[PATCH] Re: PKCS#11 support in OpenSSH 4.3p2

Andrew Bartlett abartlet at samba.org
Sun Sep 24 11:09:53 EST 2006

On Sun, 2006-09-24 at 02:58 +0300, Alon Bar-Lev wrote:
> On Sunday 24 September 2006 02:41, Andrew Bartlett wrote:

> > I use ssh-agent without a gui all the time.  Why can't ssh-add
> > prompt for a pin just like it prompts for passphrases?
> Because the ssh-agent should challenge ssh back for passphrase when 
> card session expired, or card is removed/inserted.
> Current protocol does not support this.
> This is one issue to be discussed...

In a command-line environment, requiring the user to re-run ssh-add
doesn't seem unreasonable.  But I'm not familiar with that code, so I'll
happily agree that there may be a need for further discussion.

How does the existing smart-card code get around this?

> > But if (as on Fedora Core 6, and RHEL5 betas) pam_pkcs11 is
> > functional, can we make use of it?  They seem to have it down to
> > 'tick a box' for smartcard login...
> pam_pkcs11 is a bad implementation, please stop referring to it, unless 
> you review its code, and find it acceptable.

I've not looked at that code yet, so I simply don't know.  I do
understand that this is what Red Hat built their smart card login
solution on.  While I spend my day hacking Samba, I'm part of that group
at RedHat.  I'm impressed with what they have achieved, and wanted to be
able to make the case to the others in my group of: you make smartcard
login simple, wouldn't it be great if it 'just worked' for moving off
the box with SSH too?

(I'm sick of typing a password and then a long pass-phrase twice each
time I log into the laptop).

My naive assumption was that 'just works' smartcard logins would provide
some information to the session (such as how to access the now unlocked
smartcard), so that subsequent operations would not require a PIN.  That
was the reason for my pam_pkcs11 reference.

Perhaps I need to spend more time with some of the developers here to
understand the pieces better.

> The pkcs11-helper library is used in OpenVPN (merged), OpenSSH 
> (patch), QCA (merged), GnuPG (external daemon), I also have 
> xsupplicant and some more.

For GnuPG is that the p11scd?  I'm also very interested in trying to GPG
sign mail with a PKCS#11 smartcard.

> I've written the pkcs11-helper after I've found that there is no valid 
> PKCS#11 usage among open-source projects.

That's why I was asking the 'system library' question.  It looked like
shared code, so why is it pasted into each project? 

> pkcs11-helper works with many cards, including OpenSC, Aladdin, 
> Athena, Siemens, openCryptoki, Rainbow, ARX, Datakey.
> If you wish, pam_pkcs11 can use pkcs11-helper in order to provide a 
> better service.

I'm sure that would be very interesting.  As I said, I've not looked at
that code yet.

> > Looking at the ssh-agent code, your pkcs_11 mode shares no options
> > in common with the other smartcard code.  If that code is to be
> > replaced with yours, then users with scripts etc will break.  If
> > the smartcard code is not replaced, manpages get bigger to list
> > both, and users become confused 'which smartcard do I have?'.
> Current smartcard support is invalid, because of this I wrote this 
> new one.
> It adds all certificates into the agent, it does not support removal 
> and insert of cards, it does not support session timeout, multi 
> providers and more.

These sound like great new features!  When users/deployments become
comfortable with your new, better code, then I'm sure they will want to
be able to migrate to it.  

I'm suggesting that you should make that migration as painless as
possible, by reusing options.  

Likewise in the code, it seems that there is already an established
pattern of smartcard subsystems, why don't you use them?  (and extend
the interface if required).

> > > True...
> > > Well... I kind of hope that a cleaner exit will be applied in the
> > > future into ssh-agent.
> >
> > Why?  ssh-agent, like many other programs, needs to deal gracefully
> > with abnormal termination.  What happens if that _terminate isn't
> > called? (Because the process was killed in a nasty way?).
> Nothing happens.

If nothing happens, then why ever call _terminate()?  Well-written code
should cope with an abnormal exit, and not have any unclean shared
state, but I presume this function exists for a reason.

> But I like the signal code informs the main to perform a clean exit, 
> and not exit from the signal handler.

Is it unsafe to call these functions from the signal handler?  Perhaps
the next version of your patch needs to find a way (sometimes difficult
in my experience of other apps) to return to that loop.

> > I'm saying that pkcs11_helper.c and basically everything outside
> > pkinit.c feel like they belong elsewhere.  It is just a gut feeling
> > that 'surely the system should provide this'.
> system? which system?
> I can make the pkcs11-helper a standalone library... But I find it 
> much easier to merge without external dependencies.

It certainly is easier once.  But in the Samba project we are currently
running around trying to rationalise code like this, because we got
bitten.  Lots of small, different fixes and different bugs in the
different versions.

> > Current Portable CVS.
> Well...
> You make it difficult for me to review this patch...
> But I got the mainline comment.

I actually hoped it would make it easier, particularly for any potential

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

