From: Jakub J. <jj...@re...> - 2018-01-09 09:31:56
On Sat, 2018-01-06 at 12:11 +0100, NdK wrote:
> On 05/01/2018 19:01, Bernd Eckenfels wrote:
> > Hello,
> > Did you try scdaemon (scenario 1 with SCd-PKCS11 should work with
> > Firefox)
> > https://github.com/sektioneins/scd-pkcs11/blob/master/README.md
> IIUC that's for GPG to use OpenSC-managed cards.
>
> Practical example. I have a MyEID card where I load a couple of keys
> for web auth (say work portal and CAcert), a key for mail signing
> (X509), a key for SSH access and the 3 GPG keys (DEC, SIG, AUT, and
> possibly the master C key too).
> That's what I could do before problems started (I last tested quite
> some time ago, so it might be a bit fuzzy). IIRC, if I had Firefox open I
> couldn't access any key from other apps (including Thunderbird).
> If I closed FF, then I could sign/decrypt mails in Thunderbird, but
> either with X509 or GPG (Enigmail). And to use SSH I had to close TB,
> too.
>
> Guess what the "normal user" reaction is? "fsck smartcards".
>
> Then an unrelated problem (that probably can't be fixed w/o changing
> a lot of things): CSSH. CSSH opens ssh sessions to a "cluster" of
> machines (I used it with 42 parallel sessions) and allows to send the
> same commands to all the sessions. But if the ssh key is on card (and
> no one else is using it), it's simply too slow to handle such a batch of
> requests and logins time out.

If I am right, this should be possible to handle with ssh-agent, if the initialization and key listing overhead is too large. By loading the card into ssh-agent, the authentication should then be only the signature and therefore significantly faster.

The "caching" from the library's point of view might be problematic, because you need to detect with quite some confidence whether it is still the same card or a different one.

For example, OpenCryptoki uses a client-server model, where the pkcsslotd daemon can monitor and cache whatever is going on with the slot and card, such as watching remove and insert events, and if there are none, just serve what was cached, much faster. It probably has its disadvantages, though.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
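Added example (not part of the thread, and not OpenSC, OpenSSH or Red Hat code) of the ssh-agent approach suggested above: the PKCS#11 module is added to the agent once, so the PIN prompt and the library initialisation happen a single time, and each of the parallel CSSH-style logins costs only one signature on the card. The module path `/usr/lib/opensc-pkcs11.so`, the `PKCS11_MODULE` variable and the function names are assumptions for illustration; the `ssh-add -L` lines used to exercise the parsing are constructed. It relies on OpenSSH printing PKCS#11 keys in `ssh-add -L` with the provider path as the comment field.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from any project
# named in it. Load a PKCS#11 token into ssh-agent once, then let many
# parallel ssh sessions reuse it, so each login costs only a signature on
# the card instead of a full library initialisation plus key enumeration.
#
# Assumptions (not stated in the thread): the OpenSC module lives at
# /usr/lib/opensc-pkcs11.so (override via PKCS11_MODULE) and an agent is
# already reachable through SSH_AUTH_SOCK.

PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"

# agent_has_module MODULE < listing
# Reads the output of `ssh-add -L` from stdin. OpenSSH prints PKCS#11 keys
# with the provider path as the trailing comment, so a line whose last
# field equals MODULE means that token is already loaded. Returns 0 if
# found, 1 otherwise (also 1 for "The agent has no identities.").
agent_has_module() {
  module="$1"
  # compare only the comment field, never a substring of the key blob
  awk -v m="$module" 'BEGIN { found = 1 } $NF == m { found = 0 } END { exit found }'
}

# count_module_keys MODULE < listing
# Prints how many keys from MODULE the agent holds. A card carrying several
# keys (web auth, mail, SSH) shows up as several lines with the same comment.
count_module_keys() {
  module="$1"
  awk -v m="$module" '$NF == m { n++ } END { print n + 0 }'
}

# ensure_module_loaded MODULE
# Adds the token to the running agent only if it is not there yet, so the
# PIN is asked for once here and not once per host.
ensure_module_loaded() {
  module="$1"
  [ -n "$SSH_AUTH_SOCK" ] || { echo "no ssh-agent in SSH_AUTH_SOCK" >&2; return 1; }
  if ssh-add -L 2>/dev/null | agent_has_module "$module"; then
    return 0
  fi
  ssh-add -s "$module"
}

# reload_module MODULE
# The agent does not notice a swapped card by itself: its cached key list
# belongs to the old one. Drop the provider and add it again after a swap.
reload_module() {
  module="$1"
  ssh-add -e "$module" 2>/dev/null || true
  ssh-add -s "$module"
}

# parallel_login CMD HOST...
# Runs CMD on every host concurrently, authenticating through the agent.
# BatchMode=yes makes a host fail fast instead of hanging on a PIN prompt
# that nobody can answer inside a batch; ConnectTimeout bounds slow hosts.
parallel_login() {
  cmd="$1"; shift
  ensure_module_loaded "$PKCS11_MODULE" || return 1
  for host in "$@"; do
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$host" "$cmd" \
      2>&1 | sed "s/^/[$host] /" &
  done
  wait
}

# Usage (interactive shell with an agent running):
#   . ./agent-card.sh
#   parallel_login 'uptime' node01 node02 node03
```

Sourcing the file only defines the functions; nothing talks to the agent until `parallel_login` or `ensure_module_loaded` is called. The `agent_has_module` check is what keeps repeated invocations from asking for the PIN again, and `reload_module` is the manual answer to the "is it still the same card?" problem the reply points out: the agent has no way of telling on its own, so the user drops and re-adds the provider after swapping cards.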