[Bug 2652] PKCS11 login skipped if login required and no pin set

bugzilla-daemon at bugzilla.mindrot.org
Sat Feb 24 02:07:47 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #14 from Jakub Jelen <jjelen at redhat.com> ---
(In reply to Daniel Kucera from comment #13)
> (In reply to Jakub Jelen from comment #12)
> > Prompting for the PIN for public key operations is nothing we would
> > like to do automatically, so there really should be some switch to
> > do the login before listing the keys, or the login should be proposed
> > explicitly by, for example, a PIN in the PKCS#11 URI.
> 
> I see two reasonable options here: either to check the return code of
> all functions for CKR_USER_NOT_LOGGED_IN and retry them after login

If you do not see any objects on the card before login, you will not
get any such error so this will not resolve your problem in any way.

> or login always when CKF_LOGIN_REQUIRED is set.

That is not sane default behavior. With most of the cards, certificates
and public keys are visible without login. For the few others, there
should be a configuration option to handle this case, as I initially
proposed in the referenced bug.

> Moreover, not every time you call login with a NULL PIN are you
> required to enter it. In my case the library asks for it only from
> time to time (you can see my use case here:
> https://blog.danman.eu/ssh-autentifikacia-s-eid-obcianskym-preukazom-pod-linuxom/ )
> probably because it keeps the session with the card open.

From the log, it looks like a CardOS V5.0 card, which should also work
with the latest OpenSC.

The PKCS#11 module you are using is probably somehow holding the login
state of your card and presents its own PIN pad in a GUI. That is
certainly not standard behavior of PKCS#11 modules or cards.

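The following is an added model, not code from OpenSSH, OpenSC or either commenter, of the two strategies debated in comments 13 and 14 against a token that hides its objects until login. The three constants carry their real PKCS#11 values; the token struct and its behaviour are constructed to mimic such a card, so a real module would be called through the Cryptoki function list instead.

```c
#include <stdio.h>

/* Real Cryptoki constant values. */
#define CKR_OK                  0x000UL
#define CKR_USER_NOT_LOGGED_IN  0x101UL
#define CKF_LOGIN_REQUIRED      0x004UL   /* CK_TOKEN_INFO.flags bit */

/* Constructed model of a token; hides_objects_until_login mimics the
 * minority of cards discussed in the thread. */
struct token {
    unsigned long flags;          /* CK_TOKEN_INFO.flags */
    int logged_in;
    int hides_objects_until_login;
    unsigned long n_objects;      /* objects that actually exist on the card */
};

/* Model of C_FindObjects: like a real module, an unlisted object is simply
 * absent, so the call succeeds with zero objects rather than failing with
 * CKR_USER_NOT_LOGGED_IN. */
static unsigned long find_objects(const struct token *t, unsigned long *count) {
    *count = (t->hides_objects_until_login && !t->logged_in) ? 0 : t->n_objects;
    return CKR_OK;
}

static unsigned long token_login(struct token *t) { t->logged_in = 1; return CKR_OK; }

/* Comment 13, option 1: log in and retry only when a call reports
 * CKR_USER_NOT_LOGGED_IN. Returns the number of keys seen. */
unsigned long list_keys_retry_on_error(struct token *t) {
    unsigned long n;
    if (find_objects(t, &n) == CKR_USER_NOT_LOGGED_IN) { token_login(t); find_objects(t, &n); }
    return n;   /* the error never arrives, so the hidden keys stay hidden */
}

/* Comment 14: log in before enumeration only when the token advertises
 * CKF_LOGIN_REQUIRED and the user explicitly asked for it (a config
 * switch or a PIN in the PKCS#11 URI), never as an unconditional default. */
unsigned long list_keys_explicit(struct token *t, int login_before_listing) {
    unsigned long n;
    if (login_before_listing && (t->flags & CKF_LOGIN_REQUIRED)) token_login(t);
    find_objects(t, &n);
    return n;
}

int main(void) {
    struct token eid = { CKF_LOGIN_REQUIRED, 0, 1, 3 };   /* constructed card */
    printf("retry-on-error sees %lu keys\n", list_keys_retry_on_error(&eid));
    eid.logged_in = 0;
    printf("explicit login sees %lu keys\n", list_keys_explicit(&eid, 1));
    return 0;
}
```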