[Bug 2430] ssh-keygen should allow to login before reading public key from smart card

[bugzilla-daemon at bugzilla.mindrot.org]

https://bugzilla.mindrot.org/show_bug.cgi?id=2430

--- Comment #5 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 3130
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3130&action=edit
Try to login, if the first attempt does not return any keys

After discussion in bug #2652, we have a real use case as I proposed
over two years ago and therefore we need to figure out how to solve
this problem (in the #2652 complicated by the use of "pinpad" reader
keyboard).

The initial proposal of introducing a new command line option to both
ssh-keygen and ssh seems too intrusive. The ssh-add does NOT need any
modification, because it already does the login while adding a card (it
is the only time when agent has a PIN). It can be simply verified with
the following reproducer with softhsm2:

$ SOPIN="12345678"
$ echo "directories.tokendir = .tokens/" > .softhsm2.conf
$ mkdir ".tokens"
$ export SOFTHSM2_CONF=".softhsm2.conf"
$ PIN="123456"
$ softhsm2-util --init-token --slot 0 --label "SC test"
--so-pin="$SOPIN" --pin="$PIN"
$ P11LIB="/usr/lib64/pkcs11/libsofthsm2.so"
$ pkcs11-tool --keypairgen --key-type=RSA:2048 --login --pin=$PIN
--module="$P11LIB" --label="test" --id=01 --private
$ pkcs11-tool -O --module=$P11LIB
<<< does not list any objects
$ pkcs11-tool -O --module=$P11LIB --pin=$PIN
<<< lists objects
$ eval `ssh-agent`
$ ssh-add -s /usr/lib64/pkcs11/libsofthsm2.so
$ ssh-add -l
<<< lists the added keys


What needs to be fixed are the ssh and ssh-keygen. As we see, the most
common configurations are cards which have either all the public
objects visible or none of them. The simplest solution that might be
needed for the applications is to try to login, if a card returns zero
keys without it.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.