Hi all,
a modified version of the OpenSSH client programs
has been released on the Smart Sign Web Site
http://smartsign.sourceforge.net
that uses Muscle Card Edge technology. It directly
generates an OpenSSH private key onto a JavaCard
2.1.1 compliant smart card (using the CardEdge key generation
facility) and uses it from the card itself.
The private key can never be compromised after generation!
The code has been integrated into the OpenSSH sources so
as to allow normal OpenSSH behaviour. Smartcards are used
only if required by the user, via special command line
options.
This package has been compiled and tested on the Win2K platform,
too (using Cygwin).
Feedback is welcome!
Details follow. Bye,
Tommaso.
----------
SUMMARY OF CHANGES:
- Requires PCSC-Lite, a PCSC reader driver and the
  MuscleCard API Toolkit (it also requires a smart
  card reader and its driver for PCSC-Lite, and
  a JavaCard-2.1.1 compliant smart card with
  the Card Edge Applet already pre-loaded).
- Enabling the Card Edge module during configuration:
    ./configure --with-musclecard=path (defaults to /usr/local)
- Building the modified programs:
  . make ssh-agent
  . make ssh-add
  . make ssh-keygen
  (you can also try a single make)
  ** DO NOT TRY TO BUILD OTHER OPEN-SSH PROGRAMS, PLEASE **
  ** On Windows, type make ssh-agent.exe, ...
- ssh-agent
  . Launch as usual; here you don't need anything special
- ssh-add
  . Launch with the '-sc' option to add the smartcard
    identity: you will be prompted for the smartcard PIN
  . Launch as usual to add other (file) identities
  . Use 'ssh-add -L' to view all the loaded identities
    (including the SC one)
  . After adding the identity, use the NORMAL ssh client
    to connect to a remote server using the
    smartcard
- ssh-keygen
  . Launch with the '-t rsa-sc' option to generate a
    keypair and store it on the smartcard. Please note
    that after key generation the program will fail,
    but the key generation/storing process will be fine.
    Try 'eval `./ssh-agent`; ssh-add -L' to view the
    new identity's public information
  . Launch as usual to generate file-based key pairs.
  . Sorry, this is really unfinished yet. I couldn't
    figure out how to embed the key generation process
    in the OpenSSH framework...
- Customizing behaviour
  This module uses the card PIN and the public and private key
  numbers as specified in the file rsa_sc.c, under the
  "Customization options" section. You can change their
  values if you need to.
- Note
  This module does not use any certificates for key
  management.
- For further information, please refer to the SmartSign
  mailing list:
  smartsign-users at lists.sourceforge.net
--
/-------------------------------------------------\
| Dr. Tommaso Cucinotta <t.cucinotta at sssup.it> |
+-------------------------------------------------+
| Scuola Superiore di Studi Universitari         |
| e Perfezionamento S.Anna                        |
| Pisa, Italy                                     |
\-------------------------------------------------/