[Bug 3432] New: ssh-add: Skip PKCS11 pin prompt with TEE identity
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Sat May 14 01:55:35 AEST 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3432
Bug ID: 3432
Summary: ssh-add: Skip PKCS11 pin prompt with TEE identity
Product: Portable OpenSSH
Version: v9.0p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-add
Assignee: unassigned-bugs at mindrot.org
Reporter: profmaker3 at gmail.com
TEE Identity-based authentication provides functionality to
log in without a pin but using a User or Group identity.
The feature is valuable for embedded devices where there is no
user interaction.
With the TEE Identity authentication, the pin should be empty.
The use case is:
CKTEEC_LOGIN_TYPE=user ssh-add -s /usr/lib/libckteec.so.0
For TEE Identity-based auth pin should be provided as an
empty string. But in the current implementation, if a pin
is empty the message structure will not be populated with
the pin(see sshbuf_put_string). As a result, the error:
"pin required". As a solution add a new line character.
The details about the TEE Identity-based authentication:
OP-TEE/optee_os#4222
The implementation is in the following pull request:
https://github.com/openssh/openssh-portable/pull/318
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list