[Bug 2652] PKCS11 login skipped if login required and no pin set

bugzilla-daemon at bugzilla.mindrot.org
Fri Feb 23 07:37:24 AEDT 2018


--- Comment #11 from Daniel Kucera <openssh at danman.eu> ---
(In reply to Jakub Jelen from comment #10)
> Thank you for testing the patch. But your changes again change the
> semantics and issue the pinpad login even if the PIN is NULL, which
> is not what you generally want.

But if CKF_LOGIN_REQUIRED is set, why would one want to skip login?

> Or is your card requiring the login also for the listing of public
> keys? What do you get if you try to list the public objects from
> pkcs11-tool?
> pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so

My card requires login for absolutely everything.

$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -O
Using slot 0 with a present token (0x1)
$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l
Using slot 0 with a present token (0x1)
Private Key Object; RSA 
  label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID:         ...
  Usage:      decrypt, sign
  Access:     always authenticate
Certificate Object; type = X.509 cert
  label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID:         ...
