OpenSSH PKCS#11 merge

Alon Bar-Lev alon.barlev at
Sat Sep 29 18:08:23 EST 2007

Hello OpenSSH developers,

Please respond, a rejection is also a valid response...
For the last year or so, I have not received any formal response.

Please note that, for example, Red Hat[1] is patching OpenSSH with NSS
to work with PKCS#11, which is *HUGE* overhead and overly complex.

This is required functionality, and having each distribution introduce
its own solution is not a good solution for the end users.

Best Regards,
Alon Bar-Lev.


On 9/25/07, Alon Bar-Lev <alon.barlev at> wrote:
> [[Sending again, as for some strange reason it is not accepted]]
> Hello OpenSSH developers,
> I maintain an external patch for PKCS#11 smartcard support in
> OpenSSH[1]; many users already apply and use this patch.
> I wish to know if anyone is interested in working toward merging this
> into mainline.
> I had some discussion with Damien Miller, but then he disappeared.
> Having a standard smartcard interface will enable many users to have
> a more secure environment, without the need to acquire a card from a
> specific vendor.
> In order to merge it cleanly, we should also discuss a modification
> for the agent protocol. As smartcards are dynamic in nature, there
> should be an option for the agent to ask the caller to provide
> information, for example "Insert token <xxx>" or "Please enter
> passphrase for token <xxx>". The current implementation does not modify
> the agent protocol but executes a dialog from within the agent.
> Best Regards,
> Alon Bar-Lev
> [1]

More information about the openssh-unix-dev mailing list