[Bug 3432] New: ssh-add: Skip PKCS11 pin prompt with TEE identity

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat May 14 01:55:35 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3432

            Bug ID: 3432
           Summary: ssh-add: Skip PKCS11 pin prompt with TEE identity
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-add
          Assignee: unassigned-bugs at mindrot.org
          Reporter: profmaker3 at gmail.com

TEE Identity-based authentication provides functionality to
log in without a pin but using a User or Group identity.
The feature is valuable for embedded devices where there is no
user interaction.

With the TEE Identity authentication, the pin should be empty.

The use case is:
CKTEEC_LOGIN_TYPE=user ssh-add -s /usr/lib/libckteec.so.0

For TEE Identity-based auth pin should be provided as an
empty string. But in the current implementation, if a pin
is empty the message structure will not be populated with
the pin(see sshbuf_put_string). As a result, the error:
"pin required". As a solution add a new line character.

The details about the TEE Identity-based authentication:
OP-TEE/optee_os#4222

The implementation is in the following pull request:
https://github.com/openssh/openssh-portable/pull/318

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list