[ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.07)

Alon Bar-Lev alon.barlev at gmail.com
Mon Feb 13 06:08:02 EST 2006


Hello,

The version 0.07 of "PKCS#11 support in OpenSSH" is published.

Changes:
1. Updated against OpenSSH 4.3p1.
2. Ignore '\r' at password prompt, cygwin/win32 password
prompt support.
3. Workaround for iKey PKCS#11 provider bug.
4. Some minor cleanups.
5. Allow clean merge of Roumen Petrov's X.509 patch (version
5.3) after this one.

[[[ The patch-set is too large for posting in the list... If
you are interested in reviewing it, please send me an email
(mailto:alon.barlev at gmail.com) ]]]

I will appreciate any comments/suggestions.

Enjoy,
Alon Bar-Lev.

---

Instructions:

The PKCS#11 patch modifies ssh-add and ssh-agent to support
PKCS#11 private keys and certificates.

It allows using multiple PKCS#11 providers at the same time,
selecting keys by id, label or certificate subject, handling
card removal and card insert events, handling card re-insert
to a different slot, supporting session expiration.

A valid X.509 certificate should exist on the token; without
X.509 support it is exported as a regular RSA key. Self-signed
certificates are treated as RSA keys and not as X.509 RSA
keys. There is a simple utility Timo Felbinger wrote
(http://www.timof.qipc.org/x509toOpenSSH.c) that extracts the
ssh public key from an X.509 certificate.

If you want X.509 support, apply the X.509 patch *AFTER* the
PKCS#11 patch.

One significant change is that ssh-agent now prompts for
passwords... So you need to configure it with a program that
asks for card insertion or the PIN, such as x11-ssh-askpass.
The existing behaviour (ssh-add asks for passwords) is not
suitable for a dynamic smartcard environment.

The current implementation also uses the askpin program for
prompting card insertion... Don't be confused: there it only
expects ok or cancel. Attached are simple scripts that use KDE
and .NET to display these dialogs.

You can view full usage by:
$ ssh-agent /bin/sh
$ ssh-add -h

A common scenario is the following:

$ ssh-agent /bin/sh
$ ssh-add --pkcs11-ask-pin `which openssh-kde-dialogs.sh`
$ ssh-add --pkcs11-add-provider --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
$ ssh-add --pkcs11-add-id --pkcs11-slot-type label --pkcs11-slot "MyToken" --pkcs11-id-type subject --pkcs11-id "/C=XX/CN=YY"
$ ssh myhost

In order to see available objects, you can use:

$ ssh-add --pkcs11-show-slots --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
$ ssh-add --pkcs11-show-objects --pkcs11-provider /usr/lib/pkcs11/MyProvider.so --pkcs11-slot 0
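An added example of an askpin helper for the --pkcs11-ask-pin option used in the scenario above; it is written for this write-up and is not the script attached to the original mail. It assumes the agent runs the program with the prompt text as its first argument, reads the PIN from standard output, and for the card-insert prompt only looks at the exit status (ok or cancel); the rule that decides which kind of prompt was shown is a guess, and kdialog is assumed to be installed.

```sh
#!/bin/sh
# Added example askpin helper, not the script attached to the original mail.
# Assumed contract: ssh-agent runs this program with the prompt text as $1,
# reads the PIN from stdout, and for a card-insert prompt only looks at the
# exit status (0 = ok, anything else = cancel). kdialog is assumed present.

# Decide which dialog to show. The matching rule is an assumption: the real
# prompt wording comes from the patched agent.
prompt_kind() {
    case "$1" in
        *PIN*)       echo pin ;;
        *[Ii]nsert*) echo insert ;;
        *)           echo pin ;;
    esac
}

# Run only when the agent actually passed a prompt.
if [ $# -gt 0 ]; then
    if [ "$(prompt_kind "$1")" = insert ]; then
        # Card-insert prompt: the agent only wants ok (0) or cancel (1).
        kdialog --title "ssh-agent" --yesno "$1"
        exit $?
    fi
    # PIN prompt: the PIN goes to stdout for the agent and nowhere else.
    pin=$(kdialog --title "ssh-agent" --password "$1") || exit 1
    [ -n "$pin" ] || exit 1
    printf '%s\n' "$pin"
fi
```

Pass the script's path to ssh-add --pkcs11-ask-pin in place of openssh-kde-dialogs.sh.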

More information about the openssh-unix-dev mailing list