Hello,

The version 0.11 of "PKCS#11 support in OpenSSH" is published.

Changes:
1. Updated against OpenSSH 4.3p2.
2. Modified against Roumen Petrov's X.509 patch (version 5.4), so self-signed certificates are now treated by the X.509 patch.
3. Added --pkcs11-x509-force-ssh if the X.509 patch is applied, until some issues with the X.509 patch are resolved.
4. Fixed issues with gcc-2.

You can grab the new version from http://alon.barlev.googlepages.com/openssh-pkcs11.

I will be glad to receive any feedback regarding this patch, so I will be able to adjust it closer to requirements, and extend the support for non-agent usage.

The PKCS#11 support is provided by a pkcs11-helper implementation which is common to OpenVPN and QCA (Qt Cryptographic Architecture for KDE 4.0) and may be used by many other projects; one example is this patch for OpenSSH, and there is also initial support for xsupplicant and wpa_supplicant.

Best Regards,
Alon Bar-Lev.

---

Instructions:

The PKCS#11 patch modifies ssh-add and ssh-agent to support PKCS#11 private keys and certificates. It allows using multiple PKCS#11 providers at the same time, selecting keys by id, label or certificate subject, handling card removal and card insert events, handling card re-insert into a different slot, and supporting session expiration.

A valid X.509 certificate should exist on the token; without X.509 support it is exported as a regular RSA key. There is a simple utility Timo Felbinger wrote (http://www.timof.qipc.org/x509toOpenSSH.c) that extracts the SSH public key from an X.509 certificate.

If you want X.509 support, apply the X.509 (>=5.4) patch *AFTER* the PKCS#11 patch.

One significant change is that the ssh-agent prompts for passwords now... So you need to configure it with a program that asks for card insert or PIN, such as x11-ssh-askpass. The current implementation (ssh-add asks for passwords) is not valid for a dynamic smartcard environment.

The current implementation uses the askpin program also for prompting for card insert...
Don't be confused, it only expects ok or cancel; attached is a simple script that uses KDE and .NET in order to display these dialogs.

You can view full usage by:

$ ssh-agent /bin/sh
$ ssh-add -h

A common scenario is the following:

$ ssh-agent /bin/sh
$ ssh-add --pkcs11-ask-pin `which openssh-kde-dialogs.sh`
$ ssh-add --pkcs11-add-provider --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
$ ssh-add --pkcs11-add-id --pkcs11-slot-type label --pkcs11-slot "MyToken" --pkcs11-id-type subject --pkcs11-id "/C=XX/CN=YY"
$ ssh myhost

In order to see the available objects, you can use:

$ ssh-add --pkcs11-show-slots --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
$ ssh-add --pkcs11-show-objects --pkcs11-provider /usr/lib/pkcs11/MyProvider.so --pkcs11-slot 0

--
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/