OpenSSH PKCS#11 merge

Alon Bar-Lev alon.barlev at gmail.com
Sat Dec 29 05:50:42 EST 2007


Hello,

On 12/28/07, David Smith <david.daniel.smith at gmail.com> wrote:
> ping.

I also considered pinging... :)
Thanks for the reminder.

> is supported by an alternative pkcs#11 library, opencryptoki, and thus is
> unusable from applications that use opensc directly, because it's not a
> pkcs#15 card.

Also, the patch introduces dynamic support for cryptographic hardware,
handling session timeouts, token removal, etc.

> Alon's patch already functions parallel to the opensc support and RedHat is
> bundling it (or a similar patch, I'm not sure of the details). I would like
> this support included mainline with all appropriate speed and importance.

Redhat developed an nss-based patch for OpenSSH; nss is much more
complicated and does not support all PKCS#11 tokens. The pkcs11-helper
based patch is much lighter and more compatible. Anyway, Redhat will
face the same issues with OpenSSH regarding dynamic hardware
usage.

If the OpenSSH developers prefer to use Redhat's nss patch and this is
the way people will be able to use a more secure environment, that is fine.

I believe that my work is lighter and provides better service to users.

The main issue I am waiting for Peter to respond on is why he thinks
that the ssh-agent protocol should not be changed to support a dynamic
environment. This is the main issue left; all the others are minor.
Currently, I execute a user prompt program directly from the agent,
while the other components of OpenSSH execute this from the main
executable. But I need a way to signal the caller that I need some
more information from the user.

Best Regards,
Alon Bar-Lev.


More information about the openssh-unix-dev mailing list