[Bug 1371] Add PKCS#11 (Smartcards) support into OpenSSH

bugzilla-daemon at bugzilla.mindrot.org
Mon Jun 30 16:03:10 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1371
--- Comment #53 from Alon Bar-Lev <alon.barlev at gmail.com>  2008-06-30 16:03:05 ---
(In reply to comment #52)
> What defines a "smartcard session"?

The provider/card derives it from the security constraint on key usage. For
example, there are keys that may only be used once after authentication,
or there may be a timeout of 1 minute for private key operations and
then forced re-authentication.

> As for poweroff/removal, the cleanest way to deal with these is simply
> to invalidate all keys that were hosted on the card and force the user
> to re-add them.

This is the source of the difference between hardware cryptography and
software cryptography.

In many cases the smartcard is also used in order to open the door to
one's office. So even when you go to drink some water you have to take
the smartcard with you. And if you have several computers (disconnected
from each other) you need to remove the card from one computer and
insert it into another to switch computers.

Removing and inserting the smartcard is frequent; forcing the user to take
action or invalidating sessions because of it makes the complex
environment even more difficult to handle.

Just imagine that you need to re-add keys to the agent every time you
return to your computer after being away from it even a few steps!

Specifying the PIN when you add the key into the agent will be good as
long as the smartcard is not removed. It is a security risk: if one
finds another smartcard and plugs it in, he should not be able to use its
resources.

The behavior of dynamic "need token", "need passphrase" was
successfully tested and accepted by users who use this patch, OpenVPN,
GnuPG scd (which does ask for the passphrase correctly but fails if the token is
not available, but it does not have sessions), eCryptfs, and QCA-based
(PSI, Iris and I hope soon KDE).
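The "need token" / "need passphrase" behaviour argued for in the comment above, as an added model that is not OpenSSH code or part of the patch: a key hosted on a removed token stays registered but is marked "need token", the same token returning only demands the PIN again, and a different token never satisfies the key. `TOKEN_PINS`, the serials and the PINs are constructed sample data standing in for the card's own PIN check.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample tokens (serial -> PIN the card would verify); this
# dict stands in for the PIN verification a real PKCS#11 token performs.
TOKEN_PINS = {"card-A": "1234", "card-B": "9999"}

class State(Enum):
    READY = "ready"               # token present and PIN verified: can sign
    NEED_TOKEN = "need token"     # hosting token absent: prompt for it on use
    NEED_PIN = "need passphrase"  # token present, PIN not (re)verified yet

@dataclass
class Key:
    key_id: str
    token_serial: str             # the only token allowed to serve this key
    state: State = State.NEED_TOKEN

@dataclass
class Agent:
    keys: dict = field(default_factory=dict)   # key_id -> Key
    present: set = field(default_factory=set)  # serials currently inserted

    def insert_token(self, serial):
        self.present.add(serial)
        for k in self.keys.values():
            if k.token_serial == serial and k.state is State.NEED_TOKEN:
                k.state = State.NEED_PIN   # same card is back: only the PIN is needed

    def remove_token(self, serial):
        self.present.discard(serial)
        for k in self.keys.values():
            if k.token_serial == serial:
                k.state = State.NEED_TOKEN # keep the key, forget the cached PIN

    def add_key(self, key_id, serial, pin):
        self.keys[key_id] = Key(key_id, serial)
        if serial in self.present:
            self.keys[key_id].state = State.NEED_PIN
        return self.unlock(key_id, pin)

    def unlock(self, key_id, pin):
        k = self.keys[key_id]
        if k.state is State.NEED_TOKEN or k.token_serial not in self.present:
            return False                   # no token, or a foreign one: refuse
        if TOKEN_PINS.get(k.token_serial) == pin:
            k.state = State.READY
        return k.state is State.READY

    def sign(self, key_id):
        k = self.keys[key_id]
        return k.state is State.READY and k.token_serial in self.present
```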
