Keith Henrickson <[EMAIL PROTECTED]> writes:
> I use SSH all the time to access a couple of secure systems that are
> accessible ONLY by SSH, and so I would find an SSH client that had
> been modified to fit on a smartcard to be very useful.
> 

As far as I understand it, the ssh client is *not* modified. Instead,
the ISO7xxx filesystem on the card is mounted into the standard
directory tree (say, under /var/smartcard), with a link from your
~home/.ssh/identity to /var/smartcard. ssh then accesses information on the
smartcard transparently, with an independent PIN-entry "popup" on the
controlling tty.

This means your ssh key is not stored on the usual filesystem (and
is not cached, either), but root can still steal it by reading from
the smartcard or by patching the userspace daemon that asks for your
passphrase.

You can't have the RSA calculation done on the smartcard, either (thus
preventing your key from leaving the card).

Regards,
-- 
Jan Iven
Rechenzentrum, Universitaet des Saarlandes
Tel. ++49 +681 302-3623
Fax. ++49 +681 302-4462

***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************