[[Sending again, as for some strange reason it is not accepted]]

Hello OpenSSH developers,

I maintain an external patch for PKCS#11 smartcard support in OpenSSH [1]; many users already apply and use this patch.

I wish to know if anyone is interested in working toward merging this into mainline.

I had some discussion with Damien Miller, but then he disappeared.

Having a standard smartcard interface will enable many users to have a more secure environment, without the need to acquire a card from a specific vendor.

In order to merge it cleanly, we should also discuss a modification of the agent protocol. As smartcards are dynamic in nature, there should be an option for the agent to ask the caller to provide information, for example "Insert token <xxx>" or "Please enter passphrase for token <xxx>". The current implementation does not modify the agent protocol but executes the dialog from within the agent.

Best Regards,
Alon Bar-Lev

[1] http://alon.barlev.googlepages.com/openssh-pkcs11

Yeah, it would be very useful to have a pkcs11 interface out of the box, so I could pkg_add opensc on a fresh OpenBSD box and use a smart card for authentication. This patching thing is overkill. Why not incorporate it into OpenSSH? pkcs11 is an open standard and the patch is BSD licensed, right?

On 9/25/07, Richard Storm <storm.richard at gmail.com> wrote:
> Yeah, it would be very useful to have a pkcs11 interface out of the box,
> so I could pkg_add opensc on a fresh OpenBSD box and use a smart card for
> authentication.
> This patching thing is overkill.
> Why not incorporate it into OpenSSH? pkcs11 is an open standard and
> the patch is BSD licensed, right?

Yes. The patch and the pkcs11-helper library are both BSD licensed.

Alon.

On Tue, Sep 25, 2007 at 08:33:44 +0300, Alon Bar-Lev wrote:
> [[Sending again, as for some strange reason it is not accepted]]
>
> Hello OpenSSH developers,
>
> I maintain an external patch for PKCS#11 smartcard support in
> OpenSSH [1]; many users already apply and use this patch.
>
> I wish to know if anyone is interested in working toward merging this
> into mainline.
>
> I had some discussion with Damien Miller, but then he disappeared.
>
> Having a standard smartcard interface will enable many users to have
> a more secure environment, without the need to acquire a card from a
> specific vendor.
>
> In order to merge it cleanly, we should also discuss a modification
> of the agent protocol. As smartcards are dynamic in nature, there
> should be an option for the agent to ask the caller to provide
> information, for example "Insert token <xxx>" or "Please enter
> passphrase for token <xxx>". The current implementation does not modify
> the agent protocol but executes the dialog from within the agent.
>
> Best Regards,
> Alon Bar-Lev
>
> [1] http://alon.barlev.googlepages.com/openssh-pkcs11

Due to HSPD-12, US government agencies are switching to the use of smartcards for authentication. (Some agencies have already made this transition.) Presumably any improvements in the smartcard support that OpenSSH offers would be useful.

--
Iain Morgan

Iain Morgan wrote:
> Due to HSPD-12, US government agencies are switching to the use
> of smartcards for authentication. (Some agencies have already
> made this transition.) Presumably any improvements in the
> smartcard support that OpenSSH offers would be useful.

Another way to do this, especially with HSPD-12 PIV cards, is via Kerberos. Over the last few years, I have been working on the combination of kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC PKCS#11. OpenSC has support for the PIV cards.

http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV

With this combination there are no changes to SSH, as it would use the existing Kerberos via GSS.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Hello,

On 9/25/07, Douglas E. Engert <deengert at anl.gov> wrote:
> Another way to do this, especially with HSPD-12 PIV cards, is via Kerberos.
> Over the last few years, I have been working on the combination of
> kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate
> to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC
> PKCS#11. OpenSC has support for the PIV cards.

Kerberos is a single point of failure in terms of availability and security. Even if Kerberos is a good solution for one domain network, how can you access foreign networks? And even if you Kerberos the whole world... How can you securely access the Kerberos KDC when the KDC is down?

