Alon Bar-Lev
2007-Jan-05 16:21 UTC
Announce: PKCS#11 support version 0.18 in OpenSSH 4.5p1
Hi All,

The version of "PKCS#11 support in OpenSSH" is ready for download. On the download page http://alon.barlev.googlepages.com/openssh-pkcs11 you can find a patch for OpenSSH 4.5p1.

Most of the PKCS#11 code is now moved to a standalone library which I call pkcs11-helper; this library is used by all projects that I added PKCS#11 support into. The library can be downloaded from: http://www.opensc-project.org/pkcs11-helper

As a result the patch is much smaller now, and maybe I will be able to get some feedback from core OpenSSH developers? :)

The way identity is loaded now into the agent was modified, please refer to the README.pkcs11 for more details.

What I wish to discuss is how to further integrate it into OpenSSH. So far I touched the minimum required code (ssh-agent, ssh-add). But I would like to discuss configuration file support for ssh-agent in order to allow it to load providers on startup, and maybe the use of PKCS#11 in non-agent configurations.

But the most important issue is how to handle dynamic PIN entry... The current protocol between ssh and the agent assumes that keys are always authenticated, but what happens if a smartcard is removed and inserted? The agent must un-authenticate the key, and a PIN should be prompted at next usage. So I think that the ssh-agent protocol should be modified to allow an application to be notified that the requested key is unauthenticated, and to support an authentication verb.

What's new:

20070105
- (alonbl) Removed pkcs11-helper since it is now a standalone library.
- (alonbl) Default is PKCS#11 support disabled; to enable, configure with --with-pkcs11.
- (alonbl) Rebase with openssh-4.5p1.
- (alonbl) Release 0.18

20061023
- (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.
- (alonbl) Release 0.17

20061020
- (alonbl) Major modification of ssh-add command-line parameters. Now a complete serialized certificate needs to be specified, in order to allow people to add an id without forcing the card to be available. But to allow completely silent addition a certificate file is also needed.
  --pkcs11-show-ids is used in order to get a list of resources.
  --pkcs11-add-id --pkcs11-id <serialized id> \
      [--pkcs11-cert-file <cert_file>]
- (alonbl) PKCS#11 release 0.16

20061012
- (alonbl) OpenSC bug workaround.
- (alonbl) PKCS#11 release 0.15

Best Regards,
Alon Bar-Lev.
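The PIN-entry problem raised above, as an added example that is not part of the original post, the patch, or OpenSSH itself: a toy ssh-agent that speaks the real agent message numbers (SSH_AGENT_FAILURE, SSH2_AGENTC_SIGN_REQUEST, and so on) and tracks whether a PKCS#11 token is logged in. With the unmodified protocol the only thing the agent can say about a key whose card was pulled and re-inserted is SSH_AGENT_FAILURE, so the client cannot tell "no such key" from "PIN required". The extension the post asks for is modelled with two hypothetical message numbers (X_AGENT_KEY_UNAUTHENTICATED and X_AGENTC_AUTHENTICATE, assumed here, present in no real agent), and the card, the key blob, the PIN and the HMAC standing in for the card's RSA signature are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Message numbers of the real ssh-agent protocol (OpenSSH PROTOCOL.agent).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_SIGN_REQUEST = 13
SSH2_AGENT_SIGN_RESPONSE = 14

# Hypothetical numbers for the extension discussed in the post; these are
# assumptions of this example and exist in no real agent.
X_AGENTC_AUTHENTICATE = 200        # client -> agent: key blob, PIN
X_AGENT_KEY_UNAUTHENTICATED = 201  # agent -> client: key known, PIN required


def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


class Token:
    """Stand-in for a PKCS#11 token: private-key use requires a login."""

    def __init__(self, pin: bytes, secret: bytes):
        self._pin, self._secret = pin, secret
        self.present, self.logged_in = True, False

    def login(self, pin: bytes) -> bool:
        self.logged_in = self.present and hmac.compare_digest(pin, self._pin)
        return self.logged_in

    def remove(self):
        self.present = self.logged_in = False

    def insert(self):
        self.present = True  # a re-inserted card starts logged out

    def sign(self, data: bytes) -> bytes:
        if not (self.present and self.logged_in):
            raise PermissionError("CKR_USER_NOT_LOGGED_IN")
        # HMAC-SHA256 stands in for the RSA signature the card would compute.
        return hmac.new(self._secret, data, hashlib.sha256).digest()


class Agent:
    def __init__(self, extended: bool):
        self.extended = extended  # True: speaks the hypothetical extension
        self.keys = {}            # key blob -> (comment, Token)

    def add(self, blob: bytes, comment: bytes, token: Token):
        self.keys[blob] = (comment, token)

    def handle(self, req: bytes) -> bytes:
        t, body = req[0], req[1:]
        if t == SSH2_AGENTC_REQUEST_IDENTITIES:
            out = struct.pack(">I", len(self.keys))
            for blob, (comment, _) in self.keys.items():
                out += put_string(blob) + put_string(comment)
            return bytes([SSH2_AGENT_IDENTITIES_ANSWER]) + out
        if t == SSH2_AGENTC_SIGN_REQUEST:
            blob, off = get_string(body, 0)
            data, off = get_string(body, off)  # trailing uint32 flags ignored
            if blob not in self.keys:
                return bytes([SSH_AGENT_FAILURE])
            try:
                sig = self.keys[blob][1].sign(data)
            except PermissionError:
                if self.extended:
                    return bytes([X_AGENT_KEY_UNAUTHENTICATED]) + put_string(blob)
                return bytes([SSH_AGENT_FAILURE])  # all the current protocol can say
            return bytes([SSH2_AGENT_SIGN_RESPONSE]) + put_string(sig)
        if t == X_AGENTC_AUTHENTICATE and self.extended:
            blob, off = get_string(body, 0)
            pin, _ = get_string(body, off)
            ok = blob in self.keys and self.keys[blob][1].login(pin)
            return bytes([SSH_AGENT_SUCCESS if ok else SSH_AGENT_FAILURE])
        return bytes([SSH_AGENT_FAILURE])


def client_sign(agent: Agent, blob: bytes, data: bytes, ask_pin):
    """Client side: sign; on the extension's 'unauthenticated' reply, prompt once and retry."""
    req = bytes([SSH2_AGENTC_SIGN_REQUEST]) + put_string(blob) + put_string(data) + struct.pack(">I", 0)
    resp = agent.handle(req)
    if resp[0] == X_AGENT_KEY_UNAUTHENTICATED:
        auth = bytes([X_AGENTC_AUTHENTICATE]) + put_string(blob) + put_string(ask_pin())
        if agent.handle(auth)[0] != SSH_AGENT_SUCCESS:
            return None
        resp = agent.handle(req)
    return get_string(resp, 1)[0] if resp[0] == SSH2_AGENT_SIGN_RESPONSE else None


def demo():
    """Card removed and re-inserted between two signatures, under both protocols."""
    tok = Token(pin=b"1234", secret=b"constructed-card-secret")
    blob, data = b"constructed-ssh-rsa-blob", b"session-id||userauth-request"
    results = {}
    for name, ext in (("current", False), ("extended", True)):
        agent = Agent(extended=ext)
        agent.add(blob, b"pkcs11:demo", tok)
        tok.login(b"1234")
        first = client_sign(agent, blob, data, lambda: b"1234")
        tok.remove()
        tok.insert()  # login state is gone; the agent must re-prompt
        second = client_sign(agent, blob, data, lambda: b"1234")
        results[name] = (first is not None, second is not None)
    return results


if __name__ == "__main__":
    print(demo())
```

Under the current protocol the second signature fails outright; with the extension the agent answers with the key blob that needs a PIN, the client prompts, sends the authentication verb, and retries. Whatever message numbers a real extension would use, the design point is the same: the agent must track per-key login state and must have a reply other than SSH_AGENT_FAILURE for "present but unauthenticated".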