On 06.01.2010, at 5:46, openssh-unix-dev-request at mindrot.org wrote:
> OpenSSH daemon security bug?

If you find passwords and/or password-protected keys not secure, I would suggest using private keys on a smart card. There's a bug (with patches) related to smart cards: https://bugzilla.mindrot.org/show_bug.cgi?id=1371

I don't think that guessing about the protection of the private keys would make any sense. You can only be sure if you know that the private part of a keypair is well protected. Hints from the client can't be trusted either.

PKCS#11 is a well-known, mature interface for interacting with cryptographic objects; there has been a patch for OpenSSH out there for years, but no interest whatsoever to integrate it. Instead, OpenSSH directly links, in an incomplete way, against libopensc (OpenSC). OpenSC does not encourage linking against libopensc unless there is a reason to do it, which OpenSSH does not seem to have. It also limits OpenSSH smartcard support to only the set of cards supported by OpenSC (there are more PKCS#11 libraries out there).

Martin, OpenSC dev.

-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
I thought the pkcs11 patches were already in. What's the hold up? Is it the PIN caching, separation into an agent, or something else?
On Wed, Jan 06, 2010 at 07:40:22AM -0500, Jim Rees wrote:
> I thought the pkcs11 patches were already in. What's the hold up? Is it
> the PIN caching, separation into an agent, or something else?

Last time I checked there were some issues, including the size of the patches, and that PKCS#11 support should replace both the old OpenSC and OpenBSD-only (#define SMARTCARD) code. The obsolete code should go away. Moreover, -# is a poor choice for a command line option; the problems with the agent protocol have not been resolved, etc. I'll try to work on this during the next weeks, but right now I don't have working PKCS#11/smartcard gear on OpenBSD.

-m
Seemingly Similar Threads
- Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
- Smart cards, mostly solved
- [Bug 1160] OpenSSH should use libopensc.pc instead of opensc-config
- ssh-agent add PKCS#11 support