Nuno Gonçalves nunojpg at
Sat Jun 18 03:58:40 AEST 2016


It seems there is a bug with the pkcs11 feature where a zero-length
PIN is accepted. I believe this is a bug, since the user might want to
press return when asked for the PIN to ignore that slot/key.

This is caused at pkcs11_rsa_private_encrypt:

snprintf(prompt, sizeof(prompt),
   "Enter PIN for '%s': ", si->token.label);
pin = read_passphrase(prompt, RP_ALLOW_EOF);
if (pin == NULL)
return (-1); /* bail out */

Actually a zero-length PIN will not cause a NULL to be returned, so it
will still try to authenticate and fail the PIN login!

Also, I think it would be great to support the CKF_* flags to provide
some feedback to the user regarding PIN tries left remaining,
something like this:

if (info.flags & CKF_USER_PIN_COUNT_LOW)
   printf("WARNING: User PIN count low\n");
else if (info.flags & CKF_USER_PIN_FINAL_TRY)
   printf("WARNING: User PIN final try\n");
else if (info.flags & CKF_USER_PIN_LOCKED) /* Maybe we should bail out
here, or just try to continue? */
   printf("WARNING: User PIN reported locked\n");


More information about the openssh-unix-dev mailing list