openssh PKCS#11 support

Alon Bar-Lev alon.barlev at gmail.com
Sun Oct 23 08:37:58 EST 2005


Hello All,

As I promised, I've completed an initial patch for openssh 
PKCS#11 support. The same framework is also used by openvpn. 
I want to thank everyone who assisted during development.

This patch is based on the X.509 patch from 
http://roumenpetrov.info/openssh/ written by Roumen Petrov, 
since supporting PKCS#11 without X.509 looks like a bad idea.

*So the first question is: What is the merge status of 
Roumen's patch?*

The PKCS#11 patch modifies ssh-add and ssh-agent to support 
PKCS#11 private keys and certificates.

It allows using multiple PKCS#11 providers at the same time, 
selecting keys by id, label or certificate subject, handling 
card removal and card insertion events, supporting insertion of 
the card into a different slot, and handling session expiration.

One significant change is that the ssh-agent now prompts for 
passwords... So you need to configure it with a program 
that asks for the PIN, such as x11-ssh-askpass. 
The current implementation (ssh-add asks for passwords) is not 
valid for a dynamic smartcard environment.

*So the second question is whether this approach of handling 
passwords is valid for merge?*

The current implementation also uses the askpin program for 
prompting on card insertion... Don't be confused, it only expects 
ok or cancel. If we continue with the merge I will also allow 
selecting a different program for the card prompt.

A common scenario is the following:

$ ssh-agent xterm ->

  $ ssh-add --pkcs11-ask-pin `which x11-ssh-askpass`

  $ ssh-add --pkcs11-add-provider --pkcs11-provider 
/usr/lib/pkcs11/MyProvider.so

  $ ssh-add --pkcs11-add-id --pkcs11-slot-type label 
--pkcs11-slot "MyToken" --pkcs11-id-type subject --pkcs11-id 
"/C=XX/CN=YY"

  $ ssh myhost

In order to see the available objects, you can use:

  $ ssh-add --pkcs11-show-slots --pkcs11-provider 
/usr/lib/pkcs11/MyProvider.so

OpenSC users should add: --pkcs11-sign-mode sign

  $ ssh-add --pkcs11-show-objects --pkcs11-provider 
/usr/lib/pkcs11/MyProvider.so --pkcs11-slot 0

Look at ssh-add for more options.

If this patch is finally accepted, I believe that all OpenSC 
code can be removed from all components of openssh, which can 
then simply use the OpenSC PKCS#11 provider.

Some general comments
1. I think that ssh-add should be cleaned up, and support 
arguments properly; openbsd-compat does not have getopt_long.

2. I think that it is best that ssh-agent have a 
configuration file, so that static configurations may be 
provided. Also, ssh-agent lacks logging in non-debugging 
mode; this should also be corrected.

3. I don't support reader plug & play for now, since PKCS#11 
does not support it. It can be supported at the price of 
invalidating all open sessions.

Looking forward to receiving any comments,

Best Regards,
Alon Bar-Lev.


More information about the openssh-unix-dev mailing list