IETF-SSH archive


smartcard keys and the ssh-agent



Hi,

in the last/current draft of the 'Secure Shell Authentication
Agent Protocol' the only way to add a new key to the ssh-agent is
by sending the private key blob to the agent. If the key is stored
in a smartcard and if it's not extractable this is not possible
(at least if the normal private key blobs for rsa keys etc. are
used). What about adding an additional message to the agent
protocol to deal with hardware keys, for example something like
this:
....
#define SSH_AGENT_ADD_PKCS11_KEY 214

byte    SSH_AGENT_ADD_PKCS11_KEY
uint32  pkcs11 slot id
string  pkcs11 CKA_Id
string  pin
.... 0, 1 or several constraints follow

Another possibility would be to define special private key blobs
for hardware keys containing, for example, the slot id etc.

Comments etc. are welcome

Nils
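
An added example, not part of the message above or of any agent implementation: an agent-side parser for the proposed message that rejects truncated input and oversized length fields. It assumes the usual SSH wire encodings for uint32 (big-endian) and string (uint32 length followed by the bytes); the struct, the function names and the sample bytes are hypothetical, and the constraints are left unparsed because their format is not given here.

```c
#include <stddef.h>
#include <stdint.h>
#define SSH_AGENT_ADD_PKCS11_KEY 214 /* value proposed in the message above */

/* Hypothetical parsed view; pointers alias the caller's buffer (the PIN is not copied). */
struct pkcs11_add_req {
    uint32_t slot_id;
    const uint8_t *cka_id, *pin, *constraints; /* constraints are left unparsed */
    size_t cka_id_len, pin_len, constraints_len;
};

/* Read a big-endian uint32 at *off; fail if fewer than 4 bytes remain. */
static int get_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;
    const uint8_t *p = b + *off;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    *off += 4;
    return 0;
}

/* Read an SSH string (uint32 length, then bytes); reject lengths past the buffer. */
static int get_string(const uint8_t *b, size_t len, size_t *off, const uint8_t **s, size_t *slen)
{
    uint32_t n;
    if (get_u32(b, len, off, &n) != 0 || n > len - *off) return -1;
    *s = b + *off; *slen = n; *off += n;
    return 0;
}

/* Parse the proposed message; returns 0 on success, -1 if truncated or wrong type. */
int parse_add_pkcs11_key(const uint8_t *b, size_t len, struct pkcs11_add_req *r)
{
    size_t off = 1; /* position after the type byte; off <= len holds throughout */
    if (len < 1 || b[0] != SSH_AGENT_ADD_PKCS11_KEY) return -1;
    if (get_u32(b, len, &off, &r->slot_id) != 0 ||
        get_string(b, len, &off, &r->cka_id, &r->cka_id_len) != 0 ||
        get_string(b, len, &off, &r->pin, &r->pin_len) != 0) return -1;
    r->constraints = b + off; r->constraints_len = len - off;
    return 0;
}

/* Constructed sample: slot 1, CKA_Id = 01 02, pin "1234", no constraints. */
const uint8_t sample_msg[] = { 214, 0,0,0,1, 0,0,0,2, 0x01,0x02, 0,0,0,4, '1','2','3','4' };

int main(void)
{
    struct pkcs11_add_req r;
    return parse_add_pkcs11_key(sample_msg, sizeof sample_msg, &r) ? 1 : 0;
}
```

Since the PIN travels inside the request, an agent handling a message of this shape would want to zero the request buffer once the token login has been attempted.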



