OpenSSH PKCS#11 merge

Alon Bar-Lev alon.barlev at
Tue Jan 1 01:53:43 EST 2008


Installed OpenBSD, applied this patch (ignore all missing files)
Add pkcs11.c into lib/Makefile.
Compile using:
CFLAGS="-DENABLE_PKCS11" LDFLAGS="-lpkcs11-helper" make

And it compiles and seems to be running.

The problem is that I don't have a working smartcard environment on OpenBSD.
Can anyone help?

Best Regards,
Alon Bar-Lev.

On 12/31/07, Alon Bar-Lev <alon.barlev at> wrote:
> Hello,
> Thanks to Ben's help, I released a new version of the PKCS#11 patch, available from:
> Most of the work is *BSD coding styles, I also allocated short options
> for the parameters, as I understand now that long options are not
> valid and configuration file for the agent will not be available.
> There is an agentless configuration now, mainly to be OpenSC
> compatible. This is not recommended as it loads all available keys of
> a provider into ssh, and will prompt for passphrase every time ssh is
> executed.
> I hope we will be able to resolve the last issue... How the agent
> protocol can support the dynamic nature of hardware cryptography... Or if
> there are any other suggestions of how the expected behavior might be.
> Best Regards,
> Alon Bar-Lev.
> ---
> ChangeLog:
> 20071229
>  - (alonbl) Indent file to meet BSD styles.
>  - (alonbl) Modify parameters (again) to meet BSD styles.
>    I truly regret that I keep modifying the parameters, I believe
>    this is not the last time, as I don't have full cooperation of
>    upstream.
>    Get provider keys:
>         Old:
>                 ssh-add --pkcs11-show-ids ...
>         New:
>                 ssh-keygen -K provider_info
>    Add key:
>         Old:
>                 ssh-add --pkcs11-add-id ...
>         New:
>                 ssh-add -I id [session_cache [cert_file]]
>    Agentless operation (not recommended, OpenSC compatibility):
>         New:
>                 ssh -# provider_info ...
>    Because I don't wish to add more switches, I added a format
>    for provider information:
>         lib[:prot_auth[:private_mode[:cert_is_private]]]
>    For most implementations specify only the library name.
>  - Rebase with openssh-4.7p1.
>  - (alonbl) Release 0.20

More information about the openssh-unix-dev mailing list