[Bug 2430] New: ssh-keygen should allow to login before reading public key from smart card

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jul 16 18:25:21 AEST 2015


            Bug ID: 2430
           Summary: ssh-keygen should allow to login before reading public
                    key from smart card
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Based on our investigation of smart card usability with OpenSSH, we
found several minor problems that were filed in our Red Hat Bugzilla
[1]. The next problem is again with SoftHSM. By default it hides both
the public and private key until you log in to the card. This is not a
rare feature, and it is useful because it protects all the data on the
card from unauthorized access.

Most of the PKCS#11 tools have the ability to log in before performing
an operation with the card. OpenSSH now does so only for the operations
that are generally expected to require a PIN. Doing so would probably
require another switch for ssh-keygen, which is not very convenient (and
there are not many letters left for keygen).

The other possibility would be to fall back to login if keygen does not
find any keys without login -- this would be more transparent for
users, but would possibly hide some keys if at least one were
readable before login.

I am not yet providing a patch here, since this issue requires
consideration of which way to take. It would be great to start a
discussion about the pros and cons of both solutions or to come up with different

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1241873
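
The two approaches discussed in the report, sketched as an added example that is not part of the original message and is not OpenSSH code. It uses a mock token instead of a real PKCS#11 module; `mock_key`, `mock_token`, `list_with_switch`, `list_with_fallback` and the sample tokens are all hypothetical, and `needs_login` stands in for an object that is not visible until login (as with `CKA_PRIVATE` in PKCS#11).

```c
/* Added illustration: a mock token, not OpenSSH or PKCS#11 code. */
#include <stdio.h>
#include <stddef.h>

struct mock_key { const char *label; int needs_login; }; /* ~ CKA_PRIVATE */
struct mock_token { const struct mock_key *keys; size_t nkeys; };

/* Count the public keys an enumeration returns in the given session state. */
static size_t visible_keys(const struct mock_token *t, int logged_in)
{
    size_t i, n = 0;
    for (i = 0; i < t->nkeys; i++)
        if (logged_in || !t->keys[i].needs_login)
            n++;
    return n;
}

/* Option 1: explicit switch, the user decides whether to log in first. */
size_t list_with_switch(const struct mock_token *t, int login_first)
{
    return visible_keys(t, login_first);
}

/* Option 2: enumerate without login, log in only if nothing was found. */
size_t list_with_fallback(const struct mock_token *t, int *did_login)
{
    size_t n = visible_keys(t, 0);
    *did_login = (n == 0);
    return *did_login ? visible_keys(t, 1) : n;
}

/* Constructed sample tokens. */
static const struct mock_key all_hidden_keys[] = { {"user-a", 1}, {"user-b", 1} };
static const struct mock_key mixed_keys[] = { {"open", 0}, {"hidden", 1} };
const struct mock_token all_hidden = { all_hidden_keys, 2 };
const struct mock_token mixed = { mixed_keys, 2 };

int main(void)
{
    int li;
    printf("all hidden, fallback: %zu keys\n", list_with_fallback(&all_hidden, &li));
    printf("mixed, fallback:      %zu keys\n", list_with_fallback(&mixed, &li));
    printf("mixed, login switch:  %zu keys\n", list_with_switch(&mixed, 1));
    return 0;
}
```

On the `mixed` token the fallback never logs in and reports one key, which is the case the report warns about; the explicit switch reports both.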
