Bug 3130 - [PATCH] Readable return codes for pkcs11 identities
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.2p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Blocks: V_8_3
Reported: 2020-03-06 04:46 AEDT by Jacob Hoffman-Andrews
Modified: 2021-04-23 15:01 AEST

Attachments
Patch to provide readable return codes for pkcs11 identities (1.27 KB, patch)
2020-03-06 04:46 AEDT, Jacob Hoffman-Andrews

Description Jacob Hoffman-Andrews 2020-03-06 04:46:20 AEDT
Created attachment 3360
Patch to provide readable return codes for pkcs11 identities

Right now, if I typo my PIN for a PKCS#11 token, I get the inscrutable message:

$ ssh -I /path/to/module user@example.com
Enter PIN for 'SSH key':
C_Login failed: 160

I'd prefer to receive a more useful message:

Login to PKCS#11 token failed: Incorrect PIN

I've attached a patch that adds specific handling for three common
error cases: Incorrect PIN, PIN too long or too short, and PIN locked.
I've also tweaked the fallback error case to indicate that it is a
PKCS#11-specific error. Hope this is useful!
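
Added illustration (not the attached patch and not OpenSSH's code): decoding an old-style "C_Login failed: <n>" line into the readable form requested above, useful when triaging output from clients older than 8.3. The helper names login_rv_text and explain_login_line are hypothetical; the CKR_* values are those of the PKCS#11 specification, and all message wording other than "Login to PKCS#11 token failed: Incorrect PIN" is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CK_RV values from the PKCS#11 specification (pkcs11t.h). */
#define CKR_PIN_INCORRECT 0x000000A0UL /* 160, the code in the report */
#define CKR_PIN_LEN_RANGE 0x000000A2UL /* 162 */
#define CKR_PIN_LOCKED    0x000000A4UL /* 164 */

/* Hypothetical helper: text for the three PIN cases, NULL otherwise. */
static const char *login_rv_text(unsigned long rv)
{
	switch (rv) {
	case CKR_PIN_INCORRECT: return "Incorrect PIN";
	case CKR_PIN_LEN_RANGE: return "PIN too long or too short";
	case CKR_PIN_LOCKED:    return "PIN locked";
	default:                return NULL;
	}
}

/* Hypothetical helper: 0 and a readable line in out, or -1 if not that message. */
static int explain_login_line(const char *line, char *out, size_t outlen)
{
	static const char prefix[] = "C_Login failed: ";
	const char *num, *text;
	char *end;
	unsigned long rv;

	if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
		return -1;
	num = line + sizeof(prefix) - 1;
	if (*num < '0' || *num > '9')
		return -1; /* empty, signed or non-numeric code */
	rv = strtoul(num, &end, 10);
	if (*end != '\0' && *end != '\n')
		return -1; /* trailing garbage after the number */
	if ((text = login_rv_text(rv)) != NULL)
		snprintf(out, outlen, "Login to PKCS#11 token failed: %s", text);
	else /* fallback still says the error is PKCS#11-specific */
		snprintf(out, outlen, "PKCS#11 login failed: error %lu", rv);
	return 0;
}

int main(void)
{
	char buf[128]; /* the sample line below is the one shown in the report */
	if (explain_login_line("C_Login failed: 160\n", buf, sizeof(buf)) == 0)
		puts(buf);
	return 0;
}
```

A code of 164 (PIN locked) in collected output means further PIN attempts will not succeed until the token is unblocked, so it is worth alerting on separately from 160.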
Comment 1 Damien Miller 2020-03-13 15:16:33 AEDT
Thanks - I've committed a slightly tweaked version of your patch. It will be in OpenSSH 8.3.
Comment 2 Damien Miller 2021-04-23 15:01:26 AEST
closing resolved bugs as of 8.6p1 release