https://bugzilla.mindrot.org/show_bug.cgi?id=2890

--- Comment #9 from Jakub Jelen <[email protected]> ---
(In reply to Damien Miller from comment #8)
> I wonder if it wouldn't be better to cache the PIN in struct
> pkcs11_slotinfo and automatically retry it instead of going back to
> the user via ssh-askpass, which is problematic in the case of
> ssh-agent.

Well ... that would be the other, less secure option. And personally, I
am not sure if I would be comfortable using that, knowing that the PIN
is sitting somewhere in memory unencrypted. Especially when we already
encrypt private keys, the PIN would be very vulnerable.

The other problem might be with some regulations. I probably don't care
enough as I have just a bunch of testing cards and a personal YubiKey,
but in production, when smart-card-backed keys are used for accessing
production servers, it would be something I would like to avoid.

openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs