OpenSSH PKCS#11merge

Douglas E. Engert deengert at
Wed Sep 26 04:50:41 EST 2007

Iain Morgan wrote:
> Due to HSPD-12, US government agencies are switching to the use
> of smartcards for authentication. (Some agencies havve already
> made this transition.) Presumably any improvements in the
> smartcard support that OpenSSH offers would be useful.

Another way to do this especially with HSPD-12 PIV cards is via Kerberos.
Over the last few years, I have been working on the combination of
kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate
to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC
PKCS#11. OpenSC has support for the PIV cards.

With this combination there are no changes to SSH as it would use
the existing Kerberos via GSS.



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list