There is at least one patch in bugzilla for this. I haven't looked at it because I'm not very experienced with PKCS#11 and lack the hardware, but you might want to take a look and attach your patch to (one of) the existing bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2185 https://bugzilla.mindrot.org/show_bug.cgi?id=2240 On Tue, 17 Mar 2015, Dirk-Willem van Gulik wrote: > Some smartcard readers have keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary. > > PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today. > > Dw. > > > commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a > Author: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx> > Date: Tue Mar 17 13:41:31 2015 +0100 > > Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH) > > diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c > index c3a112f..b053332 100644 > --- a/ssh-pkcs11.c > +++ b/ssh-pkcs11.c > @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, > si = &k11->provider->slotinfo[k11->slotidx]; > if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { > if (!pkcs11_interactive) { > - error("need pin"); > + error("need pin%s", > + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) > + ? " entry on reader keypad" : ""); > return (-1); > } > - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", > - si->token.label); > - pin = read_passphrase(prompt, RP_ALLOW_EOF); > - if (pin == NULL) > - return (-1); /* bail out */ > + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { > + verbose("Deferring PIN entry to keypad of chipcard reader."); > + pin = NULL; > + } else { > + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", > + si->token.label); > + pin = read_passphrase(prompt, RP_ALLOW_EOF); > + if (pin == NULL) > + return (-1); /* bail out */ > + }; > + > rv = f->C_Login(si->session, CKU_USER, > (u_char *)pin, pin ? strlen(pin) : 0); > if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { > - free(pin); > + if (pin) free(pin); > error("C_Login failed: %lu", rv); > return (-1); > } > - free(pin); > + if (pin) free(pin); > si->logged_in = 1; > } > key_filter[1].pValue = k11->keyid; > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev