[PATCH] Readable return codes for pkcs11 identities

Right now, if I typo my PIN for a PKCS#11 token, I get the inscrutable message:

$ ssh -I /path/to/module user@xxxxxxxxxxx
Enter PIN for 'SSH key':
C_Login failed: 160

I'd prefer to receive a more useful message:

Login to PKCS#11 token failed: Incorrect PIN

I've attached a patch that adds specific handling for three common
error cases: Incorrect PIN, PIN too long or too short, and PIN locked.
I've also tweaked the fallback error case to indicate that it is a
PKCS#11-specific error. Hope this is useful!

From 6e2f53a71e967b1e363c6f7d551ba9ac26314a72 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews <github@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 26 Feb 2020 18:13:12 -0800
Subject: [PATCH] Provide more user-friendly output on C_Login errors.

This handles CKR_PIN_INCORRECT, CKR_PIN_LEN_RANGE, and CKR_PIN_LOCKED,
which are the errors a user is most likely to see.
---
 ssh-pkcs11.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index a302c79c..f5446c65 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -271,8 +271,20 @@ pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si,
 	    (pin != NULL) ? strlen(pin) : 0);
 	if (pin != NULL)
 		freezero(pin, strlen(pin));
+	if (rv == CKR_PIN_LEN_RANGE) {
+		error("Login to PKCS#11 token failed: PIN too long or too short");
+		return (-1);
+	}
+	if (rv == CKR_PIN_INCORRECT) {
+		error("Login to PKCS#11 token failed: Incorrect PIN");
+		return (-1);
+	}
+	if (rv == CKR_PIN_LOCKED) {
+		error("Login to PKCS#11 token failed: PIN locked");
+		return (-1);
+	}
 	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
-		error("C_Login failed: %lu", rv);
+		error("Login to PKCS#11 token failed with return code %lu", rv);
 		return (-1);
 	}
 	si->logged_in = 1;
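Review bot: the three new `if (rv == ...)` blocks plus the existing generic check leave four separate `return (-1)` paths for a single failure; folding the special cases into a `switch (rv)` inside the existing `if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)` block, or a small helper that maps a CK_RV to a message, keeps one exit path and makes adding further codes a one-line change. In the fallback message, `%lu` prints the code in decimal, while CKR_* values are listed in hex in the PKCS#11 specification (the `160` from the report is 0xA0, CKR_PIN_INCORRECT), so `%#lx` would make an unknown code easier to look up; keeping the `C_Login` name somewhere in that message would also tell the user which Cryptoki call failed.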
-- 
2.20.1

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
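A stand-alone C sketch of the kind of mapping the patch introduces, added here as an example and not taken from ssh-pkcs11.c or from the patch itself. Beyond translating the three CKR_* codes into the messages the patch uses, it classifies each C_Login result into an outcome the caller can act on, so that a client stops prompting once the token reports CKR_PIN_LOCKED instead of burning further attempts, and it formats unknown codes in hex. The CKR_* values are the standard PKCS#11 constants (normally taken from pkcs11.h); the outcome enum, the function names and the fake token that locks after three wrong PINs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Standard PKCS#11 (Cryptoki) return values. Real code gets these from
 * pkcs11.h; they are spelled out here so the example builds on its own. */
typedef unsigned long CK_RV;
#define CKR_OK                     0x000UL
#define CKR_PIN_INCORRECT          0x0A0UL
#define CKR_PIN_LEN_RANGE          0x0A2UL
#define CKR_PIN_LOCKED             0x0A4UL
#define CKR_USER_ALREADY_LOGGED_IN 0x100UL

/* Outcome classes for the caller (hypothetical; not part of ssh-pkcs11.c). */
enum login_outcome {
	LOGIN_OK,     /* session is logged in (or already was) */
	LOGIN_RETRY,  /* PIN rejected but the token will accept another try */
	LOGIN_FATAL   /* stop prompting: token locked or unexpected error */
};

/* Map a C_Login return value to an outcome and a human-readable message.
 * Unknown codes are formatted in hex, matching how the PKCS#11 spec lists them. */
enum login_outcome
pkcs11_login_outcome(CK_RV rv, char *msg, size_t msglen)
{
	switch (rv) {
	case CKR_OK:
	case CKR_USER_ALREADY_LOGGED_IN:
		snprintf(msg, msglen, "Login to PKCS#11 token succeeded");
		return LOGIN_OK;
	case CKR_PIN_INCORRECT:
		snprintf(msg, msglen, "Login to PKCS#11 token failed: Incorrect PIN");
		return LOGIN_RETRY;
	case CKR_PIN_LEN_RANGE:
		snprintf(msg, msglen, "Login to PKCS#11 token failed: PIN too long or too short");
		return LOGIN_RETRY;
	case CKR_PIN_LOCKED:
		snprintf(msg, msglen, "Login to PKCS#11 token failed: PIN locked");
		return LOGIN_FATAL;
	default:
		snprintf(msg, msglen, "C_Login failed with return code %#lx", rv);
		return LOGIN_FATAL;
	}
}

/* Constructed stand-in for a token (not a real Cryptoki module): accepts
 * PINs of 4..8 characters, the correct PIN is "1234", and it locks after
 * three consecutive wrong PINs, as many real tokens do. */
struct fake_token {
	int failures;
	int locked;
};

CK_RV
fake_c_login(struct fake_token *t, const char *pin)
{
	size_t n = strlen(pin);

	if (t->locked)
		return CKR_PIN_LOCKED;
	if (n < 4 || n > 8)
		return CKR_PIN_LEN_RANGE;   /* length rejected before the value; no counter hit */
	if (strcmp(pin, "1234") != 0) {
		if (++t->failures >= 3) {
			t->locked = 1;
			return CKR_PIN_LOCKED;  /* the locking attempt reports the lock itself */
		}
		return CKR_PIN_INCORRECT;
	}
	t->failures = 0;
	return CKR_OK;
}

/* Feed PINs to the token in order, as an interactive client would prompt for
 * them, until success or a fatal outcome. Returns the number of attempts made
 * and leaves the last outcome in *final. */
int
login_attempts(struct fake_token *t, const char **pins, int npins,
    enum login_outcome *final)
{
	char msg[128];
	int i;

	*final = LOGIN_FATAL;
	for (i = 0; i < npins; i++) {
		*final = pkcs11_login_outcome(fake_c_login(t, pins[i]), msg, sizeof(msg));
		fprintf(stderr, "%s\n", msg);
		if (*final != LOGIN_RETRY)
			return i + 1;
	}
	return i;
}

int
main(void)
{
	struct fake_token t = { 0, 0 };
	const char *pins[] = { "12", "0000", "1234" };
	enum login_outcome out;
	int n = login_attempts(&t, pins, 3, &out);

	printf("%d attempt(s), outcome %d\n", n, (int)out);
	return out == LOGIN_OK ? 0 : 1;
}
```

The point of the outcome enum is that "incorrect PIN" and "PIN locked" call for different client behaviour: the first can be re-prompted, the second cannot, and a client that cannot tell them apart keeps asking for a PIN that the token will never accept again.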
