This is a discussion on Re: PKCS#11 support for openssh within the OpenSSH Development forums, part of the Networking and Network Related category.
Dan C wrote:
> Alon, that's great - thank you for the update. It works perfectly in
> keeping with the old OpenSC support, but with the added flexibility of
> being able to use _any_ available PKCS#11 provider. A good improvement I
> feel.
>
> My only remaining thoughts echo that of Andreas's, in that it would be
> useful to have "direct" ssh(1) support. For both the ease of being able
> to choose i.e. "ssh -I0 <host>" when you wish, as well as being able to
> hardset options to use card auth for specified hosts in ssh_config(5).
>
> Please feel free to pass my comments on to the list/Roumen/Andreas and
> by all means throw any further testing my way.
>
> Regards,
> Dan

Hello Dan,

I am glad that all works!

I agree that there should be a simple way to use ssh with smartcard support... But I don't like the current implementation in which the code is written twice, once for the agent and second for the ssh.

I think that ssh should always use the agent, and if not available execute it (Or convert the agent to a library). Then ssh can read the config file and add identities as if the agent is external. This way the private key handling will be implemented in one place....

When I get some kind of positive response from the openssh developers, I will discuss what the user interface of the PKCS#11 support should be and implement a more friendly interface.

Best Regards,
Alon Bar-Lev.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev