Douglas E. Engert deengert at
Fri Sep 28 01:05:52 EST 2007

Alon Bar-Lev wrote:
> Hello,
> On 9/25/07, Douglas E. Engert <deengert at> wrote:
>> Another way to do this especially with HSPD-12 PIV cards is via Kerberos.
>> Over the last few years, I have been working on the combination of
>> kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate
>> to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC
>> PKCS#11. OpenSC has support for the PIV cards.
> Kerberos is a single point of failure in terms of availability and security.
> Even if Kerberos is a good solution for one domain network, how can
> you access foreign networks?
> And even if you Kerberos the whole world... How can you securely
> access the Kerberos KDC when the KDC is down?
> Just like OpenSSH can access file based keys it should be able to use
> smartcard based keys and PKCS#11 is the common interface to access
> smartcards.

I was responding to the poster who said he was interested in using PIV cards.
Based on the name of his organization, I know that they are looking at using
the PIV cards with Kerberos and Active Directory, so I offered an alternative
way to use OpenSSH with Kerberos.

This is not to say that it's the only way. Adding your mods would be another.

