Bugzilla – Attachment 3327 Details for Bug 3006: ssh and ssh-keygen always ask for PIN
[patch] Proposed patch
file_3006.txt (text/plain), 2.64 KB, created by Jakub Jelen on 2019-09-11 22:21:17 AEST
>commit 6f2f4aa083e128c8c645a1bc3c5142dce86229a3 >Author: Jakub Jelen <jjelen@redhat.com> >Date: Fri May 10 14:11:29 2019 +0200 > > ssh-pkcs11: Allow listing public objects without login > > Previously, the commits 7a7fdca and 41923ce introduced forced > login for adding every pkcs11 provider, which is invinient at least > in the following use cases: > > * ssh-keygen listing public keys > * using pkcs11provider from configuration file without knowing > whether the server will accept our public key test > > In both of these cases, ssh should try to read publicly readable > objects in PKCS#11 and retry if nothing was returned (already handled > by 7d6034b). > > Resolves: #3006 > >diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c >index d4053ea8..9366c267 100644 >--- a/ssh-pkcs11.c >+++ b/ssh-pkcs11.c >@@ -633,17 +633,15 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin, > CK_FUNCTION_LIST *f; > CK_RV rv; > CK_SESSION_HANDLE session; >- int login_required, have_pinpad, ret; >- char prompt[1024], *xpin = NULL; >+ int login_required, ret; > > f = p->function_list; > si = &p->slotinfo[slotidx]; > >- have_pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH; > login_required = si->token.flags & CKF_LOGIN_REQUIRED; > > /* fail early before opening session */ >- if (login_required && !have_pinpad && !pkcs11_interactive && >+ if (login_required && !pkcs11_interactive && > (pin == NULL || strlen(pin) == 0)) { > error("pin required"); > return (-SSH_PKCS11_ERR_PIN_REQUIRED); 
>@@ -653,27 +651,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin, > error("C_OpenSession failed: %lu", rv); > return (-1); > } >- if (login_required) { >- if (have_pinpad && (pin == NULL || strlen(pin) == 0)) { >- /* defer PIN entry to the reader keypad */ >- rv = f->C_Login(session, CKU_USER, NULL_PTR, 0); >- } else { >- if (pkcs11_interactive) { >- snprintf(prompt, sizeof(prompt), >- "Enter PIN for '%s': ", si->token.label); >- if ((xpin = read_passphrase(prompt, >- RP_ALLOW_EOF)) == NULL) { >- debug("%s: no pin specified", >- __func__); >- return (-SSH_PKCS11_ERR_PIN_REQUIRED); >- } >- pin = xpin; >- } >- rv = f->C_Login(session, CKU_USER, >- (u_char *)pin, strlen(pin)); >- if (xpin != NULL) >- freezero(xpin, strlen(xpin)); >- } >+ if (login_required && pin != NULL && strlen(pin) != 0) { >+ rv = f->C_Login(session, user, (u_char *)pin, strlen(pin)); > if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { > error("C_Login failed: %lu", rv); > ret = (rv == CKR_PIN_LOCKED) ?
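Review bot: In the first hunk (@@ -633,17 +633,15), the early-fail check drops "!have_pinpad", so a token that sets CKF_PROTECTED_AUTHENTICATION_PATH now returns -SSH_PKCS11_ERR_PIN_REQUIRED when pkcs11_interactive is unset and the pin is empty, where it previously continued past this check. The same check still rejects a login_required token before C_OpenSession in that non-interactive, no-pin case, which appears to conflict with the commit message's goal of reading public objects without login. Consider keeping the have_pinpad exemption or relaxing the check, and add a comment saying which callers are expected to reach this error.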
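Review bot: In the second hunk (@@ -653,27 +651,8), the new condition "login_required && pin != NULL && strlen(pin) != 0" removes the only C_Login(session, CKU_USER, NULL_PTR, 0) call, so a reader with a protected authentication path never logs in from this function when the pin is empty; keep a have_pinpad branch or state where that login is expected to happen now. The added call also passes "user" where the removed lines passed CKU_USER, and "user" is not declared in the visible context (the signature in the hunk header is cut off after "char *pin,"), so confirm it is a parameter in the tree this applies to. A short comment noting that an empty pin deliberately leaves the session unauthenticated for listing public objects would make the intent clear at the call site.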