[Bug 3006] ssh and ssh-keygen always ask for PIN

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri May 31 18:46:12 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=3006

--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
(In reply to Damien Miller from comment #1)
> So I don't understand what is going wrong here - all the login cases
> I can see occur either inside blocks that test CKF_LOGIN_REQUIRED or
> are in the signature path.
> 
> Is CKF_LOGIN_REQUIRED not a sufficient indicator?

This flag is the source of confusion. It does not say the login is
required for all actions, but for *some* cryptographic functions [1]: 

> True if there are some cryptographic functions that a user MUST be logged in to perform

For most of the cards, the login is not needed for listing public keys
and certificates (for example from ssh-keygen or from pubkey
authentication tries without signature).

> Also, wouldn't reverting the patches mentioned in your email undo
> the changes to support readers with integral pinpads?

No, the support for readers with pinpad is in pkcs11_login() (or in
pkcs11_login_slot() after the patch from bug #2430), which either
defers the login to the pinpad or asks the user for the PIN.

The pkcs11_open_session() should really keep its semantics as described
in the comment above it -- if the pin is null, no login should be
performed.

The issue in bug #2652 was the same issue as in bug #2430
-- the public objects are not visible without login, as shown in the
following comment (the -l switch in pkcs11-tool is a request to log in),
regardless of the pinpad:

https://bugzilla.mindrot.org/show_bug.cgi?id=2652#c11

I hope this is clearer. If not, please ask further.

[1]
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959687

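The login semantics argued for above, as an added illustration that is not OpenSSH code and not part of the bug comment: a constructed mock token (no real PKCS#11 provider is touched) with the CKF_LOGIN_REQUIRED and CKF_PROTECTED_AUTHENTICATION_PATH flag values from the v2.40 spec. The "buggy" open-session variant logs in whenever the token advertises CKF_LOGIN_REQUIRED; the intended variant logs in only when a PIN was supplied and otherwise defers the login (prompt or pinpad) to the signing path. The field names, the hidden-public-objects switch standing in for the bug #2430 style card, and the sample PIN are all assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Token flag bits as defined in PKCS#11 v2.40 (CK_TOKEN_INFO.flags). */
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Constructed mock token; not a real PKCS#11 provider. */
struct mock_token {
	unsigned long flags;      /* CK_TOKEN_INFO.flags */
	bool public_needs_login;  /* assumed: card hides public objects until login (bug #2430 style) */
	int public_keys;          /* number of public-key objects on the card */
	bool logged_in;
	int pin_prompts;          /* times the user was asked to type a PIN */
	int pinpad_logins;        /* times the login was deferred to the reader's pinpad */
};

/* Plays the pkcs11_login() role described in the comment: an explicitly
 * supplied PIN is used silently, a pinpad reader collects the PIN itself,
 * otherwise the user is prompted. */
static bool mock_login(struct mock_token *t, const char *pin)
{
	if (t->logged_in)
		return true;
	if (pin == NULL) {
		if (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH)
			t->pinpad_logins++;   /* reader's pinpad handles the PIN */
		else
			t->pin_prompts++;     /* interactive prompt */
	}
	/* pin != NULL: caller already supplied it, nothing to ask */
	t->logged_in = true;
	return true;
}

/* Intended pkcs11_open_session() semantics: log in only if a PIN is given. */
static bool open_session(struct mock_token *t, const char *pin)
{
	return pin != NULL ? mock_login(t, pin) : true;
}

/* Behaviour reported in the bug: login is attempted whenever
 * CKF_LOGIN_REQUIRED is set, even though no PIN was supplied. */
static bool open_session_buggy(struct mock_token *t, const char *pin)
{
	if (pin != NULL || (t->flags & CKF_LOGIN_REQUIRED))
		return mock_login(t, pin);
	return true;
}

/* Listing public keys/certificates (what ssh-keygen does). On most cards
 * public objects are visible without login; on the hidden-objects card the
 * list stays empty until the user logs in. */
static int list_public_keys(struct mock_token *t)
{
	if (t->public_needs_login && !t->logged_in)
		return 0;
	return t->public_keys;
}

/* Signing is the operation CKF_LOGIN_REQUIRED actually gates, so the
 * login (prompt or pinpad) is deferred until here. */
static bool sign_with_key(struct mock_token *t)
{
	if ((t->flags & CKF_LOGIN_REQUIRED) && !t->logged_in)
		mock_login(t, NULL);
	return t->logged_in || !(t->flags & CKF_LOGIN_REQUIRED);
}

static struct mock_token make_token(unsigned long flags, bool hide_public)
{
	struct mock_token t = { .flags = flags, .public_needs_login = hide_public,
	                        .public_keys = 2, .logged_in = false,
	                        .pin_prompts = 0, .pinpad_logins = 0 };
	return t;
}

/* Scenario: open without a PIN and only list keys. Returns PIN prompts seen. */
static int list_only_prompts(unsigned long flags, bool buggy)
{
	struct mock_token t = make_token(flags, false);
	if (buggy) open_session_buggy(&t, NULL); else open_session(&t, NULL);
	list_public_keys(&t);
	return t.pin_prompts;
}

/* Scenario: open without a PIN, list keys, then sign. Returns PIN prompts seen. */
static int list_then_sign_prompts(unsigned long flags, bool buggy)
{
	struct mock_token t = make_token(flags, false);
	if (buggy) open_session_buggy(&t, NULL); else open_session(&t, NULL);
	list_public_keys(&t);
	sign_with_key(&t);
	return t.pin_prompts;
}

/* Scenario: how many keys a card that hides public objects shows, with and
 * without an explicit login first (the -l / login request case). */
static int keys_visible(bool hide_public, bool login_first)
{
	struct mock_token t = make_token(CKF_LOGIN_REQUIRED, hide_public);
	if (login_first)
		mock_login(&t, "1234");   /* constructed sample PIN */
	return list_public_keys(&t);
}

int main(void)
{
	printf("list only, intended: %d prompt(s)\n", list_only_prompts(CKF_LOGIN_REQUIRED, false));
	printf("list only, buggy:    %d prompt(s)\n", list_only_prompts(CKF_LOGIN_REQUIRED, true));
	printf("list+sign, intended: %d prompt(s)\n", list_then_sign_prompts(CKF_LOGIN_REQUIRED, false));
	printf("hidden objects, no login: %d key(s); after login: %d key(s)\n",
	       keys_visible(true, false), keys_visible(true, true));
	return 0;
}
```

With the intended semantics a plain key listing on a typical CKF_LOGIN_REQUIRED card costs no prompt and the single login happens at signing time (or on the pinpad, with no prompt at all); the buggy variant prompts even for the listing, which is the symptom in the bug title. The hidden-objects scenario shows why bug #2430 needs a login request before public objects appear, independently of pinpad support.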