Patch for pinpad ssh-agent
Elmer Joandi
elmer at fcst24.com
Sat Jan 2 05:01:04 AEDT 2021
Hi,
I am using a pinpad with ssh-agent with an Estonian ID card.
For the past decade I have had to patch it in quite strange ways to make it work and to be
able to forward the agent. I have used up my old and active ID cards.
Now it seems almost done, but a small patch is still needed for 8.4, to be able
to do: "ssh-add -s /usr/lib64/onepin-opensc-pkcs11.so"
Seems that P11 now also does not accept empty pin on pinpad, but accepts NULL
pin. Strange what it would do with previous versions.
--- openssh-8.4p1/ssh-pkcs11.c 2021-01-01 21:27:04.603031751 +0200
+++ openssh-8.4p1.padlogin/ssh-pkcs11.c 2021-01-01 21:23:38.501031101 +0200
@@ -804,14 +804,21 @@
CK_RV rv;
CK_SESSION_HANDLE session;
int login_required, ret;
-
+ int pinpad=0;
+ int pinLen=(pin==NULL)?0:strlen(pin);
f = p->module->function_list;
si = &p->module->slotinfo[slotidx];
- login_required = si->token.flags & CKF_LOGIN_REQUIRED;
+ pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH ;
+ login_required = (si->token.flags & CKF_LOGIN_REQUIRED);
+ if (pinpad && pin !=NULL){
+ error("Pinpad pin set to zero");
+ pin=NULL;
+ pinLen=0;
+ }
/* fail early before opening session */
- if (login_required && !pkcs11_interactive &&
+ if (login_required && !pkcs11_interactive && !pinpad &&
(pin == NULL || strlen(pin) == 0)) {
error("pin required");
return (-SSH_PKCS11_ERR_PIN_REQUIRED);
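Review bot: In the `if (pinpad && pin !=NULL)` branch, a PIN the caller supplied is discarded and reported through error(), although nothing has failed at that point. Passing a NULL PIN to C_Login is what PKCS#11 expects for a token with CKF_PROTECTED_AUTHENTICATION_PATH, so this should be logged with debug() and a message saying the supplied PIN is ignored because the token uses a protected authentication path. Two smaller points: pinLen is an int assigned from strlen(), and a size_t would avoid the narrowing before it is passed to C_Login; and the new declarations drop the blank line before the first statement and do not follow the spacing of the surrounding code (`int pinpad=0;`, `pin !=NULL`, the space before `;`). The unchanged `(pin == NULL || strlen(pin) == 0)` test could become `pinLen == 0` now that the length is computed once.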
@@ -821,8 +828,8 @@
error("C_OpenSession failed for slot %lu: %lu", slotidx, rv);
return (-1);
}
- if (login_required && pin != NULL && strlen(pin) != 0) {
- rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
+ if (login_required ) {
+ rv = f->C_Login(session, user, (u_char *)pin, pinLen);
if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
error("C_Login failed: %lu", rv);
ret = (rv == CKR_PIN_LOCKED) ?
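Review bot: `if (login_required )` now calls C_Login whenever login is required, which also covers tokens without a pinpad. The early check above only rejects a missing PIN when pkcs11_interactive is unset, so with pkcs11_interactive set, no pinpad, and pin NULL or empty, the old code skipped the login here, while the new code calls C_Login(session, user, NULL, 0) and treats any result other than CKR_OK or CKR_USER_ALREADY_LOGGED_IN as a failure. Keeping the previous behaviour for that case would need a condition such as `if (login_required && (pinpad || pinLen != 0))`. The stray space before the closing parenthesis should also go.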
It would be interesting to be able to use remotely also the signing function
via ssh, to sign from home at server for administrative purposes.
More information about the openssh-unix-dev
mailing list