Jan Pechanec's weblog

I've been working for the past few weeks on a project that should provide X.509 support for server authentication and user public key authentication to SunSSH. At present, I've finished the design document and I also have a prototype version that doesn't have all the requested functionality but works well enough to confirm that it can be implemented according to the current design.[Read More]

We have been hearing complains that SSH is slow on Niagara boxes. I can't say anything else but to confirm it. However, there is a background story and a way to speed it up significantly.[Read More]

A few days ago I was giving an internal presentation here in Prague on new features that were recently integrated into SunSSH. There were quite a few resyncs with OpenSSH, a couple of new options based on ideas that materialized here or ideas of our customers, and also outlined there are some plans for the future.

I put the slides on SunSSH page at OpenSolaris.Org. If you are interested in what's going on around SunSSH, you can read the presentation slides here.

I've updated the recent patch because I was exporting some private attributes from the key store into the RSA structure; and that wasn't needed of course. Now only public attributes are exported and everything else performed in the token.[Read More]

We have received a couple of questions about whether our pkcs#11 engine can reference RSA keys using the label that is associated with the key in the key store. That way we could look up the key by the label and let all the crypto work be done without ever exporting the private key out of the token. [Read More]

Since the last update we found a couple of bugs in the engine.[Read More]

Have you ever wondered how the scp and rcp commands worked? The first time I did I haven't found any documentation on the subject. There is no RFC, no draft, not even README file describing it. After reading the source code I tried again and realized that old version of rcp.c might be really the only original documentation available. And since I worked on a couple of bugs in our scp(1) some time ago I put a note in my todo list to write something about it, for the next time I'm going to need it. [Read More]

There's been some questions recently on how to configure Solaris Secure Shell with Kerberos authentication. There were also some complains that the existing documentation was not sufficient. Well, the reason is that SSH works with Kerberos out of box through gssapi-keyex authentication method, no configuration is needed on SSH side. It is the first auth method used on client side and SSH server supports it be default. So, the only thing that remains is to configure the Kerberos. The setup has just 3 steps including the testing. [Read More]