Bug 1843372
| Summary: | PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Fredrik Axelsson <fredrik.axelsson> | ||||||
| Component: | openssh | Assignee: | Dmitry Belyavskiy <dbelyavs> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Marek Havrila <mhavrila> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | 8.0 | CC: | asosedki, dbelyavs, mhavrila | ||||||
| Target Milestone: | rc | Keywords: | Triaged | ||||||
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | openssh-8.0p1-7.el8 | Doc Type: | No Doc Update | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2021-11-09 19:32:04 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 1694797 [details]
Proposed patch (from Fedora)
Thank you for the bug report and patch. I believe the pin should be set and reset outside of the iteration. It would be even simpler. Can you check if the attached patch works for you, or do you see some other potential problems with this solution?
Note, that there is a simple workaround to specify PKCS#11 URI that matches only one slot. Yes, the patch works and is simpler. I'm aware of the workaround but it still seems a good thing that the pin is not lost during token iteration. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openssh security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4368 |
Created attachment 1694727 [details] Patch to retain user provided pin over token iterations i ssh-pkcs11-helper Description of problem: When adding keys on smart card via pkcs11 to ssh-agent, ssh-pkcs11-helper iterates over tokes. After the first iteration, the user provided PIN is reset and login on subsequent tokens fail. Version-Release number of selected component (if applicable): openssh-clients 8.0p1-4el8_1 How reproducible: Always. Steps to Reproduce: eval $(ssh-agent -P path-to-pkcs11-lib/*) ssh-add -s path-to-pkcs11-lib/libpkcs11.so Actual results: Keys on token that is not the first listed in a slot is not found because the user provided PIN is reset. Expected results: Keys on second and subsequent tokens should be added to ssh-agent. Additional info: The patch openssh-8.0p-pkcs11-uri that is applied to openssh-8.0p implements the function pkcs11_register_provider_by_uri in ssh-pkcs11.c. The loop over tokens resets the pin argument. The attached patch is a proposed fix.