[PATCH] Readable return codes for pkcs11 identities

Jacob Hoffman-Andrews jsha at letsencrypt.org
Thu Feb 27 13:20:15 AEDT 2020


Right now, if I typo my PIN for a PKCS#11 token, I get the inscrutable message:

$ ssh -I /path/to/module user at example.com
Enter PIN for 'SSH key':
C_Login failed: 160

I'd prefer to receive a more useful message:

Login to PKCS#11 token failed: Incorrect PIN

I've attached a patch that adds specific handling for three common
error cases: Incorrect PIN, PIN too long or too short, and PIN locked.
I've also tweaked the fallback error case to indicate that it is a
PKCS#11-specific error. Hope this is useful!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Provide-more-user-friendly-output-on-C_Login-errors.patch
Type: text/x-patch
Size: 1304 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200226/379da696/attachment.bin>
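
The mapping described in the message above, as an added example; it is not the attached patch, which was scrubbed from this archive, and not OpenSSH code. The three `CKR_*` values are the ones defined in the PKCS#11 specification; the helper name, the `login_action` enum, the re-prompt hint and the wording of the fallback message are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return values from the PKCS#11 specification (pkcs11t.h), redefined here
 * so the example builds without the PKCS#11 headers. */
#define CKR_PIN_INCORRECT 0x000000A0UL /* 160, the code in the message above */
#define CKR_PIN_LEN_RANGE 0x000000A2UL
#define CKR_PIN_LOCKED    0x000000A4UL

/* Hypothetical helper type: what the caller should do after a failed C_Login. */
enum login_action { LOGIN_REPROMPT, LOGIN_GIVE_UP };

/* Write a readable message for a C_Login return value into buf and say
 * whether prompting again can help. Unknown codes keep the number, in
 * decimal and hex, so it can still be looked up in pkcs11t.h. */
enum login_action
describe_login_error(unsigned long rv, char *buf, size_t len)
{
	const char *why = NULL;
	enum login_action act = LOGIN_GIVE_UP;

	switch (rv) {
	case CKR_PIN_INCORRECT:
		why = "Incorrect PIN";
		act = LOGIN_REPROMPT;
		break;
	case CKR_PIN_LEN_RANGE:
		why = "PIN too long or too short";
		act = LOGIN_REPROMPT;
		break;
	case CKR_PIN_LOCKED:
		/* Further attempts cannot succeed until the token is unblocked. */
		why = "PIN locked";
		break;
	}
	if (why != NULL)
		snprintf(buf, len, "Login to PKCS#11 token failed: %s", why);
	else
		snprintf(buf, len, "Login to PKCS#11 token failed: "
		    "PKCS#11 error %lu (0x%lx)", rv, rv);
	return act;
}

int main(void)
{
	char msg[128];
	describe_login_error(160UL, msg, sizeof(msg));
	puts(msg);
	return 0;
}
```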

