20080424

 - (alonbl) Add scp -# parameter.

20080331

 - (alonbl) Rebase to openssh-4.9.

20080210

 - (alonbl) Fix typeo in add id message.

 - (alonbl) Release 0.23

20080109

 - (alonbl) More cleanups.

 - (alonbl) Add manpages updates.

 - (alonbl) Release 0.22

20080108

 - (alonbl) I was not aware of the fact that askpass can be

   used in the agent environment.

   The PKCS#11 patch now use the standard ssh-askpass interface.

   So you must have one available at your system.

   Removed the prompt-prog argument from ssh-add.

 - (alonbl) The patch is now a tarball with split patches.

 - (alonbl) Releae 0.21

20071229

 - (alonbl) Indent file to meet BSD styles.

 - (alonbl) Modify parameters (again) to meet BSD styles.

   I truly regret that I keep modifying the parameters, I believe

   this is not the last time, as I don't have full cooperation of

   upstream.

   Get provider keys:

   	Old:

		ssh-add --pkcs11-show-ids ...

	New:

		ssh-keygen -K provider_info

   Add key:

	Old:

		ssh-add --pkcs11-add-id ...

	New:

		ssh-add -I id [session_cache [cert_file]]

   Agentless operation (not recommended, OpenSC compatibility):

   	New:

		ssh -# provider_info ...

   Because I don't wish to add more switches, I added a format

   for provider information:

	lib[:prot_auth[:private_mode[:cert_is_private]]]

   For most implementations specify only the library name.

 - Rebase with openssh-4.7p1.

 - (alonbl) Release 0.20

20070209

 - (alonbl) Fixed typeo in X.509 detection, thanks for "Sandro Wefel".

 - (alonbl) Release 0.19

20070105

 - (alonbl) Removed pkcs11-helper since it is now a standalone library.

 - (alonbl) Default is PKCS#11 support is disabled, to enable configure

   with --with-pkcs11

 - (alonbl) Rebase with openssh-4.5p1.

 - (alonbl) Release 0.18

20061023

 - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.

 - (alonbl) Release 0.17

20061020

 - (alonbl) Major modification of ssh-add command-line parameters.

   Now, a complete serialized certificate needs to be specified, this

   in order to allow people to add id without forcing card to be available.

   But to allow complete silent addition a certificate file also needed.

   --pkcs11-show-ids is used in order to get a list of resources.

   --pkcs11-add-id --pkcs11-id <serialized id> \

      [--pkcs11-cert-file <cert_file>]

 - (alonbl) PKCS#11 release 0.16

20061012

 - (alonbl) OpenSC bug workaround.

 - (alonbl) PKCS#11 release 0.15

20060930

 - (alonbl) Some pkcs11-helper updates.

 - (alonbl) Rebase against 4.4p1.

 - (alonbl) PKCS#11 release 0.14

20060709

 - (alonbl) PKCS#11 fixed handling multiproviders.

 - (alonbl) PKCS#11 release 0.13

20060608

 - (alonbl) PKCS#11 modifed to match X.509-5.5 patch, works OK with focing

   ssh-rsa id.

 - (alonbl) PKCS#11 removed --pkcs11-x509-force-ssh argument.

 - (alonbl) PKCS#11 release 0.12

20060527

 - (alonbl) PKCS#11 fix issues with gcc-2

 - (alonbl) PKCS#11 fix issues with openssl-0.9.6 (first) version.

 - (alonbl) PKCS#11 modified to match X.509-5.4 patch.

 - (alonbl) PKCS#11 add --pkcs11-x509-force-ssh argument to force ssh id out

   of X.509 certificate.

 - (alonbl) PKCS#11 release 0.11

20060419

 - (alonbl) PKCS#11 fix handling empty attributes.

 - (alonbl) PKCS#11 release 0.10

20060404

 - (alonbl) PKCS#11 code sync.

 - (alonbl) PKCS#11 release 0.09

The PKCS#11 patch modify ssh-add and ssh-agent to support PKCS#11 private keys

and certificates (http://alon.barlev.googlepages.com/openssh-pkcs11).

Implementation is based on pkcs11-helper (http://www.opensc-project.org),

it allows using multiple PKCS#11 providers at the same time,  handling card

removal and card insert events, handling card re-insert to a different slot,

supporting session expiration.

A valid X.509 certificate should exist on the token, without X.509 support it is

exported as regular RSA key. Self-signed certificates are treated as RSA key and

not as X.509 RSA key.

If you like X.509 (http://roumenpetrov.info/openssh) support apply the X.509

patch AFTER the PKCS#11 patch. You may use -o PubkeyAlgorithms=ssh-rsa in order to

authenticate to none X.509 servers.

Please notice that a program such as x11-ssh-askpass must be installed on your system

to use smartcards with the agent.

Usage can be printed using the following commands:

$ ssh-keygen -h

$ ssh-add -h

$ ssh -h

A common scenario is the following:

$ ssh-agent /bin/sh

$ ssh-add -K /usr/lib/pkcs11/MyProvider.so

$ ssh-add -I 'serialized id'

$ ssh myhost

In order to see available objects, you can use:

$ ssh-keygen -K /usr/lib/pkcs11/MyProvider.so

In order to add id without accessing the token, you must put the certificate in

a PEM file and use:

$ ssh-add -I 'serialized id' -1 my.pem

Agentless configuration is also supported but not recommended, it loads all

available keys from provider:

$ ssh -# /usr/lib/pkcs11/MyProvider.so host1

In order to debug open two shells:

1$ rm -fr /tmp/s; ssh-agent -d -d -d -a /tmp/s

2$ SSH_AUTH_SOCK=/tmp/s; export SSH_AUTH_SOCK;

2$ [ssh-add]...