https://bugzilla.mindrot.org/show_bug.cgi?id=3006
--- Comment #2 from Jakub Jelen <[email protected]> ---
(In reply to Damien Miller from comment #1)
> So I don't understand what is going wrong here - all the login cases
> I can see occur either inside blocks that test CKF_LOGIN_REQUIRED or
> are in the signature path.
>
> Is CKF_LOGIN_REQUIRED not a sufficient indicator?

This flag is the source of confusion. It does not say the login is required for all actions, but for *some* cryptographic functions [1]:

> True if there are some cryptographic functions that a user MUST be logged in
> to perform

For most of the cards, the login is not needed for listing public keys and certificates (for example from ssh-keygen or from pubkey authentication tries without signature).

> Also, wouldn't reverting the patches mentioned in your email undo
> the changes to support readers with integral pinpads?

No, the support for readers with pinpad is in pkcs11_login() (or in pkcs11_login_slot() after the patch from bug #2430), which either defers the login to the pinpad or asks the user for the pin. The pkcs11_open_session() should really keep its semantics as described in the comment above it -- if the pin is null, no login should be performed.

The issue in bug #2652 was the same issue as in bug #2430 -- the public objects are not visible without login, as shown in the following comment (the -l switch in pkcs11-tool is a request to login), regardless of the pinpad:

https://bugzilla.mindrot.org/show_bug.cgi?id=2652#c11

I hope it is more clear. If not, please ask further.

[1] http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959687
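
An added example, not part of the original message and not OpenSSH code: a small C model of the semantics discussed above, where opening a session with a NULL pin never logs in, listing sees only what the token exposes before login, and login happens in the signature path. The `model_*` names, the struct and both sample tokens are constructed for illustration; only the two flag values come from the PKCS#11 v2.40 headers.

```c
#include <stddef.h>
#include <stdio.h>

/* CK_TOKEN_INFO flag values from the PKCS#11 v2.40 headers. */
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Constructed token model, not a real PKCS#11 binding. */
struct model_token {
    unsigned long flags;
    int n_public;   /* objects listed without login */
    int n_private;  /* objects listed only after login (CKA_PRIVATE) */
    int logged_in;
};

/* Open a session; a NULL pin means "do not log in", whatever the flags say. */
static void model_open_session(struct model_token *t, const char *pin)
{
    t->logged_in = (pin != NULL && (t->flags & CKF_LOGIN_REQUIRED)) ? 1 : 0;
}

/* Number of objects a key listing sees in the current session state. */
static int model_list(const struct model_token *t)
{
    return t->n_public + (t->logged_in ? t->n_private : 0);
}

/* Signature path: login is deferred to here. 0 = signed, -1 = no credential. */
static int model_sign(struct model_token *t, const char *pin)
{
    if ((t->flags & CKF_LOGIN_REQUIRED) && !t->logged_in) {
        int pinpad = (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
        if (pin == NULL && !pinpad)
            return -1;      /* nothing to log in with */
        t->logged_in = 1;   /* PIN typed by the user or entered on the pinpad */
    }
    return 0;
}

/* Constructed samples: a typical card, and one that hides everything before login. */
static struct model_token typical = { CKF_LOGIN_REQUIRED, 2, 1, 0 };
static struct model_token hidden = {
    CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH, 0, 3, 0 };

int main(void)
{
    model_open_session(&typical, NULL);
    printf("typical, no login: %d objects\n", model_list(&typical));
    model_open_session(&hidden, NULL);
    printf("hidden, no login: %d objects\n", model_list(&hidden));
    int rc = model_sign(&hidden, NULL);
    printf("hidden, pinpad sign rc=%d, now %d objects\n", rc, model_list(&hidden));
    return 0;
}
```

Both sample tokens set CKF_LOGIN_REQUIRED, yet only the second returns an empty listing before login, which is why the flag alone cannot decide whether listing needs a login.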
