OpenSSH PKCS#11 merge

Alon Bar-Lev alon.barlev at gmail.com
Sun Dec 30 18:24:11 EST 2007


On 12/30/07, David Smith <david.daniel.smith at gmail.com> wrote:
> > However, can someone give a run down as to why the current smartcard
> > implementation fails, why it cannot be fixed and thus must be replaced?
> > It bothers me when people's solution is to throw out code because it
> > doesn't do what they want without giving a solid reason why a new
> > infrastructure is needed, or how this new setup will completely replace
> > the existing setup.
>
> Sure. To sum it up, currently OpenSSH uses OpenSC, which only provides support
> for a limited number of smartcards. OpenSC is meant to be just another
> PKCS#11 API implementation and if OpenSSH were to use the PKCS#11 API instead of
> OpenSC's specific API, it would be available to the wider world of
> smartcards. Personally, I want to use it with opencryptoki, another free
> PKCS#11 implementation, that supports the TPM chip in many workstations and
> laptops.

I will try to rephrase this...

PKCS#11 is a standard specification; most hardware cryptography devices
support this standard in order to enable hardware- and platform-
independent applications to use the hardware.

The OpenSC interface is a proprietary specification.

In order to support hardware cryptography, you have some options:
1. Support PKCS#11, thus supporting any device that comes with this
interface (most).
2. Support a specific implementation, just like OpenSSH does.
3. Reimplement from scratch; gnupg is an example of that.

Any option other than (1) implies supporting a minimum set of hardware
devices, making a large group of users unhappy (unable to use secured
solutions).

Best Regards,
Alon Bar-Lev.


More information about the openssh-unix-dev mailing list