[Bug 2430] New: ssh-keygen should allow to login before reading public key from smart card
bugzilla-daemon at mindrot.org
Thu Jul 16 18:25:21 AEST 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2430
Bug ID: 2430
Summary: ssh-keygen should allow to login before reading public key from smart card
Product: Portable OpenSSH
Version: 6.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Based on our investigation of Smart Card usability with OpenSSH we
found several minor problems that were filed in our Red Hat Bugzilla
[1]. The next problem is again with SoftHSM. By default it hides both
the public and private keys until you log in to the card. This is not a
rare feature and it is useful, because it hides all the data on the card
from unauthorized access.
Most of the pkcs11 tools have the ability to log in before performing an
operation with the card. OpenSSH currently does this only for the
operations that are generally expected to require a PIN. Doing so would
probably require another switch for ssh-keygen, which is not very
convenient (and there are not many letters left for keygen).
The other possibility would be to fall back to login if keygen does not
find any keys without login -- this would be more transparent for
users, but would possibly hide some keys if there were at least one
readable before login.
I am not yet providing a patch here, since this issue would require
consideration of which way to take. It would be great to start a
discussion about the pros and cons of both solutions or to come up with
a different solution.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1241873
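The two approaches weighed in this report, modelled side by side as an added example (not part of the original report and not OpenSSH code). It assumes the token hides objects through the PKCS#11 CKA_PRIVATE attribute until C_Login succeeds; the structs, function names and sample tokens are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: an object with PKCS#11 CKA_PRIVATE set is invisible
 * to an object search until the session has logged in. */
struct obj { const char *label; bool cka_private; };
struct token { const struct obj *objs; size_t n; bool logged_in; };

/* Stand-in for one C_FindObjects pass: count keys this session can see. */
static size_t find_keys(const struct token *t) {
    size_t seen = 0;
    for (size_t i = 0; i < t->n; i++)
        if (t->logged_in || !t->objs[i].cka_private)
            seen++;
    return seen;
}

/* Option 1: explicit switch; log in first only when the user asked for it. */
size_t list_with_switch(struct token t, bool login_first) {
    t.logged_in = login_first;
    return find_keys(&t);
}

/* Option 2: search without login, fall back to login only on an empty result. */
size_t list_with_fallback(struct token t, bool *prompted) {
    size_t seen = find_keys(&t);
    *prompted = (seen == 0);
    if (*prompted) {
        t.logged_in = true;   /* stand-in for a successful C_Login */
        seen = find_keys(&t);
    }
    return seen;
}

/* Constructed sample tokens (labels are made up). */
static const struct obj HIDE_ALL[] = { {"auth", true}, {"sign", true} };
static const struct obj MIXED[]    = { {"auth", false}, {"sign", true} };
struct token hide_all_token(void) { struct token t = {HIDE_ALL, 2, false}; return t; }
struct token mixed_token(void)    { struct token t = {MIXED, 2, false}; return t; }

int main(void) {
    bool p;
    size_t n = list_with_fallback(mixed_token(), &p);
    printf("mixed token, fallback: %zu key(s), PIN asked: %d\n", n, p);
    printf("mixed token, switch:   %zu key(s)\n", list_with_switch(mixed_token(), true));
    return 0;
}
```

On the mixed token the fallback never asks for the PIN and reports one key, while the explicit switch reports both, which is the hidden-key case the report warns about.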