[Bug 2652] PKCS11 login skipped if login required and no pin set

2021-10-13 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Ahmed Sayeed  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ahmedsayeed1...@yahoo.com

--- Comment #26 from Ahmed Sayeed  ---
If you create a new TUI layout, don't include the status window, and
then change from a layout with the status window to the new one, gdb
crashes.

(gdb) layout src
(gdb) tui new-layout test src 2 cmd 1
(gdb) layout test

On Windows I get a STATUS_HEAP_CORRUPTION exception (0xc374).
It happens because tui_apply_current_layout() deletes all windows that
are no longer needed, but the status (locator) window is never
allocated dynamically.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2652] PKCS11 login skipped if login required and no pin set

2019-05-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Damien Miller  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #25 from Damien Miller  ---
Move resolved bugs -> CLOSED after 8.0 release



[Bug 2652] PKCS11 login skipped if login required and no pin set

2019-01-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Damien Miller  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #24 from Damien Miller  ---
This has been committed and will be in OpenSSH 8.0



[Bug 2652] PKCS11 login skipped if login required and no pin set

2019-01-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #23 from Daniel Kucera  ---
Looks OK to me too.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2019-01-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #22 from Jakub Jelen  ---
The new patch looks good to me.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2019-01-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Damien Miller  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release


[Bug 2652] PKCS11 login skipped if login required and no pin set

2019-01-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Damien Miller  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3032|0                           |1
        is obsolete|                            |
   Attachment #3124|0                           |1
        is obsolete|                            |
   Attachment #3125|0                           |1
        is obsolete|                            |
           Assignee|unassigned-b...@mindrot.org |d...@mindrot.org

--- Comment #21 from Damien Miller  ---
Created attachment 3226
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3226&action=edit
update patch to post-ECDSA PKCS#11 key merge

This updates the patch after the PKCS#11 ECDSA code has landed. Note
that this patch is now atop the one on bug 2638



[Bug 2652] PKCS11 login skipped if login required and no pin set

2019-01-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Damien Miller  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |pkcs11



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #20 from Daniel Kucera  ---
(In reply to Jakub Jelen from comment #19)
> Maybe it still needs some care. I don't have a slovak EiD so I can
> not verify this use case.
> 
> Anyway, can you try the patch attached in the bug #2430? It should
> allow you to use the keys from ssh client and ssh-keygen by trying
> to login if there were no public keys visible before.

Yes, that patch works fine. First time it asks for pin using software
keypad reader, next times it works without asking.

Used command:

./ssh -I /usr/lib/eidklient/libpkcs11_sig_x64.so server



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #19 from Jakub Jelen  ---
Maybe it still needs some care. I don't have a slovak EiD so I can not
verify this use case.

Anyway, can you try the patch attached in the bug #2430? It should
allow you to use the keys from ssh client and ssh-keygen by trying to
login if there were no public keys visible before.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #18 from Daniel Kucera  ---
(In reply to Jakub Jelen from comment #17)
> Sorry, I forgot about the pinpad. For the reader virtual keypad, you
> need to use the patch that I attached to the comment #6 (applied to
> ssh-agent and ssh-pkcs11-provider, which complicates installation).
> 
> It should be still prompting for the pin, but if you just press
> enter, you should get past that and should allow to read the keys,
> if I see right.
> 
> Unfortunately, the ssh-add does not know if there is pinpad at that
> moment so it can not skip this prompt, but needs to send empty
> string in this case.

After applying patch:

it doesn't work with empty string pin:

$ ./ssh-add -s /usr/lib/eidklient/libpkcs11_sig_x64.so
Enter passphrase for PKCS#11: 
Could not add card "/usr/lib/eidklient/libpkcs11_sig_x64.so": agent
refused operation

but it does with correct card pin:

$ ./ssh-add -s /usr/lib/eidklient/libpkcs11_sig_x64.so
Enter passphrase for PKCS#11: 
Card added: /usr/lib/eidklient/libpkcs11_sig_x64.so

$ ./ssh-add -L
ssh-rsa B3... /usr/lib/eidklient/libpkcs11_sig_x64.so
ssh-rsa B3... /usr/lib/eidklient/libpkcs11_sig_x64.so
ssh-rsa B3... /usr/lib/eidklient/libpkcs11_sig_x64.so



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #17 from Jakub Jelen  ---
Sorry, I forgot about the pinpad. For the reader virtual keypad, you
need to use the patch that I attached to the comment #6 (applied to
ssh-agent and ssh-pkcs11-provider, which complicates installation).

It should be still prompting for the pin, but if you just press enter,
you should get past that and should allow to read the keys, if I see
right.

Unfortunately, the ssh-add does not know if there is pinpad at that
moment so it can not skip this prompt, but needs to send empty string
in this case.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Jakub Jelen  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3124|1                           |0
        is obsolete|                            |



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #16 from Daniel Kucera  ---
(In reply to Jakub Jelen from comment #15)
> One more thing. Will a *ssh-agent* work for you with stock OpenSSH?
> To my understanding, it already does a login before listing the
> keys, so a workaround could be using the keys from ssh-agent:
> 
>   eval `ssh-agent`
>   ssh-add -s /usr/lib/eidklient/libpkcs11_sig_x64.so
>   ssh u...@moj.server.sk

$ ssh-add -s /usr/lib/eidklient/libpkcs11_sig_x64.so
Enter passphrase for PKCS#11: 
Could not add card "/usr/lib/eidklient/libpkcs11_sig_x64.so": agent
refused operation

What kind of passphrase does it ask for? I tried card pin but without
success.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-26 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #15 from Jakub Jelen  ---
One more thing. Will a *ssh-agent* work for you with stock OpenSSH? To
my understanding, it already does a login before listing the keys, so a
workaround could be using the keys from ssh-agent:

  eval `ssh-agent`
  ssh-add -s /usr/lib/eidklient/libpkcs11_sig_x64.so
  ssh u...@moj.server.sk



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-23 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #14 from Jakub Jelen  ---
(In reply to Daniel Kucera from comment #13)
> (In reply to Jakub Jelen from comment #12)
> > Prompting for the PIN for public key operations is nothing we would
> > like to do automatically, so there really should be some switch to
> > do the login before listing the keys or the login should be proposed
> > explicitly by for example a PIN in PKCS#11 URI.
> 
> I see two reasonable options here: either to check return of all
> functions for CKR_USER_NOT_LOGGED_IN return code and retry them
> after login

If you do not see any objects on the card before login, you will not
get any such error so this will not resolve your problem in any way.

> or login always when CKF_LOGIN_REQUIRED is set.

That is not sane default behavior. With most of the cards, certificates
and public keys are visible without login. For the few others, there
should be configuration option to handle this case as I initially
proposed in the referenced bug.

> Moreover, not every time when you call login with NULL pin you are
> required to put it in. In my case the library ask for it only time
> to time (you can see my usecase here:
> https://blog.danman.eu/ssh-autentifikacia-s-eid-obcianskym-preukazom-pod-linuxom/
> ) probably because it keeps the session with card open.

From the log, it looks like CardOS V5.0 card, which should work also
with the latest OpenSC.

The PKCS#11 module you are using is probably somehow holding the login
state of your card and presents you its own PIN pad in GUI. That is
certainly not a standard behavior of PKCS#11 modules nor cards.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-23 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #13 from Daniel Kucera  ---
(In reply to Jakub Jelen from comment #12)
> 
> Prompting for the PIN for public key operations is nothing we would
> like to do automatically, so there really should be some switch to
> do the login before listing the keys or the login should be proposed
> explicitly by for example a PIN in PKCS#11 URI.

I see two reasonable options here: either to check return of all
functions for CKR_USER_NOT_LOGGED_IN return code and retry them after
login or login always when CKF_LOGIN_REQUIRED is set. 

Moreover, not every time when you call login with NULL pin you are
required to put it in. In my case the library ask for it only time to
time (you can see my usecase here:
https://blog.danman.eu/ssh-autentifikacia-s-eid-obcianskym-preukazom-pod-linuxom/
) probably because it keeps the session with card open.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #11 from Daniel Kucera  ---
(In reply to Jakub Jelen from comment #10)
> Thank you for testing the patch. But your changes again change the
> semantics and issue the pinpad login even if the PIN is NULL, which
> is not what you generally want.

But if CKF_LOGIN_REQUIRED is set why would one want to skip login?

> 
> Or is your card requiring the login also for the listing of public
> keys? What do you get if you try to list the public objects from
> pkcs11-tool?
> 
> pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so

My card requires login for absolutely everything

$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -O
Using slot 0 with a present token (0x1)
$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l
-O
Using slot 0 with a present token (0x1)
Private Key Object; RSA 
  label:  571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID: ...
  Usage:  decrypt, sign
  Access: always authenticate
Certificate Object; type = X.509 cert
  label:  571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID: ...



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #10 from Jakub Jelen  ---
Thank you for testing the patch. But your changes again change the
semantics and issue the pinpad login even if the PIN is NULL, which is
not what you generally want.

Or is your card requiring the login also for the listing of public
keys? What do you get if you try to list the public objects from
pkcs11-tool?

pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #9 from Daniel Kucera  ---
This one I uploaded (patch_v2) works.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Daniel Kucera  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3124|0                           |1
        is obsolete|                            |

--- Comment #8 from Daniel Kucera  ---
Created attachment 3125
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3125&action=edit
patch_v2



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #7 from Daniel Kucera  ---
Ahoj Jakub,

I tried it but it doesn't work:

$ ./ssh-keygen -D /usr/lib/eidklient/libpkcs11_sig_x64.so -e
cannot read public key from pkcs11
$



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Jakub Jelen  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jje...@redhat.com

--- Comment #6 from Jakub Jelen  ---
Created attachment 3124
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3124&action=edit
allow deferring the PIN prompt to reader keyboard

Well ... the pkcs11_open_session() is called from pkcs11_add_provider()
and that is called either from ssh, ssh-pkcs11-helper or from
ssh-keygen.

 (1) The ssh and ssh-keygen call this function with NULL pin. The ssh
asks for the PIN later. This is fine.

 (2) The ssh-pkcs11-provider and ssh-keygen (CA signing) call this
function directly with pin as provided by user (can be zero-length
string), and in the second case can be also NULL (preferred way).

Given that, the first condition is certainly not useless. It makes
sense to fail before opening session if we know that we can not provide
a pin. There is possibility that the PIN provided by user (through
ssh-agent protocol) is empty string and in that case, we do not have
any way how to prompt for the PIN later. Theoretically, there is still
a way to ask using askpass, but it is not implemented at this moment.

But the other part is true. The interactive-login already detects the
CKF_PROTECTED_AUTHENTICATION_PATH flag, that is used for logging into
the token from reader keypad.

I believe the same thing should be also supported in the ssh-agent
process, but since the pin prompt is in different process than the
actual connection to PKCS#11 library, the user just needs to submit
empty PIN and it needs to be detected later in ssh-agent, but certainly
not based only on the PIN value, but on the proper flags of the token.

In the case of using reader keypad, the pin should be a NULL_PTR as
recommended by specification [1]. Daniel, can you try the attached
patch (should apply on master), if it solves your problem?

[1]
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
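
Added example (not part of the thread, not OpenSSH's code and not the attached patch): a small C model of the login decision argued for in comment #6, next to the condition that attachment 3032 removes. The enum, decide_login() and old_check_rejects() are hypothetical names; the two CKF_ values are those of the PKCS#11 v2.40 headers, and using a supplied non-empty PIN even on a keypad token is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Token flag values as defined in the PKCS#11 v2.40 headers. */
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Hypothetical outcome names, used only in this example. */
enum login_action {
    LOGIN_SKIP,        /* token does not require login */
    LOGIN_DEFER,       /* NULL PIN: the caller prompts later (ssh, ssh-keygen) */
    LOGIN_WITH_PIN,    /* pass the supplied PIN to C_Login */
    LOGIN_VIA_PINPAD,  /* pass NULL_PTR to C_Login; the reader keypad collects the PIN */
    LOGIN_FAIL_NO_PIN  /* empty PIN, no keypad, nothing to prompt with later */
};

static const char *const action_name[] = {
    "skip", "defer", "with-pin", "via-pinpad", "fail: pin required"
};

/* The condition removed by the hunk: true only for a non-NULL, empty PIN. */
static int old_check_rejects(unsigned long flags, const char *pin)
{
    int login_required = (flags & CKF_LOGIN_REQUIRED) != 0;

    return pin && login_required && !strlen(pin);
}

/* Decision keyed on token flags as well as the PIN value (comment #6). */
static enum login_action decide_login(unsigned long flags, const char *pin)
{
    if (!(flags & CKF_LOGIN_REQUIRED))
        return LOGIN_SKIP;
    if (pin == NULL)
        return LOGIN_DEFER;
    if (pin[0] != '\0')
        return LOGIN_WITH_PIN;   /* assumption: a supplied PIN is always used */
    if (flags & CKF_PROTECTED_AUTHENTICATION_PATH)
        return LOGIN_VIA_PINPAD;
    return LOGIN_FAIL_NO_PIN;
}

int main(void)
{
    /* Constructed inputs: flag combinations crossed with NULL, empty and set PINs. */
    static const struct {
        const char *token;
        unsigned long flags;
        const char *pin;
    } cases[] = {
        { "no login needed", 0, NULL },
        { "login, no keypad", CKF_LOGIN_REQUIRED, NULL },
        { "login, no keypad", CKF_LOGIN_REQUIRED, "" },
        { "login, no keypad", CKF_LOGIN_REQUIRED, "1234" },
        { "login, keypad", CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH, "" },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const char *pin = cases[i].pin;

        printf("%-17s pin=%-7s old check rejects=%d  decision=%s\n",
            cases[i].token,
            pin == NULL ? "NULL" : (*pin ? "set" : "empty"),
            old_check_rejects(cases[i].flags, pin),
            action_name[decide_login(cases[i].flags, pin)]);
    }
    return 0;
}
```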


[Bug 2652] PKCS11 login skipped if login required and no pin set

2017-10-03 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #5 from Daniel Kucera  ---
(In reply to Damien Miller from comment #2)
> Comment on attachment 3032 [details]
> patch
> 
> >diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
> >index d1f750db0..938535638 100644
> >--- a/ssh-pkcs11.c
> >+++ b/ssh-pkcs11.c
> >@@ -366,19 +366,16 @@ pkcs11_open_session(struct pkcs11_provider *p, 
> >CK_ULONG slotidx, char *pin)
> > 
> > f = p->function_list;
> > login_required = p->slotinfo[slotidx].token.flags & CKF_LOGIN_REQUIRED;
> >-if (pin && login_required && !strlen(pin)) {
> >-error("pin required");
> >-return (-1);
> >-}
> >+
> 
> I'm not sure I understand why this section is removed - could you
> explain it?

Oh, I remember now: It's because if pin is not set (is null),
login_required is not evaluated so no error is returned so this check
is useless. 

And we don't even need to return error here, login can be performed by
external library after calling C_Login with pin set to zero.

CKF_LOGIN_REQUIRED only means C_Login has to be called, not that the
pin has to be set.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2017-08-10 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #4 from Daniel Kucera  ---
(In reply to Daniel Kucera from comment #3)
> Because in my case, the pkcs library says it requires login but if
> you don't pass it as argument to C_Login, it will ask for it. Thus
> we should not exit with error here.

* if you don't pass PIN as argument.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2017-08-10 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #3 from Daniel Kucera  ---
(In reply to Damien Miller from comment #2)
> Comment on attachment 3032 [details]
> patch
> 
> >diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
> >index d1f750db0..938535638 100644
> >--- a/ssh-pkcs11.c
> >+++ b/ssh-pkcs11.c
> >@@ -366,19 +366,16 @@ pkcs11_open_session(struct pkcs11_provider *p, 
> >CK_ULONG slotidx, char *pin)
> > 
> > f = p->function_list;
> > login_required = p->slotinfo[slotidx].token.flags & CKF_LOGIN_REQUIRED;
> >-if (pin && login_required && !strlen(pin)) {
> >-error("pin required");
> >-return (-1);
> >-}
> >+
> 
> I'm not sure I understand why this section is removed - could you
> explain it?

Because in my case, the pkcs library says it requires login but if you
don't pass it as argument to C_Login, it will ask for it. Thus we
should not exit with error here.



[Bug 2652] PKCS11 login skipped if login required and no pin set

2017-08-10 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #2 from Damien Miller  ---
Comment on attachment 3032
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3032
patch

>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index d1f750db0..938535638 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -366,19 +366,16 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG 
>slotidx, char *pin)
> 
>   f = p->function_list;
>   login_required = p->slotinfo[slotidx].token.flags & CKF_LOGIN_REQUIRED;
>-  if (pin && login_required && !strlen(pin)) {
>-  error("pin required");
>-  return (-1);
>-  }
>+
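
Review bot: Removing the "if (pin && login_required && !strlen(pin))" guard at the top of pkcs11_open_session() leaves no early failure for an empty, non-NULL pin on a token with CKF_LOGIN_REQUIRED set, and nothing in the visible lines replaces it. The removed condition never fired for a NULL pin, so callers passing NULL were already let through; for the zero-length case, either keep an explicit error or add a comment saying why an empty pin may proceed. The only added line is a blank one, and login_required is still assigned just above it, so confirm the variable is still used further down in the function.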

I'm not sure I understand why this section is removed - could you
explain it?



[Bug 2652] PKCS11 login skipped if login required and no pin set

2017-08-10 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

Damien Miller  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d...@mindrot.org

--- Comment #1 from Damien Miller  ---
Created attachment 3032
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3032&action=edit
patch
