smart cards (was: OpenSSH daemon security bug?)

Martin Paljak martin at paljak.pri.ee
Wed Jan 6 19:59:04 EST 2010


On 06.01.2010, at 5:46, openssh-unix-dev-request at mindrot.org wrote:

> OpenSSH daemon security bug?


If you find passwords and/or password protected keys not secure, I would suggest using private keys on a smart card.

There's a bug (with patches) related to smart cards:
https://bugzilla.mindrot.org/show_bug.cgi?id=1371

I don't think that guessing about the protection of the private keys would make any sense. You can only be sure if you know that the private part of a keypair is well protected. Hints from the client can't be trusted either.


PKCS#11 is a well known, mature interface for interacting with cryptographic objects; there has been a patch for OpenSSH out there for years, but no interest whatsoever to integrate it. Instead, OpenSSH directly links in an incomplete way against libopensc (OpenSC). OpenSC does not encourage linking against libopensc unless there is a reason to do it, which OpenSSH does not seem to have. It also limits OpenSSH smartcard support to only the set of cards supported by OpenSC (there are more PKCS#11 libraries out there).


Martin, OpenSC dev.
-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
