[Bug 2652] PKCS11 login skipped if login required and no pin set

bugzilla-daemon at bugzilla.mindrot.org
Tue Feb 27 01:19:43 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #18 from Daniel Kucera <openssh at danman.eu> ---
(In reply to Jakub Jelen from comment #17)
> Sorry, I forgot about the pinpad. For the reader virtual keypad, you
> need to use the patch that I attached to the comment #6 (applied to
> ssh-agent and ssh-pkcs11-provider, which complicates installation).
> 
> It should be still prompting for the pin, but if you just press
> enter, you should get past that and should allow to read the keys,
> if I see right.
> 
> Unfortunately, the ssh-add does not know if there is pinpad at that
> moment so it can not skip this prompt, but needs to send empty
> string in this case.

After applying the patch, it doesn't work with an empty string PIN:

$ ./ssh-add -s /usr/lib/eidklient/libpkcs11_sig_x64.so
Enter passphrase for PKCS#11: 
Could not add card "/usr/lib/eidklient/libpkcs11_sig_x64.so": agent refused operation

but it does with the correct card PIN:

$ ./ssh-add -s /usr/lib/eidklient/libpkcs11_sig_x64.so
Enter passphrase for PKCS#11: 
Card added: /usr/lib/eidklient/libpkcs11_sig_x64.so

$ ./ssh-add -L
ssh-rsa AAAAB3... /usr/lib/eidklient/libpkcs11_sig_x64.so
ssh-rsa AAAAB3... /usr/lib/eidklient/libpkcs11_sig_x64.so
ssh-rsa AAAAB3... /usr/lib/eidklient/libpkcs11_sig_x64.so
