Some smartcard readers have keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary. PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today. Dw.
commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
Author: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx>
Date: Tue Mar 17 13:41:31 2015 +0100
Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c3a112f..b053332 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 si = &k11->provider->slotinfo[k11->slotidx];
 if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 if (!pkcs11_interactive) {
- error("need pin");
+ error("need pin%s",
+ (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+ ? " entry on reader keypad" : "");
 return (-1);
 }
- snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
- si->token.label);
- pin = read_passphrase(prompt, RP_ALLOW_EOF);
- if (pin == NULL)
- return (-1); /* bail out */
+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+ verbose("Deferring PIN entry to keypad of chipcard reader.");
+ pin = NULL;
+ } else {
+ snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+ si->token.label);
+ pin = read_passphrase(prompt, RP_ALLOW_EOF);
+ if (pin == NULL)
+ return (-1); /* bail out */
+ };
+
 rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
 pin ? strlen(pin) : 0);
 if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
- free(pin);
+ if (pin) free(pin);
 error("C_Login failed: %lu", rv);
 return (-1);
 }
- free(pin);
+ if (pin) free(pin);
 si->logged_in = 1;
 }
 key_filter[1].pValue = k11->keyid;
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
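Review bot: The two new `if (pin) free(pin);` lines guard a call that is already a no-op on NULL, and neither the failure path nor the success path clears the PIN before releasing it, so the secret stays in freed heap memory; I would write both as `if (pin != NULL) { explicit_bzero(pin, strlen(pin)); free(pin); }`, using the explicit_bzero that OpenSSH's compat layer already provides. The `};` that closes the new else block leaves a stray empty statement, so the semicolon should go. Passing a NULL pPin with ulPinLen 0 to C_Login is, as I read the PKCS#11 spec, the intended way to request keypad entry on a CKF_PROTECTED_AUTHENTICATION_PATH token, so that part is consistent. The enclosing function pkcs11_rsa_private_encrypt starts and ends outside the hunk.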