RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Created attachment 1694727 [details]
Patch to retain user provided pin over token iterations i ssh-pkcs11-helper

Description of problem:

When adding keys on smart card via pkcs11 to ssh-agent, ssh-pkcs11-helper iterates over tokes. After the first iteration, the user provided PIN is reset and login on subsequent tokens fail.

Version-Release number of selected component (if applicable):

openssh-clients 8.0p1-4el8_1

How reproducible:

Always.

Steps to Reproduce:

eval $(ssh-agent -P path-to-pkcs11-lib/*)
ssh-add -s path-to-pkcs11-lib/libpkcs11.so

Actual results:

Keys on token that is not the first listed in a slot is not found because the user provided PIN is reset.

Expected results:

Keys on second and subsequent tokens should be added to ssh-agent.

Additional info:

The patch openssh-8.0p-pkcs11-uri that is applied to openssh-8.0p implements the function pkcs11_register_provider_by_uri in ssh-pkcs11.c. The loop over tokens resets the pin argument. The attached patch is a proposed fix.

Created attachment 1694797 [details]
Proposed patch (from Fedora)

Thank you for the bug report and patch. I believe the pin should be set and reset outside of the iteration. It would be even simpler. Can you check if the attached patch works for you, or do you see some other potential problems with this solution?

Note, that there is a simple workaround to specify PKCS#11 URI that matches only one slot.

Yes, the patch works and is simpler.

I'm aware of the workaround but it still seems a good thing that the pin is not lost during token iteration.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openssh security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4368