bugzilla-daemon at bugzilla.mindrot.org
2008-Aug-21 16:26 UTC
[Bug 1512] New: Only a single smartcard/PIN is supported by the ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=1512

           Summary: Only a single smartcard/PIN is supported by the ssh-agent
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Smartcard
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dkg at fifthhorseman.net

Many smartcards are capable of storing multiple PINs and multiple RSA keys. Some users may also have more than one smartcard in active use at a given time (though this seems less likely than 2 or more IDs on a card).

The current smartcard implementation appears to be capable of dealing with only a single PIN on a single card. While this makes sense for a single instance of ssh, a long-running ssh-agent connection might reasonably want to deal with multiple identities or multiple cards.

Also problematic with the agent is that it doesn't associate any given identity with any particular card or reader. So if a second card or reader is inserted in the local host (even if it's not used by the agent), there's a potential for dangerous things like sending the cached PIN to the wrong card.

I'm afraid I don't have a fix for this behavior at the moment, but I wanted to raise the issue and create a place for discussion about it. I think that the right thing would be to adjust the agent (if compiled with smartcard support) to associate each hardware-based identity with a specific card and a specific PIN.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
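The association the report asks for, sketched as an added example (not OpenSSH code and not from the reporter): each cached PIN is bound to the token its key was loaded from and is withheld when a different token is presented. All names (`token_id`, `agent_add`, `pin_for`), the provider path and the serials are hypothetical or constructed; a real agent would take the token identity from the PKCS#11 token information.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical token identity: provider library path plus token serial. */
struct token_id { char provider[64]; char serial[17]; };
/* One hardware-backed identity, bound to the token it was loaded from. */
struct hw_identity { char key[32]; struct token_id token; char pin[16]; };
static struct hw_identity ids[8];
static int n_ids;

struct token_id make_token(const char *provider, const char *serial)
{
    struct token_id t = {0};
    snprintf(t.provider, sizeof t.provider, "%s", provider);
    snprintf(t.serial, sizeof t.serial, "%s", serial);
    return t;
}

/* Register a key with the token it lives on and that token's PIN. */
int agent_add(const char *key, struct token_id token, const char *pin)
{
    if (n_ids >= 8 || strlen(pin) >= sizeof ids[0].pin)
        return -1;
    struct hw_identity *id = &ids[n_ids++];
    snprintf(id->key, sizeof id->key, "%s", key);
    id->token = token;
    snprintf(id->pin, sizeof id->pin, "%s", pin);
    return 0;
}

/* Release the cached PIN only when the token now in the reader is the one
 * the key was registered on; any other card gets NULL instead of the PIN. */
const char *pin_for(const char *key, struct token_id present)
{
    for (int i = 0; i < n_ids; i++)
        if (strcmp(ids[i].key, key) == 0)
            return strcmp(ids[i].token.provider, present.provider) == 0 &&
                   strcmp(ids[i].token.serial, present.serial) == 0
                   ? ids[i].pin : NULL;
    return NULL;
}

int main(void)
{
    /* Constructed sample values: one provider, two different cards. */
    struct token_id a = make_token("/constructed/provider.so", "SERIAL-A");
    struct token_id b = make_token("/constructed/provider.so", "SERIAL-B");
    agent_add("work-key", a, "1234");
    printf("same card:  %s\n", pin_for("work-key", a) ? "PIN released" : "refused");
    printf("other card: %s\n", pin_for("work-key", b) ? "PIN released" : "refused");
    return 0;
}
```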
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-23 01:35 UTC
[Bug 1512] Only a single smartcard/PIN is supported by the ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=1512

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org> 2010-04-23 11:35:51 EST ---
The new PKCS#11 code supports multiple providers and multiple keys for each (AFAIK) so I think this is done.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1512] Only a single smartcard/PIN is supported by the ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=1512

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:39 EST ---
Move resolved bugs to CLOSED after 5.7 release