Douglas E Engert deengert at
Thu Jul 28 00:26:00 AEST 2016

On 7/25/2016 1:56 AM, Nuno Gonçalves wrote:
> Hi Alon,
> I confirmed with pkcs11-tool (from OpenSC) and I can confirm that
> pressing return when asked for the pin causes the login to stop (and
> not to try a empty pin).
> Can you confirm if a empty pin is actually a valid pin, and if not,
> can the patch be accepted?

By Empty pin do you mean  pPin != NULL && ulPinLen = 0 or do you mean pPin == NULL?

If the card supports CKF_PROTECTED_AUTHENTICATION_PATH (may have a pin pad reader) , the a call to C_Login with pPin = NULL wil use the pin pad reader.

Without CKF_PROTECTED_AUTHENTICATION_PATH I would find it strange if a card would allow a zero length pin. If no pin is needed a C_Login would not be required either the CKS_RO_PUBLIC_SESSION would 
work and the key one wants to use does not require PIN protection. (Does SSH check if the key requires the PIN?)

What return code does C_Login return if you try and use an "empty pin"?

> Once again, the problem is that from a user experience, *some/most*
> users would expect they can skip pkcs11 token authentication just by
> pressing return and trying then other authentication method, like
> password.
> But currently that is not what happens, and users can find out too
> late that they have instead tried a wrong pin too many times and
> locked their token...
> Regards,
> Nuno
> On Fri, Jun 17, 2016 at 10:04 PM, Alon Bar-Lev <alon.barlev at> wrote:
>> On 17 June 2016 at 22:45, Nuno Gonçalves <nunojpg at> wrote:
>>> On Fri, Jun 17, 2016 at 7:57 PM, Alon Bar-Lev <alon.barlev at> wrote:
>>>> On 17 June 2016 at 20:58, Nuno Gonçalves <nunojpg at> wrote:
>>>>> Hi,
>>>>> It seems there is a bug with the pkcs11 feature where a zero-length
>>>>> PIN is accepted. I believe this is a bug, since the user might want to
>>>>> press return when asked for the PIN to ignore that slot/key.
>>>> Hi,
>>>> Empty PIN is valid case, not sure why you want to avoid supporting it.
>>>> Alon
>>> I didn't know it was valid but the reasoning still applies. I don't
>>> really know the standard use cases, but I think it could eventually be
>>> useful for the user, when asked for the PIN, to decide not enter it.
>>> Currently it can only be done by killing ssh. If empty PIN is valid,
>>> but eventually not usual, maybe we should ask if the user really wants
>>> to try a empty pin or just continue to another authentication option?
>> Not sure what best solution, but ignoring empty PIN is the same as
>> ignoring "cancel" or similar constants, which is more explicit.
>> What's wrong with plain <Ctrl>-C, as without PIN there is no use to
>> continue session anyway.
>>> Regarding the CKF_USER_PIN flags, do you think it is a good idea to
>>> implement the warning messages?
>> Most implementations do not support these.
>> Regards,
>> Alon
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at


  Douglas E. Engert  <DEEngert at>

More information about the openssh-unix-dev mailing list