Bugzilla – Attachment 1477 Details for Bug 1371: Add PKCS#11 (Smartcards) support into OpenSSH
Attachment 1477: 2000_all_pkcs11-docs.patch
Description: 2000_all_pkcs11-docs.patch
MIME Type: text/plain
Creator: Alon Bar-Lev
Created: 2008-03-31 20:20:03 AEDT
Size: 5.44 KB
Flags: patch, obsolete
>[PATCH] PKCS#11 Documentations > >Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> > >--- > >diff -urNp dd/ChangeLog.pkcs11 docs/ChangeLog.pkcs11 >--- dd/ChangeLog.pkcs11 1970-01-01 02:00:00.000000000 +0200 >+++ docs/ChangeLog.pkcs11 2008-01-09 14:42:19.000000000 +0200 
>@@ -0,0 +1,109 @@ >+20080331 >+ - (alonbl) Rebase to openssh-4.9. >+ >+20080210 >+ - (alonbl) Fix typeo in add id message. >+ - (alonbl) Release 0.23 >+ >+20080109 >+ - (alonbl) More cleanups. >+ - (alonbl) Add manpages updates. >+ - (alonbl) Release 0.22 >+ >+20080108 >+ - (alonbl) I was not aware of the fact that askpass can be >+ used in the agent environment. >+ The PKCS#11 patch now use the standard ssh-askpass interface. >+ So you must have one available at your system. >+ Removed the prompt-prog argument from ssh-add. >+ - (alonbl) The patch is now a tarball with split patches. >+ - (alonbl) Releae 0.21 >+ >+20071229 >+ - (alonbl) Indent file to meet BSD styles. >+ - (alonbl) Modify parameters (again) to meet BSD styles. >+ I truly regret that I keep modifying the parameters, I believe >+ this is not the last time, as I don't have full cooperation of >+ upstream. >+ Get provider keys: >+ Old: >+ ssh-add --pkcs11-show-ids ... >+ New: >+ ssh-keygen -K provider_info >+ Add key: >+ Old: >+ ssh-add --pkcs11-add-id ... >+ New: >+ ssh-add -I id [session_cache [cert_file]] >+ >+ Agentless operation (not recommended, OpenSC compatibility): >+ New: >+ ssh -# provider_info ... >+ >+ Because I don't wish to add more switches, I added a format >+ for provider information: >+ lib[:prot_auth[:private_mode[:cert_is_private]]] >+ For most implementations specify only the library name. >+ - Rebase with openssh-4.7p1. >+ - (alonbl) Release 0.20 >+ >+20070209 >+ - (alonbl) Fixed typeo in X.509 detection, thanks for "Sandro Wefel". >+ - (alonbl) Release 0.19 >+ >+20070105 >+ - (alonbl) Removed pkcs11-helper since it is now a standalone library. >+ - (alonbl) Default is PKCS#11 support is disabled, to enable configure >+ with --with-pkcs11 >+ - (alonbl) Rebase with openssh-4.5p1. >+ - (alonbl) Release 0.18 >+ >+20061023 >+ - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd. 
>+ - (alonbl) Release 0.17 >+ >+20061020 >+ - (alonbl) Major modification of ssh-add command-line parameters. >+ Now, a complete serialized certificate needs to be specified, this >+ in order to allow people to add id without forcing card to be available. >+ But to allow complete silent addition a certificate file also needed. >+ --pkcs11-show-ids is used in order to get a list of resources. >+ --pkcs11-add-id --pkcs11-id <serialized id> \ >+ [--pkcs11-cert-file <cert_file>] >+ - (alonbl) PKCS#11 release 0.16 >+ >+20061012 >+ - (alonbl) OpenSC bug workaround. >+ - (alonbl) PKCS#11 release 0.15 >+ >+20060930 >+ - (alonbl) Some pkcs11-helper updates. >+ - (alonbl) Rebase against 4.4p1. >+ - (alonbl) PKCS#11 release 0.14 >+ >+20060709 >+ - (alonbl) PKCS#11 fixed handling multiproviders. >+ - (alonbl) PKCS#11 release 0.13 >+ >+20060608 >+ - (alonbl) PKCS#11 modifed to match X.509-5.5 patch, works OK with focing >+ ssh-rsa id. >+ - (alonbl) PKCS#11 removed --pkcs11-x509-force-ssh argument. >+ - (alonbl) PKCS#11 release 0.12 >+ >+20060527 >+ - (alonbl) PKCS#11 fix issues with gcc-2 >+ - (alonbl) PKCS#11 fix issues with openssl-0.9.6 (first) version. >+ - (alonbl) PKCS#11 modified to match X.509-5.4 patch. >+ - (alonbl) PKCS#11 add --pkcs11-x509-force-ssh argument to force ssh id out >+ of X.509 certificate. >+ - (alonbl) PKCS#11 release 0.11 >+ >+20060419 >+ - (alonbl) PKCS#11 fix handling empty attributes. >+ - (alonbl) PKCS#11 release 0.10 >+ >+20060404 >+ - (alonbl) PKCS#11 code sync. >+ - (alonbl) PKCS#11 release 0.09 >+ >diff -urNp dd/README.pkcs11 docs/README.pkcs11 >--- dd/README.pkcs11 1970-01-01 02:00:00.000000000 +0200 >+++ docs/README.pkcs11 2008-01-09 14:41:24.000000000 +0200 
>@@ -0,0 +1,47 @@ >+The PKCS#11 patch modify ssh-add and ssh-agent to support PKCS#11 private keys >+and certificates (http://alon.barlev.googlepages.com/openssh-pkcs11). >+ >+Implementation is based on pkcs11-helper (http://www.opensc-project.org), >+it allows using multiple PKCS#11 providers at the same time, handling card >+removal and card insert events, handling card re-insert to a different slot, >+supporting session expiration. >+ >+A valid X.509 certificate should exist on the token, without X.509 support it is >+exported as regular RSA key. Self-signed certificates are treated as RSA key and >+not as X.509 RSA key. >+ >+If you like X.509 (http://roumenpetrov.info/openssh) support apply the X.509 >+patch AFTER the PKCS#11 patch. You may use -o PubkeyAlgorithms=ssh-rsa in order to >+authenticate to none X.509 servers. >+ >+Please notice that a program such as x11-ssh-askpass must be installed on your system >+to use smartcards with the agent. >+ >+Usage can be printed using the following commands: >+$ ssh-keygen -h >+$ ssh-add -h >+$ ssh -h >+ >+A common scenario is the following: >+$ ssh-agent /bin/sh >+$ ssh-add -K /usr/lib/pkcs11/MyProvider.so >+$ ssh-add -I 'serialized id' >+$ ssh myhost >+ >+In order to see available objects, you can use: >+$ ssh-keygen -K /usr/lib/pkcs11/MyProvider.so >+ >+In order to add id without accessing the token, you must put the certificate in >+a PEM file and use: >+$ ssh-add -I 'serialized id' -1 my.pem >+ >+Agentless configuration is also supported but not recommended, it loads all >+available keys from provider: >+$ ssh -# /usr/lib/pkcs11/MyProvider.so host1 >+ >+In order to debug open two shells: >+1$ rm -fr /tmp/s; ssh-agent -d -d -d -a /tmp/s >+ >+2$ SSH_AUTH_SOCK=/tmp/s; export SSH_AUTH_SOCK; >+2$ [ssh-add]... >+
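Review bot: the new ChangeLog.pkcs11 hunk carries several spelling errors that should be fixed before a documentation-only patch lands: "typeo" in the 20080210 and 20070209 entries, "Releae 0.21" in the 20080108 entry, and "modifed" and "focing" in the 20060608 entry. The 20080108 entry also reads "The PKCS#11 patch now use the standard ssh-askpass interface"; make it "now uses". The 20071229 entry introduces a provider_info format, lib[:prot_auth[:private_mode[:cert_is_private]]], and a positional add-key synopsis, ssh-add -I id [session_cache [cert_file]]; neither matches what the README in the same patch shows (only a bare library path, and -1 my.pem for the certificate file), so one of the two files needs updating so that the documented interface is consistent.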
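Review bot: the debugging recipe in the new README.pkcs11, "rm -fr /tmp/s; ssh-agent -d -d -d -a /tmp/s", binds the agent socket at a fixed, predictable name in world-writable /tmp, so any other local user can pre-create /tmp/s or a symlink there and the rm -fr plus bind either clobbers their object or leaves the agent reachable at a path the attacker controls. Suggest creating a private directory first, e.g. "d=$(mktemp -d); ssh-agent -d -d -d -a $d/agent", which matches what ssh-agent already does by default (a mode 0700 directory under /tmp). Two documentation gaps in the same hunk: the common scenario runs "ssh-add -K /usr/lib/pkcs11/MyProvider.so" but -K is only ever described for ssh-keygen (listing objects), so say what ssh-add -K does, and if it makes the agent load the named shared library, warn that anyone who can connect to SSH_AUTH_SOCK can then make the agent load arbitrary code; and "Agentless configuration is also supported but not recommended" gives no reason, so state one. Grammar: "The PKCS#11 patch modify" should be "modifies", "If you like X.509 ... support" should be "If you want", and "none X.509 servers" should be "non-X.509 servers".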