Call for testing: OpenSSH 6.7

Dirk-Willem van Gulik dirkx at webweaving.org
Mon Aug 18 19:27:44 EST 2014


On 18 Aug 2014, at 03:23, Damien Miller <djm at mindrot.org> wrote:

With this fix:

> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>   explicitly listed in ssh_config or on the commandline not to be
>   preferred.

A fairly broad range of PIN-keypad readers, as often used in healthcare, have sprung to life. It would be nice if you could
also apply the patch below.

The gist of this change is that it will revert PIN entry to the keypad of the reader if such is available/mandatory.

Thanks,

Dw.

* Allow for PIN/password entry on the keypad of the chipcard reader.

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c96be3b..83b5f3a 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,21 +255,27 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 		if (!pkcs11_interactive) {
-			error("need pin");
+			error("need pin entry%s", 
+				(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
 			return (-1);
 		}
-		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
-		    si->token.label);
-		pin = read_passphrase(prompt, RP_ALLOW_EOF);
-		if (pin == NULL)
-			return (-1);	/* bail out */
-		if ((rv = f->C_Login(si->session, CKU_USER,
-		    (u_char *)pin, strlen(pin))) != CKR_OK) {
-			free(pin);
+		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+			verbose("Deferring PIN entry to keypad of chipcard reader.");
+			pin = NULL;
+		} else {
+			snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+			    si->token.label);
+			pin = read_passphrase(prompt, RP_ALLOW_EOF);
+			if (pin == NULL)
+				return (-1);	/* bail out */
+		};
+		if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0)) 
+                        != CKR_OK) {
+                        if (pin) free(pin);
 			error("C_Login failed: %lu", rv);
 			return (-1);
 		}
-		free(pin);
+		if (pin) free(pin);
 		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;
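Review bot: the cast on the PIN argument was dropped in the new call `f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0)`; the removed lines passed `(u_char *)pin`, and C_Login takes a CK_UTF8CHAR_PTR, so handing it a `char *` now draws a pointer-sign warning on strict builds. Keep the cast: `(u_char *)pin`. Smaller points in the same hunk: the `};` that closes the else block has a stray semicolon; the two continuation lines of the C_Login call and the `if (pin) free(pin);` below them are indented with spaces where the rest of the function uses tabs, and the `error("need pin entry%s", ` and C_Login lines carry trailing whitespace; `free(NULL)` is a no-op, so both `if (pin) free(pin);` guards can stay as plain `free(pin);`, which also drops the single-line if-statements the surrounding code does not use. One behavioural question: when CKF_PROTECTED_AUTHENTICATION_PATH is set, the `!pkcs11_interactive` check still fails the login with "need pin entry on reader keypad" although no terminal prompt is ever issued; if that is intended (a user still has to be at the keypad), a one-line comment next to the verbose() message would save the next reader from "fixing" it.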

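To show the login decision the patch describes end to end, here is an added, stand-alone C example (not OpenSSH code, not the poster's patch): a `token_login()` that inspects the token flags, defers the PIN to the reader when CKF_PROTECTED_AUTHENTICATION_PATH is set (calling C_Login with a NULL PIN and length 0, as PKCS#11 requires for that case), prompts otherwise, and scrubs the PIN afterwards. The PKCS#11 types, constants, simulated tokens and PIN "1234" are all assumed and constructed here so the file compiles and runs without a provider; the function keeps the patch's rule that login needs an interactive session even for keypad readers.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal PKCS#11 types and constants, assumed here so the example builds
 * without pkcs11.h; the values follow the PKCS#11 v2.x headers. */
typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
typedef unsigned long CK_SESSION_HANDLE;
typedef unsigned long CK_USER_TYPE;
typedef unsigned char CK_UTF8CHAR;
#define CKR_OK                            0x00UL
#define CKR_ARGUMENTS_BAD                 0x07UL
#define CKR_PIN_INCORRECT                 0xA0UL
#define CKU_USER                          1UL
#define CKF_LOGIN_REQUIRED                0x004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x100UL

/* C_Login in the shape the standard gives it; passed in so a simulated
 * token can stand in for a real provider below. */
typedef CK_RV (*login_fn)(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR *, unsigned long);
/* Prompt callback (stands in for read_passphrase): malloc'd PIN or NULL on EOF. */
typedef char *(*prompt_fn)(const char *label);

enum login_result { LOGIN_OK, LOGIN_NOT_NEEDED, LOGIN_NO_TTY, LOGIN_CANCELLED, LOGIN_FAILED };

/*
 * Log in to a token if it demands it. A reader with a protected
 * authentication path collects the PIN on its own keypad, so C_Login gets a
 * NULL PIN of length 0 and the prompt callback is never invoked. Otherwise the
 * PIN is read through prompt(), passed with the proper CK_UTF8CHAR cast, and
 * wiped before being freed.
 */
enum login_result
token_login(CK_SESSION_HANDLE session, CK_FLAGS token_flags, const char *label,
    int interactive, prompt_fn prompt, login_fn C_Login)
{
	char *pin = NULL;
	size_t pinlen = 0;
	CK_RV rv;

	if (!(token_flags & CKF_LOGIN_REQUIRED))
		return LOGIN_NOT_NEEDED;
	if (!interactive)	/* same rule as the patch: a user must be present */
		return LOGIN_NO_TTY;
	if (!(token_flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
		if ((pin = prompt(label)) == NULL)
			return LOGIN_CANCELLED;
		pinlen = strlen(pin);
	}
	rv = C_Login(session, CKU_USER, (CK_UTF8CHAR *)pin, pinlen);
	if (pin != NULL) {
		memset(pin, 0, pinlen);	/* scrub; use explicit_bzero() where available */
		free(pin);
	}
	return rv == CKR_OK ? LOGIN_OK : LOGIN_FAILED;
}

/* --- Constructed test doubles, not a real PKCS#11 provider --- */

static char *
dupstr(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p != NULL)
		memcpy(p, s, n);
	return p;
}

/* Keypad token: only accepts the "collect it yourself" form of the call. */
static CK_RV
sim_keypad_login(CK_SESSION_HANDLE s, CK_USER_TYPE u, CK_UTF8CHAR *pin, unsigned long len)
{
	(void)s; (void)u;
	return (pin == NULL && len == 0) ? CKR_OK : CKR_ARGUMENTS_BAD;
}

/* Plain token: PIN is the constructed value "1234". */
static CK_RV
sim_plain_login(CK_SESSION_HANDLE s, CK_USER_TYPE u, CK_UTF8CHAR *pin, unsigned long len)
{
	(void)s; (void)u;
	if (pin == NULL || len != 4 || memcmp(pin, "1234", 4) != 0)
		return CKR_PIN_INCORRECT;
	return CKR_OK;
}

static char *prompt_correct(const char *label) { (void)label; return dupstr("1234"); }
static char *prompt_wrong(const char *label)   { (void)label; return dupstr("0000"); }
static char *prompt_eof(const char *label)     { (void)label; return NULL; }

int
main(void)
{
	CK_FLAGS keypad = CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH;
	CK_FLAGS plain = CKF_LOGIN_REQUIRED;

	/* The keypad case is given prompt_eof on purpose: it must never be called. */
	printf("keypad, interactive:     %d\n", token_login(1, keypad, "eID", 1, prompt_eof, sim_keypad_login));
	printf("keypad, non-interactive: %d\n", token_login(1, keypad, "eID", 0, prompt_eof, sim_keypad_login));
	printf("plain, correct PIN:      %d\n", token_login(1, plain, "eID", 1, prompt_correct, sim_plain_login));
	printf("plain, wrong PIN:        %d\n", token_login(1, plain, "eID", 1, prompt_wrong, sim_plain_login));
	printf("plain, prompt cancelled: %d\n", token_login(1, plain, "eID", 1, prompt_eof, sim_plain_login));
	return 0;
}
```

Passing `prompt_eof` to the keypad case is the check a practitioner wants: if the function ever fell through to the terminal prompt for a protected-path reader, the login would come back as LOGIN_CANCELLED instead of LOGIN_OK.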