[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Nov 17 09:18:26 AEDT 2016

On 11/16/16, 2:11 PM, "openssh-unix-dev on behalf of Juha-Matti Tapio" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of jmtapio at ssh.com> wrote:
    The patch does not change any existing functionality. It only adds a
    mechanism that allows users to force providing a pin code even if one
    is not asked by default. Nothing happens if the users do not trigger
    the mechanism and I am not sure why anything would break even if they
    did provide a pin code.

OK, that makes things better.

      > Yes, very valid concern and approach. As I said, *my* concern is avoiding
      > the need to provide a PIN for non-private keys and certs.
    If the pin is not provided using our mechanism, then it is NULL and
    C_Login is not called, just as without our patch. So no change there
    to existing behavior.

The mechanism might require some more thinking. But based on the above, I (reluctantly – I still don’t like it) withdraw my objection. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161116/407fd458/attachment.bin>

More information about the openssh-unix-dev mailing list