar-Lev wrote:
>>
>>> Dan C wrote:
>>>
>>>> On Mon, Nov 14, 2005 at 09:54:46AM +0200, Alon Bar-Lev wrote:
>>>> Unfortunately I'm unable to use the OpenSC PKCS#11 provider as desired
>>>> with my card, as the manufacturer (Aladdin's eToken) does not use a
>>>> compliant layout. They have however recently developed their own
>>>> proprietary PKCS#11 module, so obviously I'm keen for OpenSSH PKCS#11
>>>> support.
>>>
>>>
>>> But I heard of success in using eToken with OpenSC and PKCS#11 
>>> provider...
>>> Maybe you want to use the same content in Windows and Linux... Then I 
>>> agree that it is not possible...
>>
>>
>>
>> Yeah, that's correct.
>>
>> Previously I've been using a separate card initialized with OpenSC's
>> pkcs15-init. But with Aladdin's upcoming PKCS#11 module, it would be
>> nice to consolidate all of my key usage onto one card.
>>
>>
>>>> I suspect that I'm not actually using your patch as intended though.
>>>> Should I still be able to, as previously with OpenSC - generate a self
>>>> signed certificate with my existing RSA private key, import the pair to
>>>> my card and then reference the private key to log into my legacy SSH
>>>> hosts?
>>>
>>>
>>> Well... You need the X.509 patch for your host... I think that 
>>> smartcards should be used with X.509... I have a discussion regarding 
>>> this issue with OpenSSH developers...
>>>
>>> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113096115818802&w=2
>>>
>>> Roumen Petrov does not support self-signed certificate in his X.509 
>>> patch implementation... I've asked him to... He is thinking on it....
>>>
>>> So if you can use a certificate which is not self-signed... It would 
>>> be the best... Until things will clear up.
>>
>>
>>
>> Ah, I see - then I haven't been using it as intended. The existing
>> OpenSC support allows you to reference a private RSA key and a public
>> key in the form of a certificate generated against the private key (to
>> humour the smartcard structure), in order to authenticate against
>> standard SSH2 public-key hosts. No patching of remote hosts or amending
>> authorized_keys files.
>>
>> I agree with your reasoning for x509 over raw RSA support. But I think a
>> replacement of the existing OpenSC support would need to still handle
>> raw RSA. It would be invaluable for people with existing SSH2 PKI
>> environments.
>>
>> Regards,
>> Dan
>>
> 
> Hello,
> 
> Attached is an update to the PKCS#11 patch. It can now be applied 
> standalone, without the X.509 patch, but it is X.509 patch aware.
> 
> A valid X.509 certificate must still exist on the token, but without 
> X.509 support it is exported as regular RSA key.
> 
> There is a nice utility Timo Felbinger wrote 
> (http://www.timof.qipc.org/x509toOpenSSH.c) that extracts the ssh public key 
> from an X.509 certificate.
> 
> If you like X.509 support apply the X.509 patch *AFTER* the PKCS#11 
> patch. There are minor rejects that can be easily corrected by:
> $ autoreconf -i -v
> 
> The new patch also supports self-signed certificates. If it finds one it 
> treats it as an RSA key and not as an X.509 RSA key. Roumen, I think this 
> should be the default behavior of the X.509 patch.
> 
> Waiting to receive many more comments...
> 
> Best Regards,
> Alon Bar-Lev.

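The extraction step the thread keeps coming back to (the RSA key inside an X.509 certificate on the token being reused as a plain ssh-rsa key against an unpatched sshd) as an added example; this is not Timo Felbinger's x509toOpenSSH.c nor code from either patch. It assumes the certificate's SubjectPublicKeyInfo is supplied as DER (for instance `openssl x509 -in cert.pem -pubkey -noout`, base64-decoded after stripping the PEM header and footer), and the embedded sample key is a constructed toy value, not a real key.

```python
import base64
import struct

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

# Constructed sample (not a real key): SubjectPublicKeyInfo with a toy 24-bit
# modulus n = 0xC0FFEE and e = 65537; real moduli are 2048 bits or more.
SAMPLE_SPKI_DER = bytes.fromhex(
    "301f300d06092a864886f70d0101010500"   # SEQUENCE { AlgorithmIdentifier rsaEncryption NULL,
    "030e00300b020400c0ffee0203010001")    #            BIT STRING { RSAPublicKey { n, e } } }

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV at pos (short and long-form lengths)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long form: 0x8N, then N length bytes
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content):
    """Split a constructed DER value's content into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def ssh_mpint(n):
    """RFC 4251 mpint: length-prefixed two's-complement big-endian, so a 0x00 byte is
    prepended when the top bit is set (every RSA modulus hits this case)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def spki_to_openssh(spki_der, comment="x509-cert"):
    """DER SubjectPublicKeyInfo (the PEM body that 'openssl x509 -pubkey -noout' prints)
    -> one 'ssh-rsa <base64 blob> <comment>' line in RFC 4253 public-key format."""
    tag, body, _ = der_read(spki_der)
    (alg_tag, alg), (bs_tag, bitstr) = der_children(body)
    if (tag, alg_tag, bs_tag) != (0x30, 0x30, 0x03):
        raise ValueError("not a SubjectPublicKeyInfo structure")
    if der_children(alg)[0][1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key; only RSA maps onto ssh-rsa")
    # BIT STRING content = one 'unused bits' byte + DER RSAPublicKey { n INTEGER, e INTEGER }
    (_, n_bytes), (_, e_bytes) = der_children(der_read(bitstr[1:])[1])
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    blob = struct.pack(">I", 7) + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

The resulting line can be appended to authorized_keys on a stock sshd, which is exactly why no host-side patch is needed for the raw-RSA case; the certificate's issuer, validity and signature are discarded in the process, so the host gains none of the X.509 checks the X.509 patch would perform.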