OpenSSH PKCS#11 merge

Douglas E. Engert deengert at anl.gov
Wed Sep 26 04:50:41 EST 2007



Iain Morgan wrote:
> 
> Due to HSPD-12, US government agencies are switching to the use
> of smartcards for authentication. (Some agencies have already
> made this transition.) Presumably any improvements in the
> smartcard support that OpenSSH offers would be useful.

Another way to do this, especially with HSPD-12 PIV cards, is via Kerberos.
Over the last few years, I have been working on the combination of
kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate
to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC
PKCS#11. OpenSC has support for the PIV cards.

    http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV

With this combination there are no changes to SSH as it would use
the existing Kerberos via GSS.


> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
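
The setup described in the message above, sketched as configuration fragments. This is an added example, not part of the original post; it assumes MIT Kerberos, and the realm, host names, file paths and the OpenSC module location are placeholders.

```conf
# --- /etc/krb5.conf on the client (MIT Kerberos; all values are placeholders) ---
[libdefaults]
    default_realm = EXAMPLE.GOV

[realms]
    EXAMPLE.GOV = {
        kdc = kdc.example.gov
        # Use the smartcard through the OpenSC PKCS#11 module for PKINIT
        pkinit_identities = PKCS11:module_name=/usr/lib/opensc-pkcs11.so
        # CA certificate(s) trusted to have issued the KDC's certificate
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
    }

# --- ~/.ssh/config on the client ---
# No smartcard-specific settings: SSH only consumes the Kerberos ticket via GSS
Host *.example.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# --- /etc/ssh/sshd_config on the server ---
GSSAPIAuthentication yes
```

With this in place, kinit asks for the card PIN rather than a Kerberos password, and ssh authenticates with the resulting ticket. The server also needs a keytab for its own host principal.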


More information about the openssh-unix-dev mailing list