Hi all,

I'm new to this mailing list, so I apologize if my question
is "obsolete" for you.

I'd like to know if anybody has a clear idea about
how to connect smartcards to the SSH framework.

I already got a modified ssh-agent (by Stephen Pellicer)
that uses SSP-Lite (CyberflexAccess driver by me)
in order to use the smartcard instead of the HD files.

Instead, I'd like to INTEGRATE that with the
original, file-based, ssh environment.

I'd like to know what you think about this, and
HOW the work should be accomplished, to maintain
your kind of architecture (ssh-agent, ssh-add, ...).

I'd like to know what PAM is used for, in the ssh
framework, too (sorry if I missed some/many docs
from your site).

Many thanks in advance to everybody,

bye,

	Tommaso Cucinotta.

--
/------------------------------------------------\
| Dr. Tommaso Cucinotta <t.cucinotta at sssup.it> |
+------------------------------------------------+
|     Scuola Superiore di Studi Universitari     |
|            e Perfezionamento S.Anna            |
|                  Pisa  Italy                   |
\------------------------------------------------/
On Tue, Oct 17, 2000 at 08:26:39PM +0200, Tommaso Cucinotta wrote:
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.
>
> I already got a modified ssh-agent (by Stephen Pellicer)
> that uses SSP-Lite (CyberflexAccess driver by me)
> in order to use the smartcard instead of the HD files.

this is what i'm going to do and i think this is the best
way to integrate smartcard support. do you have pointers
to these modifications or any other info?

> Instead, I'd like to INTEGRATE that with the
> original, file-based, ssh environment.

how?

> I'd like to know what you think about this, and
> HOW the work should be accomplished, to maintain
> your kind of architecture (ssh-agent, ssh-add, ...).

i don't understand what you exactly want...

-markus
> From: Tommaso Cucinotta <t.cucinotta at sssup.it>
> To: openssh-unix-dev at mindrot.org
> Subject: Smartcards & SSH
>
> Hi all,
>
> I'm new to this mailing list, so I apologize if my question
> is "obsolete" for you.
>
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.

We use SecurID tokens via PAM and radius with OpenSSH on Solaris and
Loonucks. Nothing fancy required to do this, just a PAM radius agent.

Carl
On Tue, 17 Oct 2000, Tommaso Cucinotta wrote:

> Hi all,
>
> I'm new to this mailing list, so I apologize if my question
> is "obsolete" for you.
>
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.
>
> I already got a modified ssh-agent (by Stephen Pellicer)
> that uses SSP-Lite (CyberflexAccess driver by me)
> in order to use the smartcard instead of the HD files.
>
> Instead, I'd like to INTEGRATE that with the
> original, file-based, ssh environment.

What do you mean by this? Surely you would prefer to keep the keys
(and preferably the action of signing) on the cards themselves?

> I'd like to know what you think about this, and
> HOW the work should be accomplished, to maintain
> your kind of architecture (ssh-agent, ssh-add, ...).

Smartcard integration would best be done at the ssh-agent level. Since
it already does the signing of challenges internally, it wouldn't be
too much effort to hand this over to the card via pkcs#11 or whatever.
You might need a ssh-keygen-smartcard, which would probably also pass
the operations off to the card.

If the cards that you are using don't do crypto, then you would
probably best modify ssh-add to read the keys and hand them to
ssh-agent. ssh-keygen would need to be modified to store its keys in
the cards (or you could use a transfer utility).

> I'd like to know what PAM is used for, in the ssh
> framework, too (sorry if I missed some/many docs
> from your site).

PAM support is used for password authentication and enforcing account
restrictions. Some work is underway for more complete PAM support
using SSH2's kbd-interactive authentication mode.

-d

--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare.  Now, thanks to the Internet, /
| we know this is not true.'' - Robert Wilensky UCB  / http://www.mindrot.org
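Damien's suggestion above (keep the split at the ssh-agent level, let the agent hold some keys in memory and reach others only through the card, and hand the signing itself to the card) as a runnable sketch. This is an added example and not OpenSSH code: the Card class, its PIN handling and the PKCS#11-style sign call are constructed stand-ins, and the RSA is textbook (no padding, moduli built from known Mersenne primes) purely so it runs with the standard library. The point it demonstrates is that a card-backed identity is only a handle plus the public half, that the PIN is asked at signing time where the passphrase prompt would be, and that one sign request serves both kinds of key.

```python
"""Agent-level smartcard integration, sketched in Python.

Added example, not OpenSSH code. Card stands in for a token behind a
PKCS#11-style driver; the RSA is textbook (unpadded, Mersenne-prime
moduli) so it runs on the standard library alone. Everything is
constructed: it shows the agent architecture, not a scheme to deploy."""
import hashlib
import hmac

E = 65537

def toy_keypair(p: int, q: int):
    """Constructed RSA key from two known primes; returns (n, e, d)."""
    return p * q, E, pow(E, -1, (p - 1) * (q - 1))

def _digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big")

def rsa_sign(d: int, n: int, challenge: bytes) -> int:
    return pow(_digest(challenge), d, n)  # textbook, unpadded

def rsa_verify(n: int, e: int, challenge: bytes, sig: int) -> bool:
    return pow(sig, e, n) == _digest(challenge)  # digest < n for these moduli

def fingerprint(n: int, e: int) -> str:
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:16]

class Card:
    """The token: d lives only here; the agent asks it to sign after a PIN login."""
    def __init__(self, pin: str, n: int, e: int, d: int, tries: int = 3):
        self._pin, self._d = pin.encode(), d
        self.n, self.e = n, e  # public half, readable without a PIN
        self.tries_left, self._unlocked = tries, False

    def login(self, pin: str) -> bool:
        if self.tries_left == 0:
            raise PermissionError("card blocked: PIN retry counter exhausted")
        if hmac.compare_digest(pin.encode(), self._pin):
            self._unlocked = True
            return True
        self.tries_left -= 1
        return False

    def sign(self, challenge: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("PIN required")
        return rsa_sign(self._d, self.n, challenge)

class MemoryKey:
    """File-based identity as ssh-add loads it: d sits in agent RAM."""
    holds_private = True

    def __init__(self, n: int, e: int, d: int):
        self.n, self.e, self._d = n, e, d

    def sign(self, challenge: bytes, pin_prompt=None) -> int:
        return rsa_sign(self._d, self.n, challenge)

class CardKey:
    """Handle-only identity: the agent stores HOW to use the key, not the key."""
    holds_private = False

    def __init__(self, card: Card):
        self.card, self.n, self.e = card, card.n, card.e

    def sign(self, challenge: bytes, pin_prompt) -> int:
        # The PIN is asked at signing time, where the passphrase prompt would be.
        if pin_prompt is None or not self.card.login(pin_prompt()):
            raise PermissionError("wrong or missing PIN")
        return self.card.sign(challenge)

class Agent:
    """Keyring that serves both identity kinds through one sign request."""
    def __init__(self):
        self._keys = {}

    def add(self, key) -> str:
        fp = fingerprint(key.n, key.e)
        self._keys[fp] = key
        return fp

    def list_identities(self) -> dict:
        return {fp: (k.n, k.e) for fp, k in self._keys.items()}

    def sign_request(self, fp: str, challenge: bytes, pin_prompt=None) -> int:
        return self._keys[fp].sign(challenge, pin_prompt)

    def private_material_in_process(self) -> list:
        return [fp for fp, k in self._keys.items() if k.holds_private]

def demo():
    """One file key and one card key signing the same constructed challenge."""
    agent = Agent()
    fp_file = agent.add(MemoryKey(*toy_keypair((1 << 127) - 1, (1 << 521) - 1)))
    card = Card("1234", *toy_keypair((1 << 89) - 1, (1 << 607) - 1))
    fp_card = agent.add(CardKey(card))
    challenge = b"constructed server challenge"
    sigs = {fp_file: agent.sign_request(fp_file, challenge),
            fp_card: agent.sign_request(fp_card, challenge, pin_prompt=lambda: "1234")}
    pub = agent.list_identities()
    all_verify = all(rsa_verify(*pub[fp], challenge, s) for fp, s in sigs.items())
    return all_verify, agent.private_material_in_process() == [fp_file]

if __name__ == "__main__":
    print(demo())
```

Running the block signs once with each identity and reports that both signatures verify against the public halves the agent lists, while only the file-based fingerprint shows up as private material held in the agent process. A wrong PIN fails the request and burns one retry on the card, which is the behaviour a real token gives you for free and the reason Damien prefers signing on the card over copying the key out of it.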
On Tue, 17 Oct 2000, Tommaso Cucinotta wrote:

> Hi all,
>
<snip>
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.
<snip>

There's a guy here at CSC.fi that has implemented a system which
allows users to use their 'social-security card' that is now starting
to get out to people here in Finland. The card has some keys on it,
and they are then used to authenticate the user.

The patches you can get from there are against ssh-1.2.25, but you'll
get the general idea from there...

Have fun :)

Here's the URL:

http://www.csc.fi/~jmaki/fineid/

Harald H Hannelius | Harald at iki.fi | GSM +358405470870
> From: Damien Miller <djm at mindrot.org>
> To: Tommaso Cucinotta <t.cucinotta at sssup.it>
> Cc: Markus Friedl <markus.friedl at informatik.uni-erlangen.de>,
>     openssh-unix-dev at mindrot.org, carl at bl.echidna.id.au
> Subject: Re: Smartcards & SSH
> X-Paranoia: just because you're paranoid doesn't mean they aren't out to get you
> MIME-Version: 1.0
> Status: RO
>
> On Wed, 18 Oct 2000, Tommaso Cucinotta wrote:
>
> > > i don't understand what you exactly want...
> >
> > What I meant is that I'd like not to have separate
> > applications to start for smartcard-aware SSH and "normal"
> > file-based SSH.
> >
> > I would prefer a solution that allows a user to launch
> > his ssh-agent, then ssh-add a smartcard's key (just tell
> > the agent HOW to use the key with the SC, not giving
> > the key to the agent itself), and use ssh in the usual
> > way, except that I should enter the smartcard's PIN instead
> > of the private key's passphrase.
> >
> > So the problem is: is there anybody out there who can give me
> > hints/suggestions about
> >
> > 1. how to incorporate a sort of "modularity" in SSH Agent, in
> >    such a way that it uses "cryptographic modules" to make
> >    authentication, independently of the way such modules
> >    operate (it seems that the separation between ssh and
> >    ssh-agent wants to achieve just this, but now I have
> >    this problem of the "agent modularity"). Maybe
> >    PKCS#11 is a (Netscape-like) reasonable solution ?
>
> PKCS11 is how you would talk to the smartcards, you also need
> to modify ssh-agent so it knows which keys are in memory and
> which keys can be accessed through pkcs11.
>
> Do you want to use the card as a keystore, or do you want
> to sign challenges on the card?
>
> > 2. how could PAM be used to achieve the task. Does ssh-agent,
> >    by now, use PAM at all ? Is there a way to use PAM to
> >    achieve the agent's modularity ?
>
> No - PAM deals with system authentication and knows nothing about
> crypto keys. There has been talk of a PAM module that does RSA
> authentication, but I haven't seen it yet.
>
> > 3. What is a PAM radius agent and a SecurID token (I refer
> >    to "carl at bl.echidna.id.au"'s message) ?
>
> SecurID is a token based one-time-password system. The PAM radius
> module is used to talk to the proprietary SecurID server.
>
> BTW where can I find this PAM radius module? The docs on the one I
> have say that it only does RADIUS accounting.

http://www.freeradius.org/pam_radius_auth/

If you're using it with (for example) SecurID, you need to hack it to
put the radius packet session sequence number into a file (and lock it,
and atomically update it etc.) - the original just makes up a sequence
number 'at random', but as the range is only 0..255, collisions (and
therefore failed logins) are quite possible.

Carl
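Carl's last point, as an added example rather than code from pam_radius_auth or FreeRADIUS: the RADIUS Identifier is one octet, so with several PAM sessions picking it 'at random' the birthday bound makes a clash (and so a rejected login) likely well before 256 concurrent requests, and the fix he describes is a counter that is locked while read and updated atomically. The file layout below (a value file with sidecar `.lock` and `.tmp` files in the same directory) is this sketch's own assumption; the 8-bit range is from the protocol.

```python
"""RADIUS request identifiers: a random 8-bit value collides under
concurrent logins; a locked, atomically updated counter does not.

Added example, not code from pam_radius_auth or FreeRADIUS. Only the
one-octet Identifier field is taken from the protocol; the counter-file
layout (value file plus .lock and .tmp beside it) is an assumption."""
import fcntl
import os
import random
import tempfile

ID_SPACE = 256  # the RADIUS Identifier is a single octet


def collision_probability(concurrent: int) -> float:
    """Exact chance that at least two of `concurrent` random ids coincide."""
    p_distinct = 1.0
    for i in range(concurrent):
        p_distinct *= (ID_SPACE - i) / ID_SPACE
    return 1.0 - p_distinct


def simulate_random_ids(concurrent: int, trials: int, seed: int = 1) -> float:
    """Monte-Carlo estimate of the same thing: ids picked 'at random'."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ids = [rng.randrange(ID_SPACE) for _ in range(concurrent)]
        hits += len(set(ids)) != len(ids)
    return hits / trials


def next_identifier(counter_path: str) -> int:
    """Hand out the next id, serialised across processes.

    An exclusive flock on a sidecar file keeps two PAM sessions from
    reading the same value; the incremented value goes to a temp file
    that is fsynced and renamed over the old one, so a crash mid-write
    leaves either the old or the new counter, never a torn file."""
    with open(counter_path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # released when `lock` closes
        try:
            with open(counter_path) as f:
                current = int(f.read().strip() or 0) % ID_SPACE
        except FileNotFoundError:
            current = 0
        tmp_path = counter_path + ".tmp"
        with open(tmp_path, "w") as f:
            f.write(str((current + 1) % ID_SPACE))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, counter_path)
        return current


def demo(requests: int = 300) -> dict:
    """Draw `requests` ids from a fresh counter in a temporary directory."""
    counter_path = os.path.join(tempfile.mkdtemp(), "radius_id")
    ids = [next_identifier(counter_path) for _ in range(requests)]
    return {
        "ids": ids,
        "first_256_distinct": len(set(ids[:256])) == 256,
        "wraps_after_256": ids[256] == ids[0],
        "p_collision_10_random": collision_probability(10),
    }


if __name__ == "__main__":
    r = demo()
    print("10 concurrent random ids collide with p =",
          round(r["p_collision_10_random"], 3))
    print("counter gives 256 distinct ids before wrapping:",
          r["first_256_distinct"])
```

Ten sessions choosing identifiers at random already collide roughly one time in six, which matches the failed logins Carl saw. The counter removes that for anything under 256 requests in flight; past that the octet wraps and reuse is unavoidable, which is a limit of the protocol field rather than of the locking. `flock` only serialises processes on the same host, so the counter file must be local to the machine running the PAM module, not on a shared filesystem.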