Patch for pinpad ssh-agent

Elmer Joandi elmer at fcst24.com
Sat Jan 2 05:01:04 AEDT 2021


Hi,
I am using a pinpad with ssh-agent and an Estonian ID card.
For the past decade I have had to patch it in quite strange ways to work and be 
able to forward the agent. I used up my old and active ID cards.
Now it seems almost done, but a small patch is still needed for 8.4 to be able 
to do:  "ssh-add -s /usr/lib64/onepin-opensc-pkcs11.so"
It seems that P11 now also does not accept an empty PIN on the pinpad, but accepts 
a NULL PIN. Strange what it would do with previous versions.

--- openssh-8.4p1/ssh-pkcs11.c	2021-01-01 21:27:04.603031751 +0200
+++ openssh-8.4p1.padlogin/ssh-pkcs11.c	2021-01-01 21:23:38.501031101 +0200
@@ -804,14 +804,21 @@
  	 CK_RV			rv;
  	 CK_SESSION_HANDLE	session;
  	 int			login_required, ret;
-
+	int			pinpad=0;
+	int 			pinLen=(pin==NULL)?0:strlen(pin);
  	 f = p->module->function_list;
  	 si = &p->module->slotinfo[slotidx];

-	login_required = si->token.flags & CKF_LOGIN_REQUIRED;
+	pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH ;
+	login_required = (si->token.flags & CKF_LOGIN_REQUIRED);

+	if (pinpad && pin !=NULL){
+		error("Pinpad pin set to zero");
+		pin=NULL;
+		pinLen=0;
+	}
  	 /* fail early before opening session */
-	if (login_required && !pkcs11_interactive &&
+	if (login_required && !pkcs11_interactive && !pinpad &&
  	     (pin == NULL || strlen(pin) == 0)) {
  		 error("pin required");
  		 return (-SSH_PKCS11_ERR_PIN_REQUIRED);
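Review bot: the `if (pinpad && pin !=NULL)` branch reports a normal condition through error(): a token advertising CKF_PROTECTED_AUTHENTICATION_PATH is expected to take the PIN on its own reader, so dropping a PIN the caller passed in is the intended path and should be logged with debug(), worded as what happens ("token has protected authentication path, ignoring supplied PIN"), not as a failure. Two smaller points in the same hunk: `int pinLen=(pin==NULL)?0:strlen(pin);` narrows size_t to int, and since the value is only ever handed to C_Login it should be CK_ULONG to match ulPinLen; and the fail-early test still spells out `pin == NULL || strlen(pin) == 0`, which is now just `pinLen == 0`. The `(si->token.flags & CKF_LOGIN_REQUIRED)` parenthesisation changes nothing and only adds diff noise, and the spacing (`pin !=NULL){`, `CKF_PROTECTED_AUTHENTICATION_PATH ;`, tab/space mix after `int`) does not follow the surrounding OpenSSH style.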
@@ -821,8 +828,8 @@
  		 error("C_OpenSession failed for slot %lu: %lu", slotidx, rv);
  		 return (-1);
  	}
-	if (login_required && pin != NULL && strlen(pin) != 0) {
-		rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
+	if (login_required ) {
+		rv = f->C_Login(session, user, (u_char *)pin, pinLen);
  		 if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
  			 error("C_Login failed: %lu", rv);
  			 ret = (rv == CKR_PIN_LOCKED) ?
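Review bot: `if (login_required )` drops the `pin != NULL && strlen(pin) != 0` guard for every token, not only pinpad ones. The early check above lets a NULL pin through whenever pkcs11_interactive is set, so with this change a non-pinpad token in interactive mode now gets `C_Login(session, user, NULL, 0)` where the old code deliberately skipped the call; that is a behaviour change outside the pinpad fix and, on a module that rejects a NULL PIN, turns a session that previously opened fine into a "C_Login failed" error. Limit the new behaviour to the pinpad case: `if (login_required && (pinpad || pinLen != 0))`. Also drop the stray space before `)`.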


It would also be interesting to be able to use the signing function remotely 
via ssh, to sign from home on a server for administrative purposes.
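The decision the patch above is wrestling with, written out as an added example that is not OpenSSH or OpenSC code: a caller in the ssh-agent role has to choose between sending a PIN through C_Login, calling C_Login with pPin = NULL and ulPinLen = 0 so a token with CKF_PROTECTED_AUTHENTICATION_PATH prompts on its own pinpad, deferring to an interactive prompt, or failing early. The CKF_/CKR_ constants carry the values from the PKCS#11 specification; the mock token, the enum and function names, and the PINs are constructed for this example only.

```c
/*
 * Added example (not OpenSSH or OpenSC code): driving C_Login for a PKCS#11
 * token with a protected authentication path (pinpad) versus one that expects
 * the PIN from the application.  A constructed mock token stands in for a
 * real module so the example runs offline; names below are this example's own.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;

/* Values as defined by the PKCS#11 specification (identical to pkcs11.h). */
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
#define CKR_OK                            0x00000000UL
#define CKR_ARGUMENTS_BAD                 0x00000007UL
#define CKR_PIN_INCORRECT                 0x000000a0UL
#define CKR_USER_ALREADY_LOGGED_IN        0x00000100UL

enum login_result {
	LOGIN_OK = 0,           /* logged in, or no login needed */
	LOGIN_ERR_PIN_REQUIRED, /* non-interactive caller gave no PIN */
	LOGIN_NEEDS_PROMPT,     /* interactive caller must ask for a PIN */
	LOGIN_ERR_LOGIN_FAIL    /* token rejected the login */
};

/* Constructed stand-in for a token behind a PKCS#11 module. */
struct mock_token {
	CK_FLAGS    flags;
	const char *correct_pin;     /* used only when there is no pinpad */
	int         pinpad_prompted; /* set when the "pinpad" handled the PIN */
	int         logins;          /* number of C_Login calls received */
};

/* Mock C_Login with the behaviour the thread describes: a pinpad token
 * accepts pPin = NULL, ulPinLen = 0 and rejects an empty-string PIN. */
static CK_RV
mock_C_Login(struct mock_token *t, const unsigned char *pin, unsigned long len)
{
	t->logins++;
	if (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
		if (pin != NULL || len != 0)
			return CKR_ARGUMENTS_BAD;
		t->pinpad_prompted = 1;
		return CKR_OK;
	}
	if (pin == NULL || len == 0)
		return CKR_ARGUMENTS_BAD;
	if (len != strlen(t->correct_pin) ||
	    memcmp(pin, t->correct_pin, len) != 0)
		return CKR_PIN_INCORRECT;
	return CKR_OK;
}

/*
 * The choice pkcs11_open_session() has to make.  The pinpad case is tested
 * before the "pin required" check so a pinpad token never fails early, and a
 * PIN the caller supplied anyway is dropped rather than sent to the token,
 * because the token will prompt for it on its own reader.
 */
enum login_result
token_login(struct mock_token *t, const char *pin, int interactive)
{
	int    login_required = (t->flags & CKF_LOGIN_REQUIRED) != 0;
	int    pinpad = (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
	size_t pin_len = (pin == NULL) ? 0 : strlen(pin);
	CK_RV  rv;

	if (!login_required)
		return LOGIN_OK;
	if (pinpad) {
		if (pin_len != 0)
			fprintf(stderr, "debug: pinpad token, ignoring supplied PIN\n");
		rv = mock_C_Login(t, NULL, 0);
	} else if (pin_len != 0) {
		rv = mock_C_Login(t, (const unsigned char *)pin, pin_len);
	} else {
		return interactive ? LOGIN_NEEDS_PROMPT : LOGIN_ERR_PIN_REQUIRED;
	}
	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
		return LOGIN_ERR_LOGIN_FAIL;
	return LOGIN_OK;
}

/* One scenario per call: build the mock token and attempt the login. */
enum login_result
run_case(CK_FLAGS flags, const char *correct_pin, const char *pin, int interactive)
{
	struct mock_token t = { flags, correct_pin, 0, 0 };
	return token_login(&t, pin, interactive);
}

/* Same scenario, reporting how many C_Login calls reached the token. */
int
login_calls(CK_FLAGS flags, const char *correct_pin, const char *pin, int interactive)
{
	struct mock_token t = { flags, correct_pin, 0, 0 };
	(void)token_login(&t, pin, interactive);
	return t.logins;
}

int
main(void)
{
	CK_FLAGS pinpad = CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH;
	printf("pinpad, PIN passed anyway: %d\n", run_case(pinpad, NULL, "1234", 0));
	printf("no pinpad, no PIN, agent: %d\n", run_case(CKF_LOGIN_REQUIRED, "1234", NULL, 0));
	printf("C_Login calls in that case: %d\n", login_calls(CKF_LOGIN_REQUIRED, "1234", NULL, 0));
	return 0;
}
```

The ordering matters: a PIN supplied for a pinpad token is logged at debug level and discarded rather than forwarded, the early "pin required" failure applies only to tokens that actually expect a PIN from the application, and the interactive case with no PIN is left for a prompt instead of issuing C_Login with nothing.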



More information about the openssh-unix-dev mailing list