[Bug 1506] rationalize agent behavior on smartcard removal/reattachment
bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 22 01:46:27 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1506
--- Comment #4 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2008-08-22 01:46:24 ---
Hrm. It looks like when the keys are stored in the agent, they're not
associated with any particular smartcard or reader; I think they're
just marked by Identity.key.flags |= KEY_FLAG_EXT. Is that right?
It also looks like only a single smartcard PIN can be cached by the
agent at once. So a user alternating between two smartcards (or using
two different keys with different PINs on a single smartcard, which is
possible at least on the cryptoFlex eGate) won't be able to use them
properly with a single agent. This is probably a different bug that I
should file separately.
Also, the code for removing identities from the agent is all statically
declared within ssh-agent.c, so it won't be accessible from within
scard-opensc.c.
In light of all this, the best solution to me seems to be to invalidate
*all* hardware-stored keys as soon as any one of them reports a
failure. This should be able to work in conjunction with the above
patch, because the above patch will avoid an error in the common case.
Does this sound right?
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
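To make the proposed policy concrete, here is an added, stand-alone model of it; this is not code from OpenSSH's ssh-agent.c or scard-opensc.c. Only the flag name KEY_FLAG_EXT comes from the comment above; the identity table, the hw_ok parameter that stands in for "the card answered", and every function name are assumptions constructed for the illustration. The point it shows is the one the comment argues for: since the agent records only that a key is external, not which reader it came from, a failure reported for any external key drops every external key while file-based identities stay usable.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed model (not OpenSSH code). KEY_FLAG_EXT is the flag the bug
 * comment names; its value here is arbitrary. */
#define KEY_FLAG_EXT 0x01
#define MAX_IDS 8

struct identity {
    const char *comment; /* human-readable label, as in ssh-add -l */
    int flags;           /* KEY_FLAG_EXT marks a key that lives on hardware */
    int valid;           /* cleared once the agent has dropped the identity */
};

struct agent {
    struct identity ids[MAX_IDS];
    int n;
};

static void agent_add(struct agent *a, const char *comment, int flags) {
    assert(a->n < MAX_IDS);
    a->ids[a->n].comment = comment;
    a->ids[a->n].flags = flags;
    a->ids[a->n].valid = 1;
    a->n++;
}

/* The agent cannot tell which card an external key belongs to, so the
 * conservative reaction to any hardware failure is to drop all of them.
 * Returns the number of identities invalidated. */
static int agent_invalidate_ext(struct agent *a) {
    int dropped = 0;
    for (int i = 0; i < a->n; i++) {
        if (a->ids[i].valid && (a->ids[i].flags & KEY_FLAG_EXT)) {
            a->ids[i].valid = 0;
            dropped++;
        }
    }
    return dropped;
}

/* Simulated sign request. hw_ok (assumed parameter) models whether the
 * card still answers. Returns 1 on success, 0 on failure; a failure on an
 * external key triggers the blanket invalidation above. */
static int agent_sign(struct agent *a, int idx, int hw_ok) {
    struct identity *id;
    if (idx < 0 || idx >= a->n) return 0;
    id = &a->ids[idx];
    if (!id->valid) return 0;               /* already dropped, refuse */
    if ((id->flags & KEY_FLAG_EXT) && !hw_ok) {
        agent_invalidate_ext(a);
        return 0;
    }
    return 1;
}

static int agent_count_valid(const struct agent *a) {
    int n = 0;
    for (int i = 0; i < a->n; i++)
        if (a->ids[i].valid) n++;
    return n;
}

int main(void) {
    struct agent a = {0};
    agent_add(&a, "id_rsa (file)", 0);
    agent_add(&a, "card key A", KEY_FLAG_EXT);
    agent_add(&a, "card key B", KEY_FLAG_EXT);

    printf("sign with card key A, card present: %d\n", agent_sign(&a, 1, 1));
    printf("sign with card key A, card removed: %d\n", agent_sign(&a, 1, 0));
    printf("identities still valid: %d (file key only)\n", agent_count_valid(&a));
    printf("sign with card key B after removal: %d\n", agent_sign(&a, 2, 1));
    return 0;
}
```

The trade-off the model makes visible is that a single missing card also evicts keys from any other card still inserted; that is the cost of not tracking reader identity, and it is why the comment pairs this behaviour with the earlier patch that avoids spurious failures in the common case.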