bugzilla-daemon at bugzilla.mindrot.org
2008-Aug-21 16:26 UTC
[Bug 1512] New: Only a single smartcard/PIN is supported by the ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=1512
Summary: Only a single smartcard/PIN is supported by the ssh-agent
Product: Portable OpenSSH
Version: 5.1p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Smartcard
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: dkg at fifthhorseman.net
Many smartcards are capable of storing multiple PINs and multiple RSA
keys. Some users may also have more than one smartcard in active use
at a given time (though this seems less likely than 2 or more IDs on a
card).
The current smartcard implementation appears to be capable of dealing
with only a single PIN on a single card. While this makes sense for a
single instance of ssh, a long-running ssh-agent connection might
reasonably want to deal with multiple identities or multiple cards.
Also problematic with the agent is that it doesn't associate any given
identity with any particular card or reader. So if a second card or
reader is inserted in the local host (even if it's not used by the
agent), there's a potential for dangerous things like sending the
cached PIN to the wrong card.
I'm afraid i don't have a fix for this behavior at the moment, but i
wanted to raise the issue and create a place for discussion about it.
I think that the right thing would be to adjust the agent (if compiled
with smartcard support) to associate each hardware-based identity with
a specific card and a specific PIN.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-23 01:35 UTC
[Bug 1512] Only a single smartcard/PIN is supported by the ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=1512
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Damien Miller <djm at mindrot.org> 2010-04-23 11:35:51 EST ---
The new PKCS#11 code supports multiple providers and multiple keys for
each (AFAIK) so I think this is done.
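The fix described above binds each PIN to the PKCS#11 provider it was supplied with, so a cached PIN can only ever be handed to that provider. The example below is added here and is not OpenSSH code: it encodes and parses the agent's "add smartcard key" request (type 20, carrying a provider id string and a PIN string, as in the ssh-agent protocol draft) and keeps PINs in a per-provider table; the provider paths and PINs are constructed sample values.

```python
"""Constructed example: ssh-agent add-smartcard-key framing and a per-provider PIN table."""
import struct
from typing import Optional

SSH_AGENTC_ADD_SMARTCARD_KEY = 20  # request type from the ssh-agent protocol draft


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_add_smartcard_key(provider: str, pin: str) -> bytes:
    """Framed request: uint32 length, byte type, string provider id, string PIN."""
    body = (bytes([SSH_AGENTC_ADD_SMARTCARD_KEY])
            + ssh_string(provider.encode())
            + ssh_string(pin.encode()))
    return struct.pack(">I", len(body)) + body


def parse_add_smartcard_key(msg: bytes) -> tuple:
    """Inverse of build_add_smartcard_key; rejects truncated or oversized input."""
    if len(msg) < 5:
        raise ValueError("short message")
    (length,) = struct.unpack(">I", msg[:4])
    if length != len(msg) - 4:
        raise ValueError("length field does not match payload")
    if msg[4] != SSH_AGENTC_ADD_SMARTCARD_KEY:
        raise ValueError("not an add-smartcard-key request")
    off, fields = 5, []
    for _ in range(2):  # provider id, then PIN
        if off + 4 > len(msg):
            raise ValueError("truncated string length")
        (n,) = struct.unpack(">I", msg[off:off + 4])
        off += 4
        if off + n > len(msg):
            raise ValueError("truncated string body")
        fields.append(msg[off:off + n].decode())
        off += n
    if off != len(msg):
        raise ValueError("trailing bytes after PIN")
    return fields[0], fields[1]


class SmartcardTable:
    """PIN store keyed by provider id: a second provider never inherits the first PIN."""
    def __init__(self) -> None:
        self._pins: dict = {}

    def add(self, msg: bytes) -> str:
        provider, pin = parse_add_smartcard_key(msg)
        self._pins[provider] = pin
        return provider

    def pin_for(self, provider: str) -> Optional[str]:
        return self._pins.get(provider)
```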
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1512] Only a single smartcard/PIN is supported by the ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=1512
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:39 EST ---
Move resolved bugs to CLOSED after 5.7 release