openssh and pkcs#11

Alon Bar-Lev alon.barlev at gmail.com
Wed Oct 12 02:19:20 EST 2005
Hello Andreas,

On 10/11/05, Andreas Jellinghaus <aj at dungeon.inka.de> wrote:
> Peter Koch pointed me to your posting on openssh-devel mailing list.

I am very glad that he did.

> I'm one of the opensc people, and from my point of view your idea
> is a good one. The current openssh-opensc code has a number of issues,
> for example the ssh-agent does not test the pin properly or ssh does
> not ask for a pin, unless patched. Also the ssh-agent does not forget
> the pin if the card is removed :(
>
> So I think it is a good idea to move from opensc interface to pkcs#11
> and new code with - I hope :) - those issues fixed.

I think the main reason to go into PKCS#11 is that it is more
standard, and widely supported... Opensc is a good project to support
PKCS#15 smartcards... But PKCS#11 is the right way to go when dealing
with applications. The fact that opensc supports PKCS#11 (not very
well... but it is supported) makes the decision easier.

> Your comment on libp11 is right. currently we only made
> the code we used elsewhere a standalone project, and haven't given
> it much thought or work. I think the idea of having a common library
> is good, to minimize code duplication (and using pkcs#11 directly is
> not that easy). But that doesn't mean it is tied to the current code.
> That code is only what was available at no cost.

Yes... I figured it out... This is why I didn't use it.
But I don't agree that using PKCS#11 directly is not that easy...
PKCS#11 is quite a simple API...
The complex issue is to integrate with openssl... without the overhead of
reloading objects...
Another issue is to deal with prompting the user to insert his card...
Also, it is very difficult to support a plug&play environment...
All these almost always must be dealt with at the application level...

> Feedback on improving libp11 is always welcome, or even suggestions
> for a total replacement.

OK...  I will send them off-topic.

> anyway, back to the main issue: if you implement pkcs#11 support for
> openssh, I would be very interested in testing and using it.
> If there is anything I can help with, please let me know.
> (but I'm quite busy at the moment with opensc and stuff, but I hope
> once we have the next release out of the door that will improve.)

Thanks!!!
But I still did not receive the OK I need in order to start developing
openssh support for PKCS#11.
I am still waiting...

Best Regards,
Alon Bar-Lev
