Bug 3130

Summary: [PATCH] Readable return codes for pkcs11 identities
Product: Portable OpenSSH
Reporter: Jacob Hoffman-Andrews <mindrot>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: djm
Priority: P5
Version: 8.2p1
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 3117
Attachments:
Description: Patch to provide readable return codes for pkcs11 identities
Flags: none

Description Jacob Hoffman-Andrews 2020-03-06 04:46:20 AEDT
Created attachment 3360
Patch to provide readable return codes for pkcs11 identities

Right now, if I typo my PIN for a PKCS#11 token, I get the inscrutable message:

$ ssh -I /path/to/module user@example.com
Enter PIN for 'SSH key':
C_Login failed: 160

I'd prefer to receive a more useful message:

Login to PKCS#11 token failed: Incorrect PIN

I've attached a patch that adds specific handling for three common
error cases: Incorrect PIN, PIN too long or too short, and PIN locked.
I've also tweaked the fallback error case to indicate that it is a
PKCS#11-specific error. Hope this is useful!

Comment 1 Damien Miller 2020-03-13 15:16:33 AEDT
Thanks - I've committed a slightly tweaked version of your patch. It will be in OpenSSH 8.3.

Comment 2 Damien Miller 2021-04-23 15:01:26 AEST
closing resolved bugs as of 8.6p1 release