Supporting smartcard readers with PIN entry keypads

Dirk-Willem van Gulik dirkx at webweaving.org
Tue May 6 21:15:02 EST 2014


Folks,

Find below a minor patch to allow the use of smartcards in readers that have their own
PIN entry keypads (Secure PIN entry), such as the SPR332 and most German/medical
chipcard devices.

Tested on Solaris, FreeBSD and MacOSX against various cards and drivers.

I’ve left the pkcs11_interactive check in place. Arguably, with some Secure PIN readers
it may be better to move this check just in front of the keyboard entry only, as some
secure PIN keypads use means that are somewhat suitable to unattended
operation. But I thought it better to wait until an actual use case warrants this
and/or the need for a special flag/argument to control it.

Thanks,

Dw.


diff -ur openssh-6.2p2.orig/ssh-pkcs11.c openssh-6.2p2/ssh-pkcs11.c
--- openssh-6.2p2.orig/ssh-pkcs11.c	2011-09-04 11:59:26.000000000 +0200
+++ openssh-6.2p2/ssh-pkcs11.c	2014-05-06 13:03:15.000000000 +0200
@@ -256,21 +256,29 @@
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 		if (!pkcs11_interactive) {
-			error("need pin");
+			error("need pin entry%s", 
+				(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
 			return (-1);
 		}
-		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
-		    si->token.label);
-		pin = read_passphrase(prompt, RP_ALLOW_EOF);
-		if (pin == NULL)
-			return (-1);	/* bail out */
-		if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin)))
+		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+			verbose("Deferring PIN entry to keypad of chipcard reader.");
+			pin = NULL;
+		} else {
+			snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+			    si->token.label);
+			pin = read_passphrase(prompt, RP_ALLOW_EOF);
+			if (pin == NULL)
+				return (-1);	/* bail out */
+		};
+		if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0))
 		    != CKR_OK) {
-			xfree(pin);
+			if (pin)
+				xfree(pin);
 			error("C_Login failed: %lu", rv);
 			return (-1);
-		}
-		xfree(pin);
+			}
+		if (pin) 
+			xfree(pin);
 		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;
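Review bot: The `};` that closes the `else` branch leaves a stray empty statement, and the brace that closes the `C_Login` error block is now indented one tab deeper than the `if` it closes, so the hunk no longer reads like the surrounding code; drop the semicolon and re-indent that brace (the lines `"need pin entry%s", ` and `if (pin) ` also carry trailing whitespace). The `if (pin) xfree(pin);` is duplicated in the failure and success paths; freeing once right after the call and testing `rv` afterwards removes the duplication and keeps a single cleanup point, as below. A short comment on `pin = NULL;` would help the next reader, e.g. `/* reader keypad collects the PIN: PKCS#11 expects a NULL pPin with ulPinLen 0 */`. The enclosing function starts and ends outside the hunk.
```c
		/* … unchanged: interactive check and PIN prompt / keypad deferral … */
		rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin) : 0);
		if (pin)
			xfree(pin);
		if (rv != CKR_OK) {
			error("C_Login failed: %lu", rv);
			return (-1);
		}
		si->logged_in = 1;
```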
Only in openssh-6.2p2: ssh-pkcs11.o


