[ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.11)

Alon Bar-Lev alon.barlev at gmail.com
Sun May 28 00:26:43 EST 2006


Version 0.11 of "PKCS#11 support in OpenSSH" has been published.

1. Updated against OpenSSH 4.3p2.
2. Modified against Roumen Petrov's X.509 patch (version
5.4), so self-signed certificates are treated by the X.509
patch now.
3. Added --pkcs11-x509-force-ssh if X.509 patch applied,
until some issues with the X.509 patch are resolved.
4. Fixed issues with gcc-2.

You can grab the new version from

I will be glad to receive any feedback regarding this patch,
so I will be able to adjust it closer to requirements, and
extend the support for non-agent usage.

The PKCS#11 support is provided by a pkcs11-helper
implementation which is common to OpenVPN and QCA (Qt
Cryptographic Architecture for KDE 4.0) and may be used by
many other projects; one example is this patch for OpenSSH.
There is also initial support for xsupplicant and

Best Regards,
Alon Bar-Lev.

The PKCS#11 patch modifies ssh-add and ssh-agent to support
PKCS#11 private keys and certificates.

It allows using multiple PKCS#11 providers at the same time,
selecting keys by id, label or certificate subject, handling
card removal and card insert events, handling card re-insert
into a different slot, and supporting session expiration.

A valid X.509 certificate should exist on the token; without
X.509 support it is exported as a regular RSA key. There is a
simple utility Timo Felbinger wrote
(http://www.timof.qipc.org/x509toOpenSSH.c) that extracts an
ssh public key from an X.509 certificate.

If you would like X.509 support, apply the X.509 (>=5.4) patch
*AFTER* the PKCS#11 patch.

One significant change is that ssh-agent now prompts for
passwords... So you need to configure it with a program
that asks for card insertion or a PIN, a program such as
x11-ssh-askpass. The current implementation (ssh-add asks for
passwords) is not valid for a dynamic smartcard environment.

The current implementation also uses the askpin program for
prompting card insertion... Don't be confused, it only expects
ok or cancel; attached are simple scripts that use KDE and
.NET in order to display these dialogs.

You can view the full usage with:
$ ssh-agent /bin/sh
$ ssh-add -h

A common scenario is the following:

$ ssh-agent /bin/sh
$ ssh-add --pkcs11-ask-pin `which openssh-kde-dialogs.sh`
$ ssh-add --pkcs11-add-provider --pkcs11-provider
$ ssh-add --pkcs11-add-id --pkcs11-slot-type label
--pkcs11-slot "MyToken" --pkcs11-id-type subject --pkcs11-id
$ ssh myhost

In order to see the available objects, you can use:

$ ssh-add --pkcs11-show-slots --pkcs11-provider
$ ssh-add --pkcs11-show-objects --pkcs11-provider
/usr/lib/pkcs11/MyProvider.so --pkcs11-slot 0
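
The certificate-to-ssh-key conversion mentioned above (when the token key is
handed out as a plain RSA key, the ssh public key has to be derived from the
X.509 certificate) as an added example: this Python is not Timo Felbinger's
x509toOpenSSH.c and not part of the PKCS#11 patch. It assumes a DER-encoded
RSA certificate, walks the DER to the SubjectPublicKeyInfo, and encodes the
modulus and exponent in the RFC 4253 "ssh-rsa" format; the sample certificate
is a constructed, unsigned skeleton built in-script around a toy key.

```python
"""Derive an OpenSSH "ssh-rsa" public key line from a DER-encoded X.509 certificate.

Added example: not Timo Felbinger's x509toOpenSSH.c and not part of the
OpenSSH PKCS#11 patch.  It walks the certificate's DER structure to the
SubjectPublicKeyInfo, pulls out the RSA modulus and exponent, and encodes
them in the RFC 4253 "ssh-rsa" wire format that authorized_keys expects.
The sample certificate is built in-script around a toy key with an empty
signature, so it is a structural stand-in, not a real certificate.
"""
import base64
import struct

RSA_OID = bytes.fromhex("2A864886F70D010101")  # rsaEncryption, 1.2.840.113549.1.1.1


# --- minimal DER reader -----------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Split the content of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        out.append((tag, value))
    return out


# --- minimal DER writer, used only to build the constructed sample ----------
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(value):
    # (bit_length + 8) // 8 leaves a leading 0x00 when the top bit is set
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))


def build_sample_certificate(n, e):
    """Unsigned Certificate skeleton in RFC 5280 field order (constructed input)."""
    alg = der_seq(der_tlv(0x06, RSA_OID), der_tlv(0x05, b""))
    spki = der_seq(alg, der_tlv(0x03, b"\x00" + der_seq(der_int(n), der_int(e))))
    empty_name = der_seq()
    validity = der_seq(der_tlv(0x17, b"060528000000Z"), der_tlv(0x17, b"070528000000Z"))
    tbs = der_seq(der_tlv(0xA0, der_int(2)),  # [0] EXPLICIT version v3
                  der_int(1), alg, empty_name, validity, empty_name, spki)
    return der_seq(tbs, alg, der_tlv(0x03, b"\x00"))  # empty signature placeholder


# --- the extraction ---------------------------------------------------------
def rsa_public_numbers_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> (n, e)."""
    _, cert, _ = der_read(cert_der)
    fields = der_children(der_children(cert)[0][1])
    # The optional [0] version field shifts subjectPublicKeyInfo from index 5 to 6.
    spki_tag, spki = fields[6 if fields[0][0] == 0xA0 else 5]
    if spki_tag != 0x30:
        raise ValueError("unexpected tag for subjectPublicKeyInfo")
    (_, alg), (_, bitstr) = der_children(spki)
    if der_children(alg)[0][1] != RSA_OID:
        raise ValueError("certificate key is not RSA")
    _, rsa_key, _ = der_read(bitstr[1:])  # drop the unused-bits octet, open RSAPublicKey
    (_, n_bytes), (_, e_bytes) = der_children(rsa_key)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    # RFC 4251 mpint: big-endian, leading 0x00 when the top bit is set
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def cert_to_openssh_line(cert_der, comment="from-x509"):
    n, e = rsa_public_numbers_from_cert(cert_der)
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)  # RFC 4253: e before n
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


SAMPLE_N = (1 << 1023) | 0xDEADBEEF  # toy 1024-bit modulus, not a real key
SAMPLE_E = 65537
SAMPLE_CERT_DER = build_sample_certificate(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    print(cert_to_openssh_line(SAMPLE_CERT_DER))
```

Run it on a real certificate by replacing SAMPLE_CERT_DER with the bytes of a DER file; the output line has the familiar "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB..." shape for any key with e=65537, which is a quick sanity check that the exponent and modulus were placed in the right order before the line goes into authorized_keys.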
