Announce: PKCS#11 support version 0.18 in OpenSSH 4.5p1

Alon Bar-Lev alon.barlev at gmail.com
Sat Jan 6 03:21:58 EST 2007


Hi All,

The version of "PKCS#11 support in OpenSSH" is ready for download.
On download page http://alon.barlev.googlepages.com/openssh-pkcs11 you 
can find a patch for OpenSSH 4.5p1.

Most of PKCS#11 code is now moved to a standalone library which I call 
pkcs11-helper, this library is used by all projects that I added 
PKCS#11 support into. The library can be downloaded from:
http://www.opensc-project.org/pkcs11-helper

As a result the patch is much smaller now, and maybe I will be able to 
get some feedback from core OpenSSH developers? :)

The way identity is loaded now into the agent was modified, please 
refer to the README.pkcs11 for more details.

What I wish to discuss is how to further integrate it into OpenSSH; so 
far I touched the minimum required code (ssh-agent, ssh-add). But I 
would like to discuss configuration file support for ssh-agent in 
order to allow it to load providers on startup, and maybe the use of 
PKCS#11 in non-agent configurations.

But the most important issue is how to handle dynamic PIN entry... 
The current protocol between ssh and the agent assumes that keys are 
always authenticated, but what happens if a smartcard is removed and 
inserted? The agent must un-authenticate the key, and a PIN should be 
prompted for at next usage. So I think that the ssh-agent protocol should 
be modified to allow the application to be notified that the requested key 
is unauthenticated, and to support an authentication verb.

What's new:

20070105
 - (alonbl) Removed pkcs11-helper since it is now a standalone library.
 - (alonbl) PKCS#11 support is disabled by default; to enable it, configure
   with --with-pkcs11
 - (alonbl) Rebase with openssh-4.5p1.
 - (alonbl) Release 0.18

20061023
 - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.
 - (alonbl) Release 0.17

20061020
 - (alonbl) Major modification of ssh-add command-line parameters.
   Now, a complete serialized certificate needs to be specified, this
   in order to allow people to add an id without forcing the card to be
   available.
   But to allow completely silent addition a certificate file is also
   needed.
   --pkcs11-show-ids is used in order to get a list of resources.
   --pkcs11-add-id --pkcs11-id <serialized id> \
      [--pkcs11-cert-file <cert_file>]
 - (alonbl) PKCS#11 release 0.16

20061012
 - (alonbl) OpenSC bug workaround.
 - (alonbl) PKCS#11 release 0.15

Best Regards,
Alon Bar-Lev.
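The protocol change the post proposes (the agent answering a sign request with "this key is unauthenticated", the client then sending an authenticate verb carrying the PIN and retrying) can be sketched as a small model. The following is an added illustration written for this page, not code from the patch, from pkcs11-helper or from OpenSSH: the `Token`, `Agent` and `client_sign` names and the message dictionaries are assumptions, and an HMAC over a constructed secret stands in for the token's private-key operation. It also models the part of the argument that motivates the change, a card removal dropping the PIN session so that the next use must authenticate again.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


# Constructed stand-in for a PKCS#11 token: the "private key" is an HMAC
# secret that is usable only while the token is inserted and the PIN verified.
@dataclass
class Token:
    label: str
    pin: str
    secret: bytes
    inserted: bool = True
    logged_in: bool = False

    def remove(self):
        self.inserted = False
        self.logged_in = False  # removing the card ends the PIN session

    def insert(self):
        self.inserted = True    # re-insertion does not restore the session

    def login(self, pin):
        if not self.inserted:
            return False
        self.logged_in = hmac.compare_digest(pin.encode(), self.pin.encode())
        return self.logged_in

    def sign(self, data):
        if not (self.inserted and self.logged_in):
            raise PermissionError("token not authenticated")
        return hmac.new(self.secret, data, hashlib.sha256).digest()


@dataclass
class Agent:
    """Hypothetical agent: identities map to tokens instead of loaded keys."""
    keys: dict = field(default_factory=dict)  # key id -> Token

    def add_identity(self, key_id, token):
        self.keys[key_id] = token

    def handle(self, msg):
        token = self.keys.get(msg["key"])
        if token is None:
            return {"status": "no_such_key"}
        if msg["verb"] == "sign":
            if not (token.inserted and token.logged_in):
                # Proposed reply: tell the client this key needs a PIN first.
                return {"status": "unauthenticated", "key": msg["key"]}
            return {"status": "ok", "sig": token.sign(msg["data"])}
        if msg["verb"] == "authenticate":  # proposed new verb
            if not token.inserted:
                return {"status": "token_absent"}
            if token.login(msg["pin"]):
                return {"status": "ok"}
            return {"status": "bad_pin"}
        return {"status": "unknown_verb"}


def client_sign(agent, key_id, data, pin_prompt, max_prompts=3):
    """Client side: request a signature; on 'unauthenticated', prompt for
    the PIN, send the authenticate verb and retry a bounded number of times."""
    for _ in range(max_prompts + 1):
        reply = agent.handle({"verb": "sign", "key": key_id, "data": data})
        if reply["status"] == "ok":
            return reply["sig"]
        if reply["status"] != "unauthenticated":
            raise RuntimeError(reply["status"])
        auth = agent.handle({"verb": "authenticate", "key": key_id,
                             "pin": pin_prompt(key_id)})
        if auth["status"] == "token_absent":
            raise RuntimeError("token_absent")
    raise RuntimeError("too many PIN attempts")


if __name__ == "__main__":
    tok = Token("demo-card", "1234", b"constructed-secret")
    agent = Agent()
    agent.add_identity("id1", tok)
    print(agent.handle({"verb": "sign", "key": "id1", "data": b"hello"}))
    sig = client_sign(agent, "id1", b"hello", lambda _k: "1234")
    print("signed:", sig.hex())
    tok.remove(); tok.insert()
    print(agent.handle({"verb": "sign", "key": "id1", "data": b"hello"}))
```

The agent never stores the PIN: it forwards it to the token for login and keeps only the token's session state, so a removal-and-reinsert reliably forces a fresh prompt on the next request.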
