Jacob Hoffman-Andrews
2020-Feb-27 02:20 UTC
[PATCH] Readable return codes for pkcs11 identities
Right now, if I typo my PIN for a PKCS#11 token, I get the inscrutable message:

    $ ssh -I /path/to/module user at example.com
    Enter PIN for 'SSH key':
    C_Login failed: 160

I'd prefer to receive a more useful message:

    Login to PKCS#11 token failed: Incorrect PIN

I've attached a patch that adds specific handling for three common error cases: Incorrect PIN, PIN too long or too short, and PIN locked. I've also tweaked the fallback error case to indicate that it is a PKCS#11-specific error. Hope this is useful!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Provide-more-user-friendly-output-on-C_Login-errors.patch
Type: text/x-patch
Size: 1304 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200226/379da696/attachment.bin>
On Wed, 2020-02-26 at 18:20 -0800, Jacob Hoffman-Andrews wrote:
> Right now, if I typo my PIN for a PKCS#11 token, I get the
> inscrutable message:
>
> $ ssh -I /path/to/module user at example.com
> Enter PIN for 'SSH key':
> C_Login failed: 160
>
> I'd prefer to receive a more useful message:
>
> Login to PKCS#11 token failed: Incorrect PIN
>
> I've attached a patch that adds specific handling for three common
> error cases: Incorrect PIN, PIN too long or too short, and PIN
> locked.
> I've also tweaked the fallback error case to indicate that it is a
> PKCS#11-specific error. Hope this is useful!

Please, open a new bug with the patch so it will not get lost in the mailing list. This is certainly something useful to have.

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
Jacob Hoffman-Andrews
2020-Mar-05 17:46 UTC
[PATCH] Readable return codes for pkcs11 identities
Done, thanks. https://bugzilla.mindrot.org/show_bug.cgi?id=3130

On Thu, Mar 5, 2020 at 7:32 AM Jakub Jelen <jjelen at redhat.com> wrote:
>
> On Wed, 2020-02-26 at 18:20 -0800, Jacob Hoffman-Andrews wrote:
> > Right now, if I typo my PIN for a PKCS#11 token, I get the
> > inscrutable message:
> >
> > $ ssh -I /path/to/module user at example.com
> > Enter PIN for 'SSH key':
> > C_Login failed: 160
> >
> > I'd prefer to receive a more useful message:
> >
> > Login to PKCS#11 token failed: Incorrect PIN
> >
> > I've attached a patch that adds specific handling for three common
> > error cases: Incorrect PIN, PIN too long or too short, and PIN
> > locked.
> > I've also tweaked the fallback error case to indicate that it is a
> > PKCS#11-specific error. Hope this is useful!
>
> Please, open a new bug with the patch so it will not get lost in the
> mailing list. This is certainly something useful to have.
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>