Re: Call for testing: OpenSSH 6.7

On 18 Aug 2014, at 03:23, Damien Miller <djm@xxxxxxxxxxx> wrote:

With this fix:

> * ssh(1): Fix inverted test that caused PKCS#11 keys that were
>   explicitly listed in ssh_config or on the commandline not to be
>   preferred.

A fairly broad range of PIN-keypad readers, as often used in healthcare, have sprung to life. It would be nice if you could
also apply the patch below.

The gist of this change is that it will revert PIN entry to the keypad of the reader if such is available/mandatory.

Thanks,

Dw.

* Allow for PIN/password entry on the keypad of the chipcard reader.

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c96be3b..83b5f3a 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,21 +255,27 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 		if (!pkcs11_interactive) {
-			error("need pin");
+			error("need pin entry%s", 
+				(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
 			return (-1);
 		}
-		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
-		    si->token.label);
-		pin = read_passphrase(prompt, RP_ALLOW_EOF);
-		if (pin == NULL)
-			return (-1);	/* bail out */
-		if ((rv = f->C_Login(si->session, CKU_USER,
-		    (u_char *)pin, strlen(pin))) != CKR_OK) {
-			free(pin);
+		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+			verbose("Deferring PIN entry to keypad of chipcard reader.");
+			pin = NULL;
+		} else {
+			snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+			    si->token.label);
+			pin = read_passphrase(prompt, RP_ALLOW_EOF);
+			if (pin == NULL)
+				return (-1);	/* bail out */
+		};
+		if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0)) 
+                        != CKR_OK) {
+                        if (pin) free(pin);
 			error("C_Login failed: %lu", rv);
 			return (-1);
 		}
-		free(pin);
+		if (pin) free(pin);
 		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;
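Review bot: the `!pkcs11_interactive` guard at the top of the block still returns -1 before the new CKF_PROTECTED_AUTHENTICATION_PATH branch is reached, so a reader with its own keypad is refused in non-interactive mode even though nothing needs to be read from the terminal; consider testing the protected-path flag first and only bailing out on `!pkcs11_interactive` when a PIN actually has to be prompted for. Smaller points in the same hunk: `C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0)` drops the `(u_char *)` cast the old call had, which will warn because the PIN argument is an unsigned char pointer; `free(NULL)` is safe, so both `if (pin) free(pin);` lines can stay as plain `free(pin);` on their own line as before; the `};` closing the else block carries a stray semicolon; and the continuation lines of the C_Login call are indented with spaces, with trailing whitespace on the `error("need pin entry%s",` and `C_Login` lines, where the surrounding code uses tabs.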

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev