Op 18 aug. 2014, om 03:23 heeft Damien Miller <djm@xxxxxxxxxxx> het volgende geschreven: With this fix: > * ssh(1): Fix inverted test that caused PKCS#11 keys that were > explicitly listed in ssh_config or on the commandline not to be > preferred. A fairly broad range of pin-keypad readers as often used in healthcare have sprung to live. Would be nice if you could also apply patch below. The gist of this change is that it will revert PIN entry to the keypad of the reader if such is available/mandatory. Thanks, Dw. * Allow for PIN/password entry on the keypad of the chipcard reader.
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c96be3b..83b5f3a 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,21 +255,27 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 si = &k11->provider->slotinfo[k11->slotidx];
 if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 if (!pkcs11_interactive) {
- error("need pin");
+ error("need pin entry%s",
+ (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
 return (-1);
 }
- snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
- si->token.label);
- pin = read_passphrase(prompt, RP_ALLOW_EOF);
- if (pin == NULL)
- return (-1); /* bail out */
- if ((rv = f->C_Login(si->session, CKU_USER,
- (u_char *)pin, strlen(pin))) != CKR_OK) {
- free(pin);
+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+ verbose("Deferring PIN entry to keypad of chipcard reader.");
+ pin = NULL;
+ } else {
+ snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+ si->token.label);
+ pin = read_passphrase(prompt, RP_ALLOW_EOF);
+ if (pin == NULL)
+ return (-1); /* bail out */
+ };
+ if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0))
+ != CKR_OK) {
+ if (pin) free(pin);
 error("C_Login failed: %lu", rv);
 return (-1);
 }
- free(pin);
+ if (pin) free(pin);
 si->logged_in = 1;
 }
 key_filter[1].pValue = k11->keyid;
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
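Review bot: The new C_Login call drops the `(u_char *)` cast that the removed lines carried, so `pin` (a `char *` from read_passphrase) is now passed where the PKCS#11 header expects `CK_UTF8CHAR_PTR`, which yields a pointer-signedness warning; keep the cast: `if ((rv = f->C_Login(si->session, CKU_USER, (u_char *)pin, pin ? strlen(pin) : 0)) != CKR_OK) {`. The `};` closing the new else block is a stray empty statement and should be a bare `}`. Both `if (pin) free(pin);` guards are redundant since `free(NULL)` is a no-op, and because the buffer holds the PIN on the prompt path it should be cleared before release, e.g. `explicit_bzero(pin, strlen(pin));` ahead of `free(pin);` on both paths (the removed lines did not do this either). pkcs11_rsa_private_encrypt begins and ends outside this hunk.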