[Bug 2974] New: PKCS11Provider should support "none"

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Feb 28 11:21:22 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2974

            Bug ID: 2974
           Summary: PKCS11Provider should support "none"
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: imorgan at nas.nasa.gov

Currently, there is no way for users to disable use of PKCS11Provider
if it is set in the system-wide configuration file. This can create
problems when attempting to connect to a system that does not trust the
keys from the smartcard and the card offers too many keys. Adding
support for PKCS11Provider=none would alleviate this issue.

The problem scenario is as follows:

        1) Unconditional use of PKCS11Provider is enabled in the
          system-wide ssh_config file.
        2) A smartcard with multiple keys is left in the reader.
        3) A user attempts to ssh to a system that does not trust any
          of the keys provided by the smartcard.

Under these circumstances, the ssh attempt may fail due to too many
authentication failures.

A similar problem can occur when a user leaves the smartcard in the
reader and cronjobs running as a different user (such as root) attempt
to use ssh to transfer files etc.

Supporting setting PKCS11Provider to "none" would provide a simple way
to avoid these problems. An alternative approach would be to provide
some means to specify the slot to use from the smartcard, and thus
reduce the number of keys offered.

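The override requested in this report, as an added example that is not part of the original message or of OpenSSH's code: a simplified model of ssh_config's "first obtained value wins" lookup (command-line options, then the user file, then the system-wide file), treating "none" the way the report asks for. The module path, host names and function names are constructed for illustration, and `Match` blocks are not modelled.

```python
import fnmatch
import re

# Constructed sample files; the module path and host name are placeholders.
SYSTEM_CONFIG = """\
Host *
    PKCS11Provider /usr/lib/opensc-pkcs11.so
"""
USER_CONFIG = """\
Host backup.example.org
    PKCS11Provider none
"""

def parse(text):
    """Yield (host_patterns, keyword, value); 'Match' blocks are not modelled."""
    patterns = ["*"]  # options before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            patterns = value.split()
        else:
            yield patterns, key, value

def host_matches(host, patterns):
    """A negated pattern ('!name') vetoes the whole Host line."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective_provider(host, *sources):
    """sources in the order ssh reads them: -o options, user file, system file.
    Returns the module path ssh would load, or None when no provider is used."""
    for text in sources:
        for patterns, key, value in parse(text):
            if key == "pkcs11provider" and host_matches(host, patterns):
                return None if value.lower() == "none" else value  # first value wins
    return None

if __name__ == "__main__":
    for h in ("backup.example.org", "login.example.org"):
        print(h, "->", effective_provider(h, USER_CONFIG, SYSTEM_CONFIG))
```

For the cron scenario, passing `"PKCS11Provider=none"` as the first source models an `-o` option on the job's ssh command line.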