[PATCH] Re: PKCS#11 support in OpenSSH 4.3p2

Alon Bar-Lev alon.barlev at gmail.com
Sun Sep 24 19:58:16 EST 2006

On Sunday 24 September 2006 04:09, Andrew Bartlett wrote:
> In a command-line environment, requiring the user to re-run ssh-add
> doesn't seem unreasonable.  But I'm not familiar with that code, so
> I'll happily agree that there may be a need for further discussion.

Let's say your smartcard is also used to open your office 
door... So you must take it wherever you go... Every time you come 
back and insert your card, entering the PIN for pam_pkcs11, you 
need to re-run ssh-add before you ssh?!?!?

And when the smartcard session expires, run another ssh-add? Every hour or 

From a user's point of view, the user should be prompted when he runs 
ssh to (optionally) insert his card and (optionally) enter his PIN, that's it.

The user should load his identities into the ssh-agent only once.

> How does the existing smart-card code get around this?

It doesn't; once you have added an identity into the daemon, it stays there... 
Even if the card is removed and inserted... It also remembers the 

> I've not looked at that code yet, so I simply don't know.  I do
> understand that this is what Red Hat built their smart card
> login solution on.  While I spend my day hacking Samba, I'm part of
> that group at RedHat.  I'm impressed with what they have achieved,
> and wanted to be able to make the case to the others in my group
> of: you make smartcard login simple, wouldn't it be great if it
> 'just worked' for moving off the box with SSH too?

1. pam_pkcs11 is not RedHat's, they just used it... As they can use 
more components that use smartcards. I don't understand why you 
think they achieved anything.
2. Standard smartcard for OpenSSH is also simple... Just use my 
patch... :)

> My naive assumption was that 'just works' smartcard logins would
> provide some information to the session (such as how to access the
> now unlocked smartcard), so that subsequent operations would not
> require a PIN.  That was the reason for my pam_pkcs11 reference.

Oh... This is something different!
The OpenSC project raised an option to write a generic smartcard 
But I think that it is wrong from a security point of view, since not 
all applications on your system may access your credentials.
There is nothing wrong with entering the PIN in several applications; 
this is how you approve the use of your private key.

Remember: Smartcards are used in order to enforce security, and not as 
gadgets.

And because smartcards are locked after N retries, the PIN may be much 
simpler than a password.

> For GnuPG is that the p11scd?  I'm also very interested in trying
> to GPG sign mail with a PKCS#11 smartcard.

This is a work in progress.

You can try it out and send feedback... I don't know if it works with 
GUI applications, but gpgm works.

> > I've written the pkcs11-helper after I've found that there is no
> > valid PKCS#11 usage among open-source projects.
> That's why I was asking the 'system library' question.  It looked
> like shared code, so why is it pasted into each project?

I need to make it more generic first. After about 5 large projects 
use the same code, I will consider doing that.

> Likewise in the code, it seems that there is already an established
> pattern of smartcard subsystems, why don't you use them?  (and
> extend the interface if required).

PKCS#11 is the subsystem we integrate into.

> Is it unsafe to call these functions from the signal handler? 
> Perhaps the next version of your patch needs to find a way
> (sometimes difficult in my experience of other apps) to return to
> that loop.

This is part of non-PKCS#11 improvements. When I work on 
merging, I might do such modifications.

> I actually hoped it would make it easier, particularly for any
> potential merge.

We have a long way to go... So I only patch release versions.

I am waiting for some kind of discussion with core OpenSSH developers. 
I will do anything required in order to see OpenSSH allow people to 
improve their security by using standard smartcards.

Best Regards,
Alon Bar-Lev.
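The argument made above, that a retry counter lets a short PIN resist guessing in a way a password could not, as an added example that is not part of the original post or of the patch under discussion. It is a Python model of a PIN-protected token, not a real PKCS#11 library: the salted-HMAC PIN storage, the retry counter, the reset on a correct PIN and the lockout at zero are assumptions of the model, chosen to mirror how typical cards behave. An exhaustive guesser is run against it to show where the protection comes from.

```python
"""Toy PIN-protected token with a retry counter (added example, not the
post's or the patch's code; not a real PKCS#11 implementation)."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    """Releases a signing capability only after the correct PIN.

    Model assumptions: the PIN is kept as a salted HMAC-SHA-256 tag rather
    than in clear, each wrong PIN decrements a counter, a correct PIN resets
    it, and reaching zero locks the token until an administrative unblock.
    """
    max_retries: int = 3
    retries_left: int = 0
    locked: bool = False
    logged_in: bool = False
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16), repr=False)
    _pin_tag: bytes = field(default=b"", repr=False)

    def __post_init__(self) -> None:
        self.retries_left = self.max_retries

    def _tag(self, pin: str) -> bytes:
        return hmac.new(self._salt, pin.encode(), hashlib.sha256).digest()

    def set_pin(self, pin: str) -> None:
        """Personalise the token; also resets the retry counter."""
        self._pin_tag = self._tag(pin)
        self.retries_left = self.max_retries

    def login(self, pin: str) -> bool:
        """Verify the PIN; a locked token rejects everything without counting."""
        if self.locked:
            return False
        if hmac.compare_digest(self._tag(pin), self._pin_tag):
            self.retries_left = self.max_retries
            self.logged_in = True
            return True
        self.retries_left -= 1
        if self.retries_left == 0:
            self.locked = True
        return False

    def sign(self, data: bytes) -> bytes:
        """Stand-in for the private-key operation; refused unless logged in."""
        if not self.logged_in:
            raise PermissionError("token: user not logged in")
        return hashlib.sha256(b"signed:" + data).digest()


def brute_force(token: Token, digits: int) -> tuple[bool, int]:
    """Try every PIN of the given length in order.

    Returns (success, attempts made). The loop stops as soon as the token
    locks, which is what bounds the attacker in practice.
    """
    for attempt in range(10 ** digits):
        pin = f"{attempt:0{digits}d}"
        if token.login(pin):
            return True, attempt + 1
        if token.locked:
            return False, attempt + 1
    return False, 10 ** digits


def guess_success_probability(digits: int, max_retries: int) -> float:
    """Chance that random non-repeating guesses win before lockout.

    The bound is max_retries / 10**digits regardless of how an offline
    attacker is equipped, because the counter lives on the card.
    """
    return min(1.0, max_retries / 10 ** digits)


if __name__ == "__main__":
    card = Token(max_retries=3)
    card.set_pin("7319")
    print("exhaustive search:", brute_force(card, 4))
    print("p(success):", guess_success_probability(4, 3))
```

With a 4-digit PIN and three retries the exhaustive search stops after three attempts with the card locked, and an attacker's success probability is 3/10000 per card. A password stored on the host has no such counter once its hash is copied off the box, which is why a PIN may be much shorter than a password and still hold.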
