OpenSSH PKCS#11 merge

Ben Lindstrom mouring at
Sun Dec 30 12:02:35 EST 2007

I'm sorry if this has been discussed in other places.  Looking back at 
this thread I don't see any real discussion of it here.

However, can someone give a run down as to why the current smartcard 
implementation fails, why it cannot be fixed and thus must be replaced? 
It bothers me when people's solution is to throw out code because it 
doesn't do what they want without giving a solid reason why a new 
infrastructure is needed, or how this new setup will completely replace 
the existing setup.

Just as bad is having two implementations living side-by-side and by the 
looks of the patch can both be compiled in.  Does having both enabled 
have any ill effects?  Should they both be allowed to be compiled in?

As for X.509.. If one has followed this list for any period of time they 
will have seen the concerns about OpenSSL's X.509 parser complexity and 
the issues it has caused them in the past.  That is part of the reason why 
djm@ and the others have no intention.

I remember discussions about writing a simplified X.509 parser that only 
looks at fields that OpenSSH cared about, but I've been away for over 
two years so I suspect that was abandoned. =)

- Ben

On Fri, 28 Dec 2007, Alon Bar-Lev wrote:

> Hello,
> On 12/28/07, David Smith <david.daniel.smith at> wrote:
>> ping.
> I also considered pinging... :)
> Thanks for the reminder.
>> is supported by an alternative pkcs#11 library, opencryptoki, and thus is
>> unusable from applications that use opensc directly, because it's not a
>> pkcs#15 card.
> Also the patch introduces dynamic support for cryptographic hardware,
> handling session timeouts, token removal etc..
>> Alon's patch already functions parallel to the opensc support and RedHat is
>> bundling it (or a similar patch, I'm not sure of the details). I would like
>> this support included in mainline with all appropriate speed and importance.
> Redhat developed nss based patch for OpenSSH, nss is much more
> complicated and does not support all PKCS#11 tokens. The pkcs11-helper
> based patch is much lighter and more compatible. Anyway, redhat will
> face the same issues with OpenSSH regarding the dynamic hardware
> usage.
> If OpenSSH developers prefer to use Redhat's nss patch and this is
> the way people will be able to use a more secured environment, it is fine.
> I believe that my work is lighter and provides better service to users.
> The main issue I am waiting for Peter to respond to is why he thinks
> that the ssh-agent protocol should not be changed to support dynamic
> environment. This is the main issue left, all the other are minor.
> Currently, I execute a user prompt program directly from the agent,
> while the other components of OpenSSH execute this from the main
> executable. But I need a way to signal the caller that I need some
> more information from the user.
> Best Regards,
> Alon Bar-Lev.