Hi,
It seems there is a bug with the pkcs11 feature where a zero-length
PIN is accepted. I believe this is a bug, since the user might want to
press return when asked for the PIN to ignore that slot/key.
This is caused at pkcs11_rsa_private_encrypt:
snprintf(prompt, sizeof(prompt),
"Enter PIN for '%s': ", si->token.label);
pin = read_passphrase(prompt, RP_ALLOW_EOF);
if (pin == NULL)
return (-1); /* bail out */
Actually a zero-length PIN will not cause a NULL to be returned, so it
will still try to authenticate and fail the PIN login!
Also, I think it would be great to support the CKF_* flags to provide
some feedback to the user regarding PIN tries left remaining,
something like this:
if (info.flags & CKF_USER_PIN_COUNT_LOW)
printf("WARNING: User PIN count low\n");
else if (info.flags & CKF_USER_PIN_FINAL_TRY)
printf("WARNING: User PIN final try\n");
else if (info.flags & CKF_USER_PIN_LOCKED) /* Maybe we should bail out
here, or just try to continue? */
printf("WARNING: User PIN reported locked\n");
Thanks,
Nuno
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
