It would be nice if ssh could easily load extra PKCS#11 modules for use when authenticating. Currently you have to fiddle with modutil to add modules. Attached file adds a new option NSSModule which can be specified several times to add modules. The patch also modifies ssh so that it can start without a NSS database in ~/.ssh. (I sent you a mail about this some time ago, but I didn't get a reply so I'm trying adding a bug instead).
Created attachment 241861 nssmodule.patch
(In reply to comment #0)
> It would be nice if ssh could easily load extra PKCS#11 modules for use when
> authenticating. Currently you have to fiddle with modutil to add modules.
>
> Attached file adds a new option NSSModule which can be specified several times
> to add modules. The patch also modifies ssh so that it can start without a NSS
> database in ~/.ssh.

Seems useful. I'll merge it with the existing nss patch.

> (I sent you a mail about this some time ago, but I didn't get a reply so I'm
> trying adding a bug instead).

I can't find the mail, it must have got lost somehow.
(In reply to comment #2)
>
> I can't find the mail, it must have got lost somehow.
>

I've resent it to you. Please ping me if it still doesn't show up.
Based on the date this bug was created, it appears to have been reported during the development of Fedora 8. In order to refocus our efforts as a project we are changing the version of this bug to '8'. If this bug still exists in rawhide, please change the version back to rawhide. (If you're unable to change the bug's version, add a comment to the bug and someone will change it for you.) Thanks for your help and we apologize for the interruption. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Ping! I sent a reply to the message about testing, but as the bug is still open I'm not sure if it got through. The patched rpm worked fine, so please add this patch to the stable package.
Reping. Is anyone keeping track of these bugs?
Created attachment 369436 updated patch

Updated patch that makes sure everything compiles without warnings or errors.
The patch is applied in openssh-5.3p1-10.fc13, can you test it, please?
Works like a charm.
This functionality will be discontinued due to massive upstream changes in the key handling. There is now pkcs11 support by Alon Bar Lev instead.
Does this mean that Red Hat is abandoning the conversion to NSS? Doesn't seem sane to have two systems in place for smart card integration.
It means that the API changed in openssh 5.4 and until the new patch is done there is no chance to use nss with openssh. There is a new API based on ssh-agent. If you have time to write it, I'll be pleased to add it to the package. I'm sorry but in the next month or two I have no time to develop it.
So this is just a temporary removal, caused by lack of resources? The reason I'm asking is that we hopped on the NSS bandwagon with the hope that there could be some exchange between us and Red Hat for the smart card work. I'm afraid we don't have any resources in the short term to fix the NSS patch, but I will add an internal bug for it and we might end up doing the work first.
(In reply to comment #16)
> So this is just a temporary removal, caused by lack of resources?

Yes

> The reason
> I'm asking is that we hopped on the NSS bandwagon with the hope that there
> could be some exchange between us and Red Hat for the smart card work.
>
> I'm afraid we don't have any resources in the short term to fix the NSS patch,
> but I will add an internal bug for it and we might end up doing the work first.

Thanks