Subject: Re: Adding OpenSSLengine support to libssh2

Re: Adding OpenSSLengine support to libssh2

From: Peter Stuge <peter_at_stuge.se>
Date: Mon, 15 Feb 2010 14:41:24 +0100

Hej Lars,

Lars Nordin wrote:
> I'm planning to use libssh2 for an SSH client. I will use
> smartcards for the private keys, support for the SC is implemented
> as an OpenSSL engine.

Have you taken a look at the OpenSC project?

http://opensc-project.org/

Please join the mailing list.

> Therefore I will add OpenSSL Engine support in libssh2 and also
> make some other changes, like support for an entropy-file (like
> OpenSSH's .rnd file).
..
> My question is if there is anyone who has done any OpenSSL engine
> work previously in libssh2?

Not in libssh2, but I've been with the OpenSC project for some time,
and it has an engine.

Simon Josefsson wrote:
> > Therefore I will add OpenSSL Engine support in libssh2
>
> Hi! Why is that needed? What's wrong with using the SSH agent
> interface for dealing with smartcards?

I agree with Simon. I think the best way would be to use the agent
interface, and adapt or create an SSH agent to support your cards.

OpenSC is basically a generic PKCS#11 driver for many different card
OSes. It also includes PKCS#15 emulation for many (most) cards, which
do not use that layout natively.

There have been patches for many years to add PKCS#11 support into
OpenSSH but there is not quite enough momentum for those patches to
become integrated. Only one hero (Alon Bar-Lev) is really pushing for
the integration and has produced the code although I am sure that
many people would appreciate if it was added.

I think it is slowly on its way, but it would be good to have more
motivated developers help make it happen. The rabbit hole goes over
into OpenBSD also - which is the upstream for OpenSSH-portable, which
is what most of us are running - and PKCS#11 acceptance is, I guess,
slow there.

Maybe you feel committed to *only* maintaining your card driver as an
OpenSSL engine, but I would like to suggest that you move it over
into OpenSC instead. There are already several glue packages to use
OpenSC as p11, engine, CSP, tokend, and more.

//Peter
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-02-15