Bugzilla – Attachment 3130 Details for
Bug 2430
ssh-keygen should allow to login before reading public key from smart card
[patch]
Try to login, if the first attempt does not return any keys
openssh_private.patch (text/plain), 3.21 KB, created by
Jakub Jelen
on 2018-02-27 03:28:36 AEDT
Description:
Try to login, if the first attempt does not return any keys
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2018-02-27 03:28:36 AEDT
Size:
3.21 KB
patch
obsolete
>commit f6470692700506f78349fcb08ba036ebb310ab8d
>Author: Jakub Jelen <jjelen@redhat.com>
>Date: Mon Feb 26 15:38:48 2018 +0100
>
> Try to login, if there are no keys returned without it
>
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index 3977393c..7eb0bac2 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -216,6 +216,40 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
> return (ret);
> }
>
>+int
>+pkcs11_login(struct pkcs11_provider *p, struct pkcs11_slotinfo *si,
>+ int login_type)
>+{
>+ CK_RV rv;
>+ CK_FUNCTION_LIST *f;
>+ char *pin = NULL, prompt[1024];
>+
>+ f = p->function_list;
>+
>+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>+ verbose("Deferring PIN entry to reader keypad.");
>+ else {
>+ snprintf(prompt, sizeof(prompt),
>+ "Enter PIN for '%s': ", si->token.label);
>+ pin = read_passphrase(prompt, RP_ALLOW_EOF);
>+ if (pin == NULL)
>+ return (-1); /* bail out */
>+ }
>+ rv = f->C_Login(si->session, login_type, (u_char *)pin,
>+ (pin != NULL) ? strlen(pin) : 0);
>+
>+ if (pin != NULL) {
>+ explicit_bzero(pin, strlen(pin));
>+ free(pin);
>+ }
>+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>+ error("C_Login failed: %lu", rv);
>+ return (-1);
>+ }
>+ /* authentication successful */
>+ return (0);
>+}
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
>@@ -237,7 +271,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> {CKA_ID, NULL, 0},
> {CKA_SIGN, NULL, sizeof(true_val) }
> };
>- char *pin = NULL, prompt[1024];
> int rval = -1;
>
> key_filter[0].pValue = &private_key_class;
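Review bot: pkcs11_login() prompts for the PIN and calls C_Login without looking at the token's PIN state, and with the fallback added in pkcs11_add_provider it now runs when keys are listed as well as when signing. A mistyped PIN counts against the token's retry counter, so the function should refuse early when the PIN is already locked, e.g. `if (si->token.flags & CKF_USER_PIN_LOCKED) { error("PIN locked for '%s'", si->token.label); return (-1); }`, and mention `CKF_USER_PIN_COUNT_LOW` / `CKF_USER_PIN_FINAL_TRY` in the prompt when they are set. The flags in `si->token` are presumably the snapshot taken when the slot was enumerated, so they may be stale by signing time. The function is also defined as plain `int` with no prototype added in this patch; `static int` would match the neighbouring `pkcs11_rsa_private_encrypt`, and `login_type` would be better declared as `CK_USER_TYPE`, the type C_Login takes.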
>@@ -260,25 +293,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> " on reader keypad" : "");
> return (-1);
> }
>- if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>- verbose("Deferring PIN entry to reader keypad.");
>- else {
>- snprintf(prompt, sizeof(prompt),
>- "Enter PIN for '%s': ", si->token.label);
>- pin = read_passphrase(prompt, RP_ALLOW_EOF);
>- if (pin == NULL)
>- return (-1); /* bail out */
>- }
>- rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
>- (pin != NULL) ? strlen(pin) : 0);
>- if (pin != NULL) {
>- explicit_bzero(pin, strlen(pin));
>- free(pin);
>- }
>- if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>- error("C_Login failed: %lu", rv);
>+ if (pkcs11_login(k11->provider, si, CKU_USER) < 0)
> return (-1);
>- }
> si->logged_in = 1;
> }
> key_filter[1].pValue = k11->keyid;
>@@ -689,8 +705,15 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
> token->label, token->manufacturerID, token->model,
> token->serialNumber, token->flags);
> /* open session, login with pin and retrieve public keys */
>- if (pkcs11_open_session(p, i, pin) == 0)
>+ if (pkcs11_open_session(p, i, pin) == 0) {
> pkcs11_fetch_keys(p, i, keyp, &nkeys);
>+ /* if we don't get any keys try to prompt for PIN */
>+ if (nkeys == 0 && pin == NULL &&
>+ pkcs11_login(p, &p->slotinfo[i], CKU_USER) == 0) {
>+ pkcs11_fetch_keys(p, i, keyp, &nkeys);
>+ p->slotinfo[i].logged_in = 1;
>+ }
>+ }
> }
> if (nkeys > 0) {
> TAILQ_INSERT_TAIL(&pkcs11_providers, p, next);
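Review bot: The fallback condition `nkeys == 0` in pkcs11_add_provider tests a counter that looks like a running total across slots, since it is passed by pointer to each pkcs11_fetch_keys call and checked once with `if (nkeys > 0)` after the block. If so, once an earlier slot has produced a key, a later token that hides its objects until login never gets the prompt. Recording the count before the first fetch makes the check per slot: `before = nkeys;` ahead of the fetch and `if (nkeys == before && pin == NULL &&` in the condition. The enclosing loop starts outside the hunk, so this should be confirmed against the full function. Separately, a zero-key result cannot tell an empty token from one that needs a login, so every empty token now draws a PIN prompt; testing `token->flags & CKF_LOGIN_REQUIRED` first may narrow that.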
Attachments on
bug 2430
: 3130 |
3133
|
3279