[Bug 1506] New: rationalize agent behavior on smartcard removal/reattachment
bugzilla-daemon at bugzilla.mindrot.org
Sun Aug 17 00:21:31 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1506
Summary: rationalize agent behavior on smartcard removal/reattachment
Product: Portable OpenSSH
Version: 5.1p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Smartcard
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: dkg at fifthhorseman.net
Created an attachment (id=1559)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1559)
patch to retry smartcard if detached reader/card is detected.
Currently, if you use an OpenSC-supported smartcard with your
ssh-agent, the passphrase is cached while the smartcard is in use (up
until the expiry indicated by the user during ssh-add).
In this situation, if the user removes and re-inserts the
smartcard/reader, the next authentication attempt using the token on
the card will fail because the card had been detached.
However, the *subsequent* attempt to use the card will succeed again,
because the passphrase is still cached, and the agent simply needs to
re-initialize the reader.
This seems like misbehavior to me. Either one of the following
scenarios would make more sense:
0) If the agent notices that the card or reader is missing or had been
detached, it could invalidate the cached information and remove it from
the list of keys, requiring the user to re-add the device to the agent.
or
1) If the agent notices that the card or reader is missing or had been
detached, it could simply scan for the card again, re-initialize it,
and use it again.
Simply put, I can see no reason for the first attempt to use the
detached/reattached device to fail while previous and subsequent
attempts succeed.
I'm attaching a patch that implements resolution (1) above (the agent
notices detachment, and tries a single extra time to re-initialize the
device), though I could see the argument for (0) as well.
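The three behaviours the report contrasts (the current one, resolution (1) retry-once, and resolution (0) forget-the-key) can be modelled without a card reader. The following is an added example, not code from the bug report, its attachment, OpenSSH or OpenSC: it simulates a reader whose card can be pulled and reinserted, an agent that caches the PIN and a session handle, and the three signing strategies. Every name in it (sim_card, agent_token, token_init, agent_sign_reported, run_scenario and the TOK_* codes) is hypothetical; a real agent would clear the PIN with explicit_bzero() and would detect detachment from the library's error code rather than from a generation counter.

```c
/* Added example (not OpenSSH/OpenSC code): a small model of an ssh-agent
 * holding a smartcard session, used to show the three behaviours the bug
 * report describes. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

enum { TOK_OK = 0, TOK_DETACHED = -1, TOK_NO_CARD = -2, TOK_NO_KEY = -3 };

/* Simulated reader/card. "generation" increments on every (re)insertion,
 * so a session opened against an earlier insertion is stale. */
struct sim_card {
    int present;
    unsigned generation;
};

/* What the agent keeps after ssh-add: the card, the cached PIN, and the
 * session it opened (initialized + the generation it was opened against). */
struct agent_token {
    struct sim_card *card;
    char pin[16];           /* cached until expiry; cleared if key is forgotten */
    int have_key;           /* 0 once the agent removes the key from its list */
    int initialized;        /* session open */
    unsigned open_generation;
};

static void card_remove(struct sim_card *c) { c->present = 0; }
static void card_insert(struct sim_card *c) { c->present = 1; c->generation++; }

/* Open a session against whatever card is present now (stands in for the
 * reader re-initialisation the report mentions). */
static int token_init(struct agent_token *t) {
    if (!t->card->present) return TOK_NO_CARD;
    t->initialized = 1;
    t->open_generation = t->card->generation;
    return TOK_OK;
}

/* ssh-add: cache the PIN and open the first session. */
static int agent_add(struct agent_token *t, struct sim_card *c, const char *pin) {
    memset(t, 0, sizeof *t);
    t->card = c;
    snprintf(t->pin, sizeof t->pin, "%s", pin);
    t->have_key = 1;
    return token_init(t);
}

/* One signing operation on the existing session: fails if the card is
 * gone or has been reinserted since the session was opened. */
static int token_sign_once(struct agent_token *t) {
    if (!t->initialized) return TOK_NO_CARD;
    if (!t->card->present) return TOK_DETACHED;
    if (t->card->generation != t->open_generation) return TOK_DETACHED;
    return TOK_OK;
}

/* Behaviour described in the report: a stale session makes this request
 * fail, the session is dropped, and the *next* request re-inits using the
 * cached PIN and succeeds. */
static int agent_sign_reported(struct agent_token *t) {
    int r;
    if (!t->have_key) return TOK_NO_KEY;
    if (!t->initialized && (r = token_init(t)) != TOK_OK) return r;
    r = token_sign_once(t);
    if (r == TOK_DETACHED) t->initialized = 0;
    return r;
}

/* Resolution (1): on detachment, rescan/re-init once and retry once. */
static int agent_sign_retry(struct agent_token *t) {
    int r = agent_sign_reported(t);
    if (r != TOK_DETACHED) return r;
    if ((r = token_init(t)) != TOK_OK) return r;   /* single extra attempt */
    return token_sign_once(t);
}

/* Resolution (0): on detachment, drop the cached PIN and the key so the
 * user must ssh-add the device again. */
static int agent_sign_forget(struct agent_token *t) {
    int r = agent_sign_reported(t);
    if (r == TOK_DETACHED) {
        memset(t->pin, 0, sizeof t->pin);   /* explicit_bzero() in real code */
        t->have_key = 0;
    }
    return r;
}

/* Scenario from the report: sign, pull and reinsert the card, sign twice.
 * Fills out[0..2] with the three results; returns 0 on success. */
static int run_scenario(int (*sign)(struct agent_token *), int out[3]) {
    struct sim_card card = { 1, 1 };
    struct agent_token tok;
    if (agent_add(&tok, &card, "1234") != TOK_OK) return -1;
    out[0] = sign(&tok);
    card_remove(&card);
    card_insert(&card);
    out[1] = sign(&tok);
    out[2] = sign(&tok);
    return 0;
}

int main(void) {
    const char *names[] = { "reported", "retry-once", "forget-key" };
    int (*fns[])(struct agent_token *) =
        { agent_sign_reported, agent_sign_retry, agent_sign_forget };
    for (int i = 0; i < 3; i++) {
        int r[3];
        run_scenario(fns[i], r);
        printf("%-10s: %d %d %d\n", names[i], r[0], r[1], r[2]);
    }
    return 0;
}
```

Running it prints the three result sequences: the reported behaviour gives OK, DETACHED, OK (the one-off failure the report objects to); retry-once gives OK, OK, OK; forget-key gives OK, DETACHED, NO_KEY, after which the cached PIN is gone and the user has to re-add the device. Note that the retry variant deliberately makes only one extra attempt, matching the attached patch's description, so a card that is still absent fails with TOK_NO_CARD rather than looping.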