Patch for pinpad ssh-agent

Hi,
I am using Pinpad with ssh-agent with an Estonian ID card.
For the past decade I have had to patch it in quite strange ways to make it work and be able to forward the agent. I have used up my old and active ID cards. Now it seems almost done, but a small patch is still needed for 8.4 to be able to do: "ssh-add -s /usr/lib64/onepin-opensc-pkcs11.so". It seems that P11 now also does not accept an empty pin on the pinpad, but accepts a NULL pin. Strange what it would do with previous versions.

--- openssh-8.4p1/ssh-pkcs11.c	2021-01-01 21:27:04.603031751 +0200
+++ openssh-8.4p1.padlogin/ssh-pkcs11.c	2021-01-01 21:23:38.501031101 +0200
@@ -804,14 +804,21 @@
 	 CK_RV			rv;
 	 CK_SESSION_HANDLE	session;
 	 int			login_required, ret;
-
+	int			pinpad=0;
+	int 			pinLen=(pin==NULL)?0:strlen(pin);
 	 f = p->module->function_list;
 	 si = &p->module->slotinfo[slotidx];

-	login_required = si->token.flags & CKF_LOGIN_REQUIRED;
+	pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH ;
+	login_required = (si->token.flags & CKF_LOGIN_REQUIRED);

+	if (pinpad && pin !=NULL){
+		error("Pinpad pin set to zero");
+		pin=NULL;
+		pinLen=0;
+	}
 	 /* fail early before opening session */
-	if (login_required && !pkcs11_interactive &&
+	if (login_required && !pkcs11_interactive && !pinpad &&
 	     (pin == NULL || strlen(pin) == 0)) {
 		 error("pin required");
 		 return (-SSH_PKCS11_ERR_PIN_REQUIRED);
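Review bot: the new `error("Pinpad pin set to zero");` in the pinpad branch reports a normal condition at error level and silently discards a PIN the caller passed in; log it with `debug()` instead (for example `debug("token has protected authentication path, ignoring supplied pin")`) so every successful pinpad login does not leave an error in the agent log. Discarding the PIN is itself the right thing to do: for a token with CKF_PROTECTED_AUTHENTICATION_PATH set, PKCS#11 requires C_Login to be called with a NULL pPin and ulPinLen of 0 so the reader prompts on its own keypad, and a one-line comment saying so next to `pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH ;` would make the intent clear to the next reader. Style points in the same hunk: the stray space before `;` on that line, `pin !=NULL`, and the mixed tab run in `int 			pinLen=(pin==NULL)?0:strlen(pin);` do not match the surrounding OpenSSH style (`pin != NULL`, a single tab, spaces around `=` and `?:`), and the blank line removed after the declarations should stay so the declarations remain separated from the first statement `f = p->module->function_list;`.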
@@ -821,8 +828,8 @@
 		 error("C_OpenSession failed for slot %lu: %lu", slotidx, rv);
 		 return (-1);
 	}
-	if (login_required && pin != NULL && strlen(pin) != 0) {
-		rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
+	if (login_required ) {
+		rv = f->C_Login(session, user, (u_char *)pin, pinLen);
 		 if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 			 error("C_Login failed: %lu", rv);
 			 ret = (rv == CKR_PIN_LOCKED) ?
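Review bot: changing the guard to `if (login_required ) {` (note the stray space) makes C_Login run whenever login is required, including the case the early check in the previous hunk deliberately lets through: `pkcs11_interactive` set, no pinpad, and a NULL or empty pin, which interactive mode presumably expects to obtain later. Before this change that case skipped C_Login here; now C_Login is called with a NULL pin and `pinLen` of 0 on a token that has no protected authentication path, which such a token will reject and turn into a login failure. Suggest keeping the old condition and adding the pinpad case alongside it, for example `if (login_required && (pinpad || (pin != NULL && strlen(pin) != 0))) {`, and keep `pinLen` in the C_Login call so the NULL pointer and zero length stay consistent for the pinpad path.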


It would also be interesting to be able to use the signing function remotely via ssh, to sign from home on a server for administrative purposes.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


