search for: ckf_login_requir

https://bugzilla.mindrot.org/show_bug.cgi?id=2652 Bug ID: 2652 Summary: PKCS11 login skipped if login required and no pin set Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Smartcard Assignee:

...Login with ssh -I works without any user interaction, but ssh-add -s always asks interactively for the PIN. Investigating this behavior, the following was found. There seem to be two ways for an PKCS#11 token to signalize that no PIN is required through the PKCS#11 library. 1. By not setting the CKF_LOGIN_REQUIRED flag, which indicates that no login must be performed and therefore no pin is necessary. 2. By setting the CKF_PROTECTED_AUTHENTICATION_PATH flag which indicates that the PIN is provided outside of the PKCS#11 library. See the PKCS#11 3.0 standard for the details [1]. Looking into the code of ss...

...ff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index c3a112f..b053332 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ? " entry on reader keypad" : ""); return (-1); } - snprintf(prom...

On Sat, 2019-04-06 at 03:20 +1100, Damien Miller wrote: > On Fri, 5 Apr 2019, Jakub Jelen wrote: > > > There is also changed semantics of the ssh-keygen when listing keys > > from PKCS#11 modules. In the past, it was not needed to enter a PIN > > for > > this, but now. > > > > At least, it is not consistent with a comment in the function > >

...2.orig/ssh-pkcs11.c openssh-6.2p2/ssh-pkcs11.c --- openssh-6.2p2.orig/ssh-pkcs11.c 2011-09-04 11:59:26.000000000 +0200 +++ openssh-6.2p2/ssh-pkcs11.c 2014-05-06 13:03:15.000000000 +0200 @@ -256,21 +256,29 @@ si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin entry%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : ""); return (-1); } - snprintf(prompt, siz...

...CS file: /cvs/openssh/ssh-pkcs11.c,v retrieving revision 1.15 diff -u -w -r1.15 ssh-pkcs11.c --- ssh-pkcs11.c 20 Apr 2014 03:21:23 -0000 1.15 +++ ssh-pkcs11.c 12 May 2014 12:34:25 -0000 @@ -255,21 +255,29 @@ si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin entry%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : ""); return (-1); } + if (si->token....

https://bugzilla.mindrot.org/show_bug.cgi?id=2430 Bug ID: 2430 Summary: ssh-keygen should allow to login before reading public key from smart card Product: Portable OpenSSH Version: 6.9p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5

Hi list, I have no idea if Damien Miller had the time to work on that. I have an initial patch to authenticate using PKCS#11 and ECDSA keys. This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the required interfaces to override the signature function pointer for ECDSA. The only limitation is that the OpenSSL API misses some cleanup function (finish, for instance), hence I have yet

Hi, OpenSSH 6.7 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a big release containing a number of features, a lot of internal refactoring and some potentially-incompatible changes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: