OpenSSH PKCS#11 merge

Iain Morgan imorgan at
Fri Sep 28 01:42:06 EST 2007

On Thu, Sep 27, 2007 at 10:05:52 -0500, Douglas E. Engert wrote:
> I was responding to the poster who said he was interested in using PIV cards.
> Based on the name of his organization, I know that they are looking at using
> the PIV cards with Kerberos and Active Directory, so I offered an alternative
> way to use OpenSSH with Kerberos.

And your input was appreciated. I haven't been involved sufficiently
in the HSPD-12 planning, so I was concerned as to how OpenSSH would
fit into this brave new world. I expect that the Kerberos approach
will be used.

> This is not to say that it's the only way. Adding your mods would be another.

Not having any first-hand experience with Kerberos, there might be some
cases where it could be problematic for us. I know some issues can be
addressed by cross-realm agreements, but we have users that ssh in
when on travel as well as users from academic or commercial sites that
may not have local Kerberos infrastructure. Since I'm Kerberos-ignorant,
there may already be ways to address these issues, but it would be
nice to have enhanced smartcard support as an alternative.


Iain Morgan

More information about the openssh-unix-dev mailing list