[Bug 1371] Add PKCS#11 (Smartcards) support into OpenSSH

bugzilla-daemon at bugzilla.mindrot.org
Mon Aug 17 16:27:51 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1371


Martin Paljak <martin at paljak.pri.ee> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin at paljak.pri.ee


--- Comment #60 from Martin Paljak <martin at paljak.pri.ee> 2009-08-17 16:27:50 EST ---
(In reply to comment #50)
> Better IMO to cache the pin in the agent at the time the key is added -
> this is what the existing smartcard support does. Caching the pin in
> the agent is no additional security risk - if the agent host were
> compromised then an attacker could just as easily steal the pin when it
> was used.
PIN caching (or the assumption that this is the always right thing to
do) is something that usually breaks secure PIN entry (pinpads). As
Alon said, caching PINs is something that requires argumentation,
documentation and a really good reason in the first place.

Upgrading to smart cards often translates from "we have keyfiles with
passwords" to "we have smart cards with pins", which seems to nicely
fit into the existing architecture/api, but totally forgets pinpad
readers which is a reason they hardly ever work as expected on Linux
(or OS X, or Windows ...)

It has been two years since the initial post + patches; what has
been/can be done to get this thing moving forward?
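
Added example (editor's illustration, not code from this bug thread or from
OpenSSH): the point above is that an agent which always prompts for the PIN on
the host, and then caches it, silently assumes the host is where the PIN is
entered. PKCS#11 tells a client otherwise through CK_TOKEN_INFO.flags:
CKF_LOGIN_REQUIRED says a login is needed at all, and
CKF_PROTECTED_AUTHENTICATION_PATH says the reader (pinpad) collects the PIN,
in which case C_Login is called with a NULL PIN and the host never holds one.
The flag and return-code constants are from the PKCS#11 v2.20 spec; FakeToken
is a constructed stand-in for a token, not a real module, and its rejection of
a host-supplied PIN on a pinpad token is an assumption made to make the misuse
visible (real modules may ignore the PIN or fail differently).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

# Bit values from CK_TOKEN_INFO.flags and CK_RV codes in the PKCS#11 v2.20 spec.
CKF_LOGIN_REQUIRED = 0x00000004
CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100
CKR_OK = 0x00000000
CKR_ARGUMENTS_BAD = 0x00000007
CKR_PIN_INCORRECT = 0x000000A0


class LoginMode(Enum):
    NONE = "token needs no login"
    PINPAD = "PIN is entered on the reader; C_Login gets NULL, host never sees it"
    HOST_PIN = "PIN is collected on the host; caching it is a separate policy decision"


def login_mode(token_flags: int) -> LoginMode:
    """Derive how a client must authenticate from the token's flag word."""
    if not token_flags & CKF_LOGIN_REQUIRED:
        return LoginMode.NONE
    if token_flags & CKF_PROTECTED_AUTHENTICATION_PATH:
        return LoginMode.PINPAD
    return LoginMode.HOST_PIN


@dataclass
class FakeToken:
    """Constructed stand-in for a PKCS#11 token (hypothetical, not a real module).

    It models only the C_Login rule: with a protected authentication path the
    application passes NULL and the reader collects the PIN itself.  This fake
    rejects a host-supplied PIN in that case so the misuse is visible; real
    modules may ignore it or fail differently.
    """
    flags: int
    user_pin: Optional[bytes] = None  # what the card holds; the host never needs it
    logged_in: bool = False
    pinpad_entries: int = 0           # how often the user typed on the pinpad

    def C_Login(self, pin: Optional[bytes]) -> int:
        if self.flags & CKF_PROTECTED_AUTHENTICATION_PATH:
            if pin is not None:
                return CKR_ARGUMENTS_BAD      # caller ignored the protected path
            self.pinpad_entries += 1          # PIN is entered on the reader
            self.logged_in = True
            return CKR_OK
        if pin is None:
            return CKR_ARGUMENTS_BAD
        if pin != self.user_pin:
            return CKR_PIN_INCORRECT
        self.logged_in = True
        return CKR_OK


def naive_add_key(token: FakeToken,
                  ask_pin: Callable[[], bytes]) -> Tuple[int, Optional[bytes]]:
    """The pattern the comment criticises: always prompt on the host, then cache.

    Returns (CK_RV, PIN the agent would now be holding).
    """
    pin = ask_pin()
    return token.C_Login(pin), pin


def pinpad_aware_add_key(token: FakeToken,
                         ask_pin: Callable[[], bytes]) -> Tuple[int, Optional[bytes]]:
    """Consult the token flags first; a pinpad token never hands a PIN to the host."""
    mode = login_mode(token.flags)
    if mode is LoginMode.NONE:
        return CKR_OK, None
    if mode is LoginMode.PINPAD:
        return token.C_Login(None), None      # nothing to cache, by construction
    pin = ask_pin()
    return token.C_Login(pin), pin            # host-entered PIN; caching is now a choice
```

With a pinpad token the naive path fails (and has already pulled a PIN through
the host), while the flag-aware path logs in without ever calling the prompt,
so there is nothing for the agent to cache; on a plain token both paths behave
the same and the caching question is left to policy rather than decided by
accident.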
