Displaying 9 results from an estimated 9 matches for "ckf_protected_authentication_path".
2015 Mar 17
2
[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path
...llows for SSH to make use of this; against head/master as of today.
Dw.
commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
Author: Dirk-Willem van Gulik <dirkx at webweaving.org>
Date: Tue Mar 17 13:41:31 2015 +0100
Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c3a112f..b053332 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
si = &k11->provider->slotinfo[k11->slotidx];
if ((si->token.flags &...
2014 May 06
0
Supporting smartcard readers with PIN entry keypads
...@ -256,21 +256,29 @@
si = &k11->provider->slotinfo[k11->slotidx];
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
if (!pkcs11_interactive) {
- error("need pin");
+ error("need pin entry%s",
+ (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
return (-1);
}
- snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
- si->token.label);
- pin = read_passphrase(prompt, RP_ALLOW_EOF);
- if (pin == NULL)
- return (-1); /* bail out */
- if ((rv = f->C_...
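Review bot: the !pkcs11_interactive branch still returns -1 for a token that sets CKF_PROTECTED_AUTHENTICATION_PATH, although the new message itself says the PIN is entered on the reader keypad and so no terminal prompt is needed. Either let the keypad case fall through to the login call, or add a comment explaining why non-interactive use is refused even when the PIN never passes through the process.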
2014 May 12
0
[patch] Supporting smartcard readers with PIN entry keypads (updated against -HEAD)
...-255,21 +255,29 @@
si = &k11->provider->slotinfo[k11->slotidx];
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
if (!pkcs11_interactive) {
- error("need pin");
+ error("need pin entry%s",
+ (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
return (-1);
}
+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+ verbose("Deferring PIN entry to keypad of chipcard reader.");
+ pin = NULL;
+ } else {
snprintf(prompt, sizeof(prompt), "Enter PI...
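Review bot: in the new CKF_PROTECTED_AUTHENTICATION_PATH branch the only cue is verbose("Deferring PIN entry to keypad of chipcard reader."), which is not shown at the default log level, so the user sees no prompt while the reader waits for input. Print a user-visible notice there instead. Since this branch also sets pin = NULL, the code after the else (cut off in this excerpt) has to tolerate a NULL pin wherever it takes its length or frees it.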
2023 Nov 19
2
[Bug 3635] New: ssh-add -s always asks for PKCS#11 PIN
...is behavior, the following was found.
There seem to be two ways for a PKCS#11 token to signalize that no PIN
is required through the PKCS#11 library.
1. By not setting the CKF_LOGIN_REQUIRED flag, which indicates that no
login must be performed and therefore no pin is necessary.
2. By setting the CKF_PROTECTED_AUTHENTICATION_PATH flag which
indicates that the PIN is provided outside of the PKCS#11 library.
See the PKCS#11 3.0 standard for the details [1].
Looking into the code of ssh-add, it was found that with the -s
argument, it asks for a PIN regardless of the PKCS#11 flags.
In [2] it just checks if the add flag is set,...
2013 Dec 16
0
[PATCH] allow entering smartcard pin via pinpad
The CKF_PROTECTED_AUTHENTICATION_PATH flag (as returned by
C_GetTokenInfo) should be used to decide whether to request the PIN via
terminal or let the reader fetch the pin from pinpad.
https://bugzilla.mindrot.org/show_bug.cgi?id=2185
The patch is attached to the bug report.
2016 Jul 25
3
ssh-pkcs11.c
Hi Alon,
I confirmed with pkcs11-tool (from OpenSC) and I can confirm that
pressing return when asked for the pin causes the login to stop (and
not to try an empty pin).
Can you confirm if an empty pin is actually a valid pin, and if not,
can the patch be accepted?
Once again, the problem is that from a user experience, *some/most*
users would expect they can skip pkcs11 token authentication just
2013 Dec 16
15
[Bug 2185] New: Allow entering the PIN via reader pinpad
...rity: enhancement
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: dominik at heidler.eu
Created attachment 2389
--> https://bugzilla.mindrot.org/attachment.cgi?id=2389&action=edit
openssh pinpad support patch
The CKF_PROTECTED_AUTHENTICATION_PATH flag (as returned by
C_GetTokenInfo) should be used to decide whether to request the PIN via
terminal or let the reader fetch the pin from pinpad.
2014 Aug 18
15
Call for testing: OpenSSH 6.7
Hi,
OpenSSH 6.7 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a big release
containing a number of features, a lot of internal refactoring and some
potentially-incompatible changes.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
2016 Dec 24
30
[Bug 2652] New: PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652
Bug ID: 2652
Summary: PKCS11 login skipped if login required and no pin set
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Smartcard
Assignee: