[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Oct 16 10:39:43 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3879

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Created attachment 3914
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3914&action=edit
Link ssh against ssh-pkcs11.o directly

Actually, I think this approach might be better.

ssh-pkcs11-client.c is mostly meant for non-interactive cases. PIN
entry might work if there's a tty around (or ssh-askpass), but it
doesn't have stdin/out attached.

ssh-pkcs11.c has the same API. I think it makes more sense to use this
directly in ssh (and ssh-keygen, which we similarly fixed in 10.2).

We have the -client/-helper system mostly for ssh-agent, where we don't
want a potentially-hostile PKCS11 module added via the agent socket
getting access to ssh-agent's address space, which may contain private
keys.

For ssh this concern doesn't exist, as the PKCS11Provider must be
specified on the command line or in the config file.
