Bug 2429

Summary: ssh-keygen ignores keys that have CKA_ID == 0
Product: Portable OpenSSH Reporter: Jakub Jelen <jjelen>
Component: SmartcardAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm
Priority: P5    
Version: 6.9p1   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2403    
Attachments:
Description Flags
Do not require to return ID from token none

Description Jakub Jelen 2015-07-16 00:29:24 AEST 
Created attachment 2670 [details]
Do not require to return ID from token

Based on our investigation of Smart Cart usability with openSSH we found several minor problems that were filled in our red hat bugzilla [1]. The another is problem again with softHSM. It is returning empty ID, which is not handled by keygen correctly.

The length check was added based on the bug #1773. It is fine to skip certificates that have empty values. But requiring non-empty ID is not preferred way because:
 * the ID is not used anywhere in ssh-keygen
 * some tokens do not provide ID

The example is again softHSM2 token, which returns ID length of zero and in current ssh-keygen is silently ignored.
This token has also the need to login, before even public key can be accessed (not rare example), but it will be described in other report, since it will require more changes.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1241873
Comment 1 Damien Miller 2015-07-17 11:59:39 AEST 
FWIW PKCS#11 does allow CKA_ID to be empty, so we should support this
Comment 2 Damien Miller 2015-07-18 18:02:57 AEST 
applied - thanks!
Comment 3 Damien Miller 2016-08-02 10:40:46 AEST 
Close all resolved bugs after 7.3p1 release