[Bug 1506] New: rationalize agent behavior on smartcard removal/reattachment

bugzilla-daemon at bugzilla.mindrot.org
Sun Aug 17 00:21:31 EST 2008


           Summary: rationalize agent behavior on smartcard
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Smartcard
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dkg at fifthhorseman.net

Created an attachment (id=1559)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1559)
patch to retry smartcard if detached reader/card is detected.

Currently, if you use an OpenSC-supported smartcard with your
ssh-agent, the passphrase is cached while the smartcard is in use (up
until the expiry indicated by the user during ssh-add).

In this situation, if the user removes and re-inserts the
smartcard/reader, the next authentication attempt using the token on
the card will fail because the card had been detached.

However, the *subsequent* attempt to use the card will succeed again,
because the passphrase is still cached, and the agent simply needs to
re-initialize the reader.

This seems like misbehavior to me.  Either one of the following
scenarios would make more sense:

0) If the agent notices that the card or reader is missing or had been
detached, it could invalidate the cached information and remove it from
the list of keys, requiring the user to re-add the device to the agent.


1) If the agent notices that the card or reader is missing or had been
detached, it could simply scan for the card again, re-initialize it,
and use it again.

Simply put, I can see no reason for the first attempt to use the
detached/reattached device to fail while previous and subsequent
attempts succeed.

I'm attaching a patch that implements resolution (1) above (the agent
notices detachment, and tries a single extra time to re-initialize the
device), though I could see the argument for (0) as well.

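Added example, not part of the original report and not the attached patch or OpenSSH code: a small C model of the behavior described above, comparing the reported behavior with resolutions (0) and (1) on the first two signing attempts after the card is removed and re-inserted. All names (agent_sign, replug, reinit, the policy and result enums) are hypothetical, and doing the re-initialization on the failure path is a modelling assumption.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical model of the agent's card state; not OpenSSH or OpenSC code. */
enum policy { CURRENT, INVALIDATE, RETRY_ONCE };  /* today, option 0, option 1 */
enum result { SIGN_OK, SIGN_FAIL, KEY_REMOVED };

struct agent {
    bool card_present;  /* card and reader physically attached */
    bool handle_valid;  /* agent's open session to the card is usable */
    bool pin_cached;    /* passphrase cached since ssh-add */
    bool key_listed;    /* key still in the agent's key list */
};
/* Removal and re-insertion leaves the agent holding a stale handle. */
static void replug(struct agent *a) { a->handle_valid = false; }
/* Scan for the card again and log in with the cached passphrase. */
static bool reinit(struct agent *a) {
    a->handle_valid = a->card_present && a->pin_cached;
    return a->handle_valid;
}

static enum result agent_sign(struct agent *a, enum policy p) {
    if (!a->key_listed) return KEY_REMOVED;
    if (a->handle_valid) return SIGN_OK;
    switch (p) {                 /* detached card/reader detected */
    case INVALIDATE:             /* option 0: drop cache and key */
        a->pin_cached = a->key_listed = false;
        return KEY_REMOVED;
    case RETRY_ONCE:             /* option 1: a single extra attempt */
        return reinit(a) ? SIGN_OK : SIGN_FAIL;
    default:                     /* reported behavior: fail, recover later */
        reinit(a);
        return SIGN_FAIL;
    }
}

/* Results of the first and second sign attempts after a replug. */
static void after_replug(enum policy p, enum result out[2]) {
    struct agent a = { true, true, true, true };
    replug(&a);
    out[0] = agent_sign(&a, p);
    out[1] = agent_sign(&a, p);
}

int main(void) {
    enum result r[2];
    for (int p = CURRENT; p <= RETRY_ONCE; p++) {
        after_replug((enum policy)p, r);
        printf("policy %d: first=%d second=%d\n", p, r[0], r[1]);
    }
}
```

Under option (0) the key stays unavailable until the user re-adds the device, while option (1) still fails if the card is absent when the single retry runs.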