PKCS11: selecting which key to use

NdK ndk.clanbo at gmail.com
Thu Feb 17 22:49:50 EST 2011


Hello.

Just popping in (not subscribed, please CC) to ask if it's planned to
add "identity selection" when using a PKCS#11 provider.

To be more clear: I have a (working) reader+smartcard, handled by
 PKCS11Provider /usr/lib/opensc-pkcs11.so
statement in config file.
Card is "formatted" w/ "pkcs15-init -C", and got a couple PINs, some
mail certs and some keypairs added.

Seems it works as expected *IF* the only (or first) on-card keypair is
the one to be used for SSH. If it's after other keys/certs there's no
way (I know of) to avoid testing all the preceding keys (that's really
heavy: I have had 58 2048bit RSA keypairs on a single MyEID card during
test phase!).
The result is that I always get a "Too many authentication failures" error.

Maybe a semantic extension for '-i' parameter, to use the given key ID?

Please, don't tell me "use a card only for SSH"... That would be just a
workaround and a real waste (of money and resources)...

Tks.

BYtE!

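One workaround for the problem described above, added here as an example and not part of the original post: export the one on-card public key you want for SSH and pin ssh to it with `IdentitiesOnly`, so the other keys exposed by the PKCS#11 provider are never offered and never count against the server's MaxAuthTries. It assumes an OpenSSH whose `IdentitiesOnly` also filters `PKCS11Provider` keys (as documented in current ssh_config(5)); the card listing below is constructed, standing in for the output of `ssh-keygen -D /usr/lib/opensc-pkcs11.so`.

```shell
#!/bin/sh
# Constructed stand-in for `ssh-keygen -D /usr/lib/opensc-pkcs11.so` output:
# one "ssh-rsa <base64> <comment>" line per on-card key (blobs are fake).
CARD_LISTING='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake1 mail-signing
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake2 mail-encryption
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake3 ssh-login'

# count_token_keys LISTING
# Number of keys ssh would otherwise try, in order, before reaching yours.
count_token_keys() {
    printf '%s\n' "$1" | grep -c '^ssh-'
}

# select_token_key LISTING PATTERN
# Prints the first listed public key whose line contains PATTERN (a fixed
# string such as the key comment or a distinctive part of the base64 blob).
# Returns 1 if nothing matches, so callers do not silently pin an empty key.
select_token_key() {
    match=$(printf '%s\n' "$1" | grep -F -- "$2" | head -n 1)
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
}

# export_ssh_key LISTING PATTERN OUTFILE
# Writes the chosen public key to OUTFILE, ready to use as IdentityFile.
export_ssh_key() {
    select_token_key "$1" "$2" > "$3"
}

# card_host_config HOST KEYFILE PROVIDER
# Emits an ssh_config Host block: the provider still exposes every key on the
# card, but IdentitiesOnly restricts the offered identities to KEYFILE, whose
# private half is found on the token by matching the public key.
card_host_config() {
    printf 'Host %s\n' "$1"
    printf '    PKCS11Provider %s\n' "$3"
    printf '    IdentityFile %s\n' "$2"
    printf '    IdentitiesOnly yes\n'
}

# Typical use with a real card:
#   ssh-keygen -D /usr/lib/opensc-pkcs11.so > listing.txt
#   export_ssh_key "$(cat listing.txt)" ssh-login ~/.ssh/card-ssh.pub
#   card_host_config bastion ~/.ssh/card-ssh.pub /usr/lib/opensc-pkcs11.so >> ~/.ssh/config
```

Verify the effect with `ssh -v host`: the debug output should show only the pinned key being offered, instead of one "Offering public key" line per card key.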

More information about the openssh-unix-dev mailing list