Bug 3432 - ssh-add: Skip PKCS11 pin prompt with TEE identity
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-add
Version: 9.0p1
Hardware: Other Linux
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2022-05-14 01:55 AEST by Valerii
Modified: 2022-05-14 01:55 AEST

Description Valerii 2022-05-14 01:55:35 AEST
TEE Identity-based authentication provides functionality to
log in without a pin but using a User or Group identity.
The feature is valuable for embedded devices where there is no
user interaction.

With the TEE Identity authentication, the pin should be empty.

The use case is:
CKTEEC_LOGIN_TYPE=user ssh-add -s /usr/lib/libckteec.so.0

For TEE Identity-based auth, the pin should be provided as an
empty string. But in the current implementation, if a pin
is empty, the message structure will not be populated with
the pin (see sshbuf_put_string). As a result, the error:
"pin required". As a solution, add a new line character.

The details about the TEE Identity-based authentication:
OP-TEE/optee_os#4222

The implementation is in the following pull request:
https://github.com/openssh/openssh-portable/pull/318