Announce: PKCS#11 support version 0.18 in OpenSSH 4.5p1

Alon Bar-Lev alon.barlev at
Sat Jan 6 03:21:58 EST 2007

Hi All,

The version of "PKCS#11 support in OpenSSH" is ready for download.
On the download page you can find a patch for OpenSSH 4.5p1.

Most of the PKCS#11 code is now moved to a standalone library which I call 
pkcs11-helper; this library is used by all projects that I added 
PKCS#11 support to. The library can be downloaded from:

As a result the patch is much smaller now, and maybe I will be able to 
get some feedback from core OpenSSH developers? :)

The way identity is loaded now into the agent was modified, please 
refer to the README.pkcs11 for more details.

What I wish to discuss is how to further integrate it into OpenSSH; so 
far I touched the minimum required code (ssh-agent, ssh-add). But I 
would like to discuss configuration file support for ssh-agent in 
order to allow it to load providers on startup, and maybe the use of 
PKCS#11 in non-agent configurations.

But the most important issue is how to handle dynamic PIN entry... 
The current protocol between ssh and the agent assumes that keys are 
always authenticated, but what happens if a smartcard is removed and 
inserted? The agent must un-authenticate the key, and a PIN should be 
prompted for at next usage. So I think that the ssh-agent protocol should 
be modified to allow the application to be notified that the requested key 
is unauthenticated, and to support an authentication verb.

What's new:

 - (alonbl) Removed pkcs11-helper since it is now a standalone 
 - (alonbl) By default PKCS#11 support is disabled; enable it 
   with --with-pkcs11
 - (alonbl) Rebase with openssh-4.5p1.
 - (alonbl) Release 0.18

 - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.
 - (alonbl) Release 0.17

 - (alonbl) Major modification of ssh-add command-line parameters.
   Now, a complete serialized certificate needs to be specified, 
   in order to allow people to add an id without forcing the card to be 
   But to allow completely silent addition a certificate file also 
   --pkcs11-show-ids is used in order to get a list of resources.
   --pkcs11-add-id --pkcs11-id <serialized id> \
      [--pkcs11-cert-file <cert_file>]
 - (alonbl) PKCS#11 release 0.16

 - (alonbl) OpenSC bug workaround.
 - (alonbl) PKCS#11 release 0.15

Best Regards,
Alon Bar-Lev.
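The removal-and-reinsertion problem raised in the message, as an added illustration: the model below is written for this note and is not code from the PKCS#11 patch, from pkcs11-helper or from OpenSSH. It assumes a hypothetical "needs authentication" reply and "authenticate" verb in the agent protocol (the additions the message proposes, not part of the real ssh-agent protocol), and a toy Token whose PIN check and HMAC-based "signature" stand in for the real PKCS#11 calls. The point it shows is the one the message makes: card removal must drop the authenticated state, and re-insertion restores the key as unauthenticated, so the next signing request gets a PIN prompt rather than a signature.

```python
"""Agent-side key state across smartcard removal (constructed illustration)."""
from dataclasses import dataclass
from enum import Enum, auto
import hashlib
import hmac


class KeyState(Enum):
    ABSENT = auto()           # token not inserted
    UNAUTHENTICATED = auto()  # token present, PIN not verified on this session
    AUTHENTICATED = auto()    # PIN verified on the current session; may sign


class Reply(Enum):
    SIGNATURE = auto()
    NEEDS_AUTH = auto()       # hypothetical reply: key present but PIN required
    FAILURE = auto()


@dataclass
class Token:
    """Toy smartcard (constructed): PIN-protected secret with a retry counter."""
    serial: str
    pin: str
    secret: bytes
    present: bool = True
    pin_retries: int = 3

    def verify_pin(self, pin):
        # A blocked token rejects every PIN; a wrong PIN burns one retry.
        if self.pin_retries == 0:
            return False
        if hmac.compare_digest(pin.encode(), self.pin.encode()):
            return True
        self.pin_retries -= 1
        return False

    def sign(self, data):
        # HMAC stands in for the on-card private-key operation.
        return hmac.new(self.secret, data, hashlib.sha256).digest()


@dataclass
class Identity:
    key_id: str
    token: Token
    state: KeyState = KeyState.UNAUTHENTICATED


class Agent:
    """Tracks, per identity, whether the PIN is valid for the token's session."""

    def __init__(self):
        self.identities = {}

    def add_id(self, key_id, token):
        # Adding an identity never authenticates it; that happens on first use.
        self.identities[key_id] = Identity(key_id, token)

    def card_removed(self, serial):
        # Removal must drop the authenticated state: the PIN session is gone.
        for ident in self.identities.values():
            if ident.token.serial == serial:
                ident.token.present = False
                ident.state = KeyState.ABSENT

    def card_inserted(self, serial):
        # Re-insertion restores the key as UNAUTHENTICATED, never AUTHENTICATED.
        for ident in self.identities.values():
            if ident.token.serial == serial:
                ident.token.present = True
                ident.state = KeyState.UNAUTHENTICATED

    def authenticate(self, key_id, pin):
        # The proposed 'authenticate' verb: the client supplies a PIN for one key.
        ident = self.identities[key_id]
        if ident.state is KeyState.ABSENT:
            return False
        if ident.token.verify_pin(pin):
            ident.state = KeyState.AUTHENTICATED
            return True
        return False

    def sign_request(self, key_id, data):
        # Only AUTHENTICATED serves a signature; the other states return the
        # reply the client needs to decide whether to prompt for a PIN.
        ident = self.identities.get(key_id)
        if ident is None or ident.state is KeyState.ABSENT:
            return Reply.FAILURE, None
        if ident.state is KeyState.UNAUTHENTICATED:
            return Reply.NEEDS_AUTH, None
        return Reply.SIGNATURE, ident.token.sign(data)


def walkthrough():
    """Run the removal/re-insertion scenario; return the sequence of replies."""
    token = Token(serial="CARD-0001", pin="1234", secret=b"toy-card-secret")
    agent = Agent()
    agent.add_id("rsa-on-card", token)
    data = b"session-id||request"
    replies = [agent.sign_request("rsa-on-card", data)[0]]      # NEEDS_AUTH
    agent.authenticate("rsa-on-card", "1234")
    replies.append(agent.sign_request("rsa-on-card", data)[0])  # SIGNATURE
    agent.card_removed("CARD-0001")
    replies.append(agent.sign_request("rsa-on-card", data)[0])  # FAILURE
    agent.card_inserted("CARD-0001")
    replies.append(agent.sign_request("rsa-on-card", data)[0])  # NEEDS_AUTH
    return replies


if __name__ == "__main__":
    for reply in walkthrough():
        print(reply.name)
```

The design choice worth noting is that `card_inserted` deliberately cannot restore `AUTHENTICATED`: whatever a token's own session semantics, the agent treats any removal as the end of the PIN's validity, so a card swapped for another with the same serial, or reinserted by someone else, cannot inherit a signing capability that was granted earlier.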