Just like OpenSSH can access file based keys, it should be able to use smartcard based keys, and PKCS#11 is the common interface to access smartcards.

Best Regards,
Alon Bar-Lev.

Alon Bar-Lev wrote:
> Hello,
>
> On 9/25/07, Douglas E. Engert <deengert at anl.gov> wrote:
>> Another way to do this, especially with HSPD-12 PIV cards, is via Kerberos.
>> Over the last few years, I have been working on the combination of
>> kinit or pam_krb5 with Heimdal or MIT Kerberos using PKINIT to authenticate
>> to a KDC: Heimdal, MIT or AD. The Kerberos client would use the OpenSC
>> PKCS#11. OpenSC has support for the PIV cards.
>
> Kerberos is a single point of failure in terms of availability and security.
> Even if Kerberos is a good solution for one domain network, how can
> you access foreign networks?
> And even if you Kerberos the whole world... How can you securely
> access the Kerberos KDC when the KDC is down?
>
> Just like OpenSSH can access file based keys, it should be able to use
> smartcard based keys, and PKCS#11 is the common interface to access
> smartcards.

I was responding to the poster who said he was interested in using PIV cards. Based on the name of his organization, I know that they are looking at using the PIV cards with Kerberos and Active Directory, so I offered an alternative way to use OpenSSH with Kerberos. This is not to say that it's the only way. Adding your mods would be another.

> Best Regards,
> Alon Bar-Lev.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Hello OpenSSH developers,

Please respond; a reject is also a valid response...

For the last year or so, I have not received any formal response.

Please note that, for example, Red Hat [1] is patching OpenSSH with NSS to work with PKCS#11, which is a *HUGE* overhead and overcomplex. This is required functionality, and having each distribution introduce its own solution is not a good solution for the end users.

Best Regards,
Alon Bar-Lev.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=186469

On 9/25/07, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> [[Sending again, as for some strange reason it is not accepted]]
>
> Hello OpenSSH developers,
>
> I maintain an external patch for PKCS#11 smartcard support in
> OpenSSH [1]; many users already apply and use this patch.
>
> I wish to know if anyone is interested in working toward merging this
> into mainline.
>
> I had some discussion with Damien Miller, but then he disappeared.
>
> Having a standard smartcard interface will enable many users to have
> a more secure environment, without the need to acquire a card from a
> specific vendor.
>
> In order to merge it cleanly, we should also discuss a modification
> of the agent protocol. As smartcards are dynamic in nature, there
> should be an option for the agent to ask the caller to provide
> information, for example "Insert token <xxx>" or "Please enter
> passphrase for token <xxx>". The current implementation does not modify
> the agent protocol but executes the dialog from within the agent.
>
> Best Regards,
> Alon Bar-Lev
>
> [1] http://alon.barlev.googlepages.com/openssh-pkcs11

Hi!

Actually yes, first rejects were sent and fixed [1]. Waiting for the next pass.

Alon.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=1371

On 5/4/08, David Smith <dds at google.com> wrote:
> Ping. It's been a while, but any progress on this?
>
> On 2008/02/26 (Tue) 16:35:37, Alon Bar-Lev wrote:
>
>> On 2/26/08, Peter Stuge <stuge-openssh-unix-dev at cdy.org> wrote:
>>> Just a note to say that I've pushed the question to a friend of mine
>>> who knows OBSD hardware crypto people.
>>
>> Thanks!
>> Is there anything I can do to push this further?
>> Is something missing? Need some more information?
>>
>> Alon.
>
> --
> man perl | tail -6 | head -2

On Sun, May 04, 2008 at 08:25:20AM +0300, Alon Bar-Lev wrote:
> Actually yes, first rejects were sent and fixed [1].

Good comments.

Damien, my take on this is that as much as possible (everything) should go into upstream OpenSSH. PKCS#11 should be nothing special for -portable.

//Peter