OpenSSH PKCS#11 merge

Alon Bar-Lev alon.barlev at
Sat Dec 29 05:50:42 EST 2007


On 12/28/07, David Smith <david.daniel.smith at> wrote:
> ping.

I also considered pinging... :)
Thanks for the reminder.

> is supported by an alternative pkcs#11 library, opencryptoki, and thus is
> unusable from applications that use opensc directly, because it's not a
> pkcs#15 card.

Also, the patch introduces dynamic support for cryptographic hardware,
handling session timeouts, token removal, etc.

> Alon's patch already functions parallel to the opensc support and RedHat is
> bundling it (or a similar patch, I'm not sure of the details). I would like
> this support included mainline with all appropriate speed and importance.

Redhat developed an nss-based patch for OpenSSH; nss is much more
complicated and does not support all PKCS#11 tokens. The pkcs11-helper
based patch is much lighter and more compatible. Anyway, Redhat will
face the same issues with OpenSSH regarding the dynamic hardware

If the OpenSSH developers prefer to use Redhat's nss patch and this is
the way people will be able to use a more secure environment, it is fine.

I believe that my work is lighter and provides better service to users.

The main issue I am waiting for Peter to respond to is why he thinks
that the ssh-agent protocol should not be changed to support a dynamic
environment. This is the main issue left; all the others are minor.
Currently, I execute a user prompt program directly from the agent,
while the other components of OpenSSH execute this from the main
executable. But I need a way to signal the caller that I need some
more information from the user.

Best Regards,
Alon Bar-Lev.
