OpenSSH PKCS#11 merge

Alon Bar-Lev alon.barlev at gmail.com
Sat Sep 29 18:08:23 EST 2007


Hello OpenSSH developers,

Please respond, a reject is also a valid response...
For the last year or so, I have not received any formal response.

Please note that, for example, Red Hat[1] is patching OpenSSH with NSS
to work with PKCS#11, which is a *HUGE* overhead/overcomplex.

This is required functionality, and having each distribution introduce
its own solution is not a good solution for the end users.

Best Regards,
Alon Bar-Lev.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=186469

On 9/25/07, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>
> [[Sending again, as for some strange reason it is not accepted]]
>
> Hello OpenSSH developers,
>
> I maintain an external patch for PKCS#11 smartcard support in
> OpenSSH[1]; many users already apply and use this patch.
>
> I wish to know if anyone is interested in working toward merging this
> into mainline.
>
> I had some discussion with Damien Miller, but then he disappeared.
>
> Having a standard smartcard interface will enable many users to have
> a more secure environment, without the need to acquire a card of a
> specific vendor.
>
> In order to merge it cleanly, we should also discuss a modification
> for the agent protocol. As smartcards are dynamic in nature, there
> should be an option for the agent to ask the caller to provide
> information, for example "Insert token <xxx>" or "Please enter
> passphrase for token <xxx>". The current implementation does not modify
> the agent protocol but executes the dialog from within the agent.
>
> Best Regards,
> Alon Bar-Lev
>
> [1] http://alon.barlev.googlepages.com/openssh-pkcs11
>


More information about the openssh-unix-dev mailing list