Right now, if I typo my PIN for a PKCS#11 token, I get the inscrutable message:

$ ssh -I /path/to/module user@xxxxxxxxxxx
Enter PIN for 'SSH key':
C_Login failed: 160

I'd prefer to receive a more useful message:

Login to PKCS#11 token failed: Incorrect PIN

I've attached a patch that adds specific handling for three common error cases: Incorrect PIN, PIN too long or too short, and PIN locked. I've also tweaked the fallback error case to indicate that it is a PKCS#11-specific error. Hope this is useful!
From 6e2f53a71e967b1e363c6f7d551ba9ac26314a72 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews <github@xxxxxxxxxxxxxxxxxxx> Date: Wed, 26 Feb 2020 18:13:12 -0800 Subject: [PATCH] Provide more user-friendly output on C_Login errors. This handles CKR_PIN_INCORRECT, CKR_PIN_LEN_RANGE, and CKR_PIN_LOCKED, which are the errors a user is most likely to see. --- ssh-pkcs11.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index a302c79c..f5446c65 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -271,8 +271,20 @@ pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si, (pin != NULL) ? strlen(pin) : 0); if (pin != NULL) freezero(pin, strlen(pin)); + if (rv == CKR_PIN_LEN_RANGE) { + error("Login to PKCS#11 token failed: PIN too long or too short"); + return (-1); + } + if (rv == CKR_PIN_INCORRECT) { + error("Login to PKCS#11 token failed: Incorrect PIN"); + return (-1); + } + if (rv == CKR_PIN_LOCKED) { + error("Login to PKCS#11 token failed: PIN locked"); + return (-1); + } if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { - error("C_Login failed: %lu", rv); + error("Login to PKCS#11 token failed with return code %lu", rv); return (-1); } si->logged_in = 1; -- 2.20.1
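Review bot: the three new `if (rv == ...)` blocks in pkcs11_login_slot repeat the same "Login to PKCS#11 token failed" prefix and the same `return (-1);`, and they sit in front of the existing `rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN` check, so the function now has four exit points for one failure. A single `switch (rv)` that selects a message string (for example `case CKR_PIN_INCORRECT: msg = "Incorrect PIN"; break;`) with a `default` that keeps the numeric `%lu` code, followed by one `error()` and one `return (-1)`, would read more easily and keep the CKR_USER_ALREADY_LOGGED_IN success case visible next to the error cases. The choice to report CKR_PIN_LOCKED separately from CKR_PIN_INCORRECT is worth keeping: a locked token will not accept the correct PIN either, and telling the user that directly stops them from burning further attempts on a retry loop.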
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev