Hi all,
as an example of SSP-Lite middleware, I modified the
OpenSSH-2.9p2 sources to support Smart Cards.
The new module is just an experiment. It uses an
OpenSSL's new RSA method I built to communicate
with the smartcard through the SSP/PCSC stack
when normal OpenSSL RSA operations are invoked
by OpenSSH.
I couldn't embed the module as I wanted into the OpenSSH
sources because of the lack of generality of the "key.h"
interface. I have some ideas to change that.
If anybody is interested in using/testing/developing,
please write to the smartsign mailing list.
A quick overview of the module follows.
Thank you for your attention.
Best regards,
Tommaso Cucinotta.
************************************************************
This is a modified version of the OpenSSL 2.9p2 source tree,
containing an experimental, pre-pre-alpha, smartcard module
for use with SSP-Lite from the SmartSign project
(http://smartsign.sourceforge.net)
Summary of changes:
- Requires PCSC-Lite, a PCSC reader driver,
SSP-Lite and a SSP-Lite card driver (actually
only Schlumberger Cyberflex Access 16K supported)
- Enabling SSP-Lite module during configuration
./configure --with-ssplite
- Building modified programs
. make ssh-agent
. make ssh-add
. make ssh-keygen
** DO NOT TRY TO BUILD OTHER OPEN-SSH STUFF, PLEASE **
- ssh-agent
. Launch as usual, here you don't need anything special
- ssh-add
. Launch with the '-sc' option to add the smartcard
identity: you will be prompted with smartcard PIN
. Launch as usual to add other (file) identities
. Use 'ssh-add -L' to view the actual smartcard
identity
. After adding the identity, use the NORMAL ssh client
to connect to a remote server using the smartcard
- ssh-keygen
. Launch with the '-t rsa-sc' option to generate a
keypair and store it on the smartcard. Please, note
that after key generation the program will fail,
but key generation/storing process would be fine.
Try a 'eval `./ssh-agent`; ssh-add -L' to view
new identity public information
. Launch as usual to generate file-based key pairs.
. Sorry, this is really unfinished, yet. I couldn't
figure out how to embed the key generation process
in the OpenSSH framework...
- For further information, please, refer to the SmartSign
mailing list:
smartsign-users at lists.sourceforge.net
************************************************************
--
/------------------------------------------------\
| Dr. Tommaso Cucinotta <t.cucinotta at sssup.it> |
+------------------------------------------------+
| Scuola Superiore di Studi Universitari |
| e Perfezionamento S.Anna |
| Pisa Italy |
\------------------------------------------------/