[Bug 1371] Add PKCS#11 (Smartcards) support into OpenSSH

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Jun 18 15:22:28 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1371
--- Comment #42 from Alon Bar-Lev <alon.barlev at gmail.com>  2008-06-18 15:22:25 ---
Hello,

People are using smartcards without an agent. This is why I added
support for agent-less PKCS#11 as parameter -#.

Working in tty mode will not allow the askpass to work, although I have
an ncurses askpass implementation that is working, people want to use
OpenSSH without UI.

I wanted to replace current smartcard implementation with standard one,
without changing the way people use it. Andreas Jellinghaus was one of
the people who insisted that nobody will use this unless agent-less
configuration is supported.

Making OpenSSH support several agents is great! People will love it,
especially those who use OpenPGP smartcards and use the gnupg's
scdaemon.

But for this to be valid OpenSSH should provide a development
environment for agents, so that it will be easy to implement and
maintain an agent. For example, an agent library and headers with more
or less static interface should be installed with OpenSSH.

I already maintain gnupg's scdaemon replacement for PKCS#11 [1] as
Werner does not agree to merge PKCS#11 into mainline. And as there is no
agent library available I need to chase the gnupg implementation and copy
relevant parts each time.

But there is something to learn from gnupg... it always uses the agent; if
there is none it executes one for the current session. This allows
having simpler utilities and also the agent functionality without
modifying the utilities. Maybe you need to do the same for OpenSSH, so
that the whole private key logic will exist in one place. This and
multiple agent support will allow extending OpenSSH better.

But while thinking of extending OpenSSH, a better test case for proper
agent support would be to allow, for example, the X.509 patch to exist as a
separate agent. And maybe extend the agent interface to allow adding
new authentication algorithms. Then I am sure I will be able to provide
an external PKCS#11 agent implementation, as other people may provide an
external GSSAPI agent implementation or any other.

Thanks,

[1] http://gnupg-pkcs11.sourceforge.net/
