[Bug 1512] New: Only a single smartcard/PIN is supported by the ssh-agent
bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 22 02:26:27 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1512
Summary: Only a single smartcard/PIN is supported by the ssh-agent
Product: Portable OpenSSH
Version: 5.1p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Smartcard
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: dkg at fifthhorseman.net

Many smartcards are capable of storing multiple PINs and multiple RSA
keys. Some users may also have more than one smartcard in active use
at a given time (though this seems less likely than 2 or more IDs on a
card).

The current smartcard implementation appears to be capable of dealing
with only a single PIN on a single card. While this makes sense for a
single instance of ssh, a long-running ssh-agent connection might
reasonably want to deal with multiple identities or multiple cards.

Also problematic with the agent is that it doesn't associate any given
identity with any particular card or reader. So if a second card or
reader is inserted in the local host (even if it's not used by the
agent), there's a potential for dangerous things like sending the
cached PIN to the wrong card.

I'm afraid I don't have a fix for this behavior at the moment, but I
wanted to raise the issue and create a place for discussion about it.
I think that the right thing would be to adjust the agent (if compiled
with smartcard support) to associate each hardware-based identity with
a specific card and a specific PIN.
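
The association proposed in the report, shown as an added C example that is not OpenSSH code and not written by the reporter: each identity is stored with the card it lives on and its own PIN, and the PIN is released only when the card about to receive it matches. The struct, the function names, and the use of a card serial number as the card identifier are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BINDINGS 8

/* Hypothetical record: one agent identity tied to one card and one PIN. */
struct binding {
    char key_id[32];   /* label of the key held on the card */
    char serial[32];   /* card serial number read when the key was added */
    char pin[16];      /* PIN cached for this identity on this card only */
};

static struct binding table[MAX_BINDINGS];
static int nbindings;

/* Record an identity with its card and PIN. Returns 0, or -1 if it does not fit. */
int bind_identity(const char *key_id, const char *serial, const char *pin)
{
    struct binding *b = &table[nbindings];

    if (nbindings == MAX_BINDINGS || strlen(key_id) >= sizeof b->key_id ||
        strlen(serial) >= sizeof b->serial || strlen(pin) >= sizeof b->pin)
        return -1;
    strcpy(b->key_id, key_id);
    strcpy(b->serial, serial);
    strcpy(b->pin, pin);
    nbindings++;
    return 0;
}

/* Return the PIN for key_id only when the card about to receive it reports
 * the serial recorded at bind time; NULL means "send nothing to this card". */
const char *pin_for(const char *key_id, const char *present_serial)
{
    for (int i = 0; i < nbindings; i++)
        if (strcmp(table[i].key_id, key_id) == 0 &&
            strcmp(table[i].serial, present_serial) == 0)
            return table[i].pin;
    return NULL;
}

int main(void)
{
    /* Constructed sample values: two identities on one card, one on another. */
    bind_identity("work", "SN-1111", "1234");
    bind_identity("personal", "SN-1111", "5678");
    bind_identity("backup", "SN-2222", "9999");
    printf("work on SN-2222: %s\n", pin_for("work", "SN-2222") ? "PIN released" : "refused");
    printf("work on SN-1111: %s\n", pin_for("work", "SN-1111") ? "PIN released" : "refused");
    return 0;
}
```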