[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu Nov 17 09:18:26 AEDT 2016
On 11/16/16, 2:11 PM, "openssh-unix-dev on behalf of Juha-Matti Tapio" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jmtapio at ssh.com> wrote:
> The patch does not change any existing functionality. It only adds a
> mechanism that allows users to force providing a pin code even if one
> is not asked by default. Nothing happens if the users do not trigger
> the mechanism and I am not sure why anything would break even if they
> did provide a pin code.

OK, that makes things better.

> > Yes, very valid concern and approach. As I said, *my* concern is avoiding
> > the need to provide a PIN for non-private keys and certs.
>
> If the pin is not provided using our mechanism, then it is NULL and
> C_Login is not called, just as without our patch. So no change there
> to existing behavior.

The mechanism might require some more thinking. But based on the above, I (reluctantly – I still don’t like it) withdraw my objection.