Hi,

It seems there is a bug with the pkcs11 feature where a zero-length PIN is accepted. I believe this is a bug, since the user might want to press return when asked for the PIN to ignore that slot/key.

This is caused at pkcs11_rsa_private_encrypt:

    snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", si->token.label);
    pin = read_passphrase(prompt, RP_ALLOW_EOF);
    if (pin == NULL)
        return (-1);    /* bail out */

Actually a zero-length PIN will not cause a NULL to be returned, so it will still try to authenticate and fail the PIN login!

Also, I think it would be great to support the CKF_* flags to provide some feedback to the user regarding PIN tries left remaining, something like this:

    if (info.flags & CKF_USER_PIN_COUNT_LOW)
        printf("WARNING: User PIN count low\n");
    else if (info.flags & CKF_USER_PIN_FINAL_TRY)
        printf("WARNING: User PIN final try\n");
    else if (info.flags & CKF_USER_PIN_LOCKED)
        /* Maybe we should bail out here, or just try to continue? */
        printf("WARNING: User PIN reported locked\n");

Thanks,
Nuno

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
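The two points in the post, an empty PIN that should skip the slot rather than be sent to the token, and CKF_* flags that should be checked before C_Login, as an added stand-alone example (not OpenSSH code): `pin_precheck` is the guard, `fake_token`/`fake_login` are a constructed stand-in for a token and its C_Login so the retry-consuming behaviour can be seen without hardware, and the CKF_ values are copied from the PKCS#11 `pkcs11t.h` header.

```c
#include <stddef.h>
#include <string.h>

/* Flag values copied from pkcs11t.h so this compiles without PKCS#11 headers. */
#define CKF_USER_PIN_COUNT_LOW  0x00010000UL
#define CKF_USER_PIN_FINAL_TRY  0x00020000UL
#define CKF_USER_PIN_LOCKED     0x00040000UL

enum pin_result { PIN_SKIP_SLOT, PIN_REFUSE_LOCKED, PIN_TRY_LOGIN,
                  PIN_LOGIN_OK, PIN_LOGIN_FAILED };

/* Pre-check before C_Login. NULL (EOF) or "" means the user pressed return to
 * skip this slot: attempt nothing, consume no retry. A locked PIN cannot succeed,
 * so bail out. FINAL_TRY is tested before COUNT_LOW since tokens commonly set
 * both on the last attempt. *warn gets the message to print, or NULL. */
enum pin_result pin_precheck(const char *pin, unsigned long flags, const char **warn)
{
	*warn = NULL;
	if (pin == NULL || pin[0] == '\0') return PIN_SKIP_SLOT;
	if (flags & CKF_USER_PIN_LOCKED) {
		*warn = "WARNING: User PIN reported locked";
		return PIN_REFUSE_LOCKED;
	}
	if (flags & CKF_USER_PIN_FINAL_TRY) *warn = "WARNING: User PIN final try";
	else if (flags & CKF_USER_PIN_COUNT_LOW) *warn = "WARNING: User PIN count low";
	return PIN_TRY_LOGIN;
}

/* Constructed stand-in for a token: real PIN, retries left, CK_TOKEN_INFO flags. */
struct fake_token { const char *pin; int tries_left; unsigned long flags; };

/* Simulated C_Login: any wrong PIN, "" included, burns a retry and updates the
 * flags the way a typical token does. This is what the unguarded path hits. */
int fake_login(struct fake_token *t, const char *pin)
{
	if (t->flags & CKF_USER_PIN_LOCKED) return 0;
	if (strcmp(t->pin, pin) == 0) { t->flags = 0; return 1; }
	if (--t->tries_left <= 0) t->flags |= CKF_USER_PIN_LOCKED;
	else if (t->tries_left == 1) t->flags |= CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY;
	else t->flags |= CKF_USER_PIN_COUNT_LOW;
	return 0;
}

/* Fixed flow: talk to the token only when the pre-check allows it. */
enum pin_result guarded_login(struct fake_token *t, const char *pin, const char **warn)
{
	enum pin_result r = pin_precheck(pin, t->flags, warn);
	if (r != PIN_TRY_LOGIN) return r;
	return fake_login(t, pin) ? PIN_LOGIN_OK : PIN_LOGIN_FAILED;
}
```

Calling `fake_login` directly with `""` shows the retry counter dropping, which is exactly what the unguarded `read_passphrase` path does on a real token; `guarded_login` with the same input returns `PIN_SKIP_SLOT` and leaves the counter alone.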