Todd Denniston wrote, On 12/04/2007 04:52 PM:
From what I understood, the change to openssh listed in:
rpm -q --changelog openssh |less
as:
"* Wed Jun 20 2007 Tomas Mraz <tmraz@xxxxxxxxxx> - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
"
was supposed to allow the Common Access Card (CAC) to work with the
shipped Fedora 8 ssh.
As per NSS usual, everything is undocumented, i.e., `ssh-add --help`
does not help at all, and `man ssh-add` points to `ssh-add -s reader`
# ssh-add -s 0
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 0
# ssh-add -s 1
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 1
So does anyone know how to use the possible functionality, or are we
reduced to reading the source?
After a bit of RTFS, I found README.nss which is installed to
/usr/share/doc/openssh-4.7p1/ in FC8.
Trying to use the info in that document gets me:
# ssh -o 'UseNSS yes' otherhost
Failed to initialize NSS library
Permission denied (publickey,keyboard-interactive).
# ssh-add -n
Failed to initialize NSS library
# ssh-keygen -n
Failed to initialize NSS library
cannot find public key in NSS
no idea what
'NSS Token My PKCS11 Token'
'My PKCS11 Token'
or 'My Key ID' are supposed to be set to (how do I match that up with "use the
cac card" or "my common name is"?).
drop back and punt[1] has been called.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter