Alon Bar-Lev alon.barlev at
Thu Sep 27 18:28:22 EST 2007


On 9/25/07, Douglas E. Engert <deengert at> wrote:
> Another way to do this especially with HSPD-12 PIV cards is via Kerberos.
> Over the last few years, I have been working on the combination of
> kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate
> to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC
> PKCS#11. OpenSC has support for the PIV cards.

Kerberos is a single point of failure in terms of availability and security.
Even if Kerberos is a good solution for one domain network, how can
you access foreign networks?
And even if you Kerberos the whole world... How can you securely
access the Kerberos KDC when the KDC is down?

Just like OpenSSH can access file-based keys it should be able to use
smartcard-based keys and PKCS#11 is the common interface to access

