FS#62508 - [openssh] OpenSSH and PKCS#11 asking for two PINs when using smartcard login

Attached to Project: Arch Linux
Opened by Nicolas Glassey (Weby) - Tuesday, 30 April 2019, 05:54 GMT
Last edited by Gaetan Bisson (vesath) - Friday, 17 January 2020, 21:21 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Starting with v. 8.0p1.1, I experience weird SmartCard login issues.
All hosts are asking for the smartcard PIN, even those that don't have the smartcard public key installed.

Furthermore, the login prompts for TWO separate PINs (User PIN and User PIN (sig)), where it only asked for one before.

The login still works if I input the first PIN correctly. The second PIN doesn't seem to have any effect: whether I enter it correctly or not, it really only depends on the first PIN being correct.
On a host that doesn't have the smartcard public key installed, entering a wrong PIN doesn't have any other effect than giving me an error message on login, while still allowing me through.

Example screenshots attached.

Additional info:
First version where I noticed it: 8.0p1.1
Last verified working version: 7.9p1-1

Config:
Host *
    PKCS11Provider /usr/lib/opensc-pkcs11.so
    ServerAliveInterval 240
    TCPKeepAlive yes

Steps to reproduce:
- Set up PKCS11Provider with /usr/lib/opensc-pkcs11.so
- Try to log in to any host, with any login, whether they have the corresponding smartcard public key installed or not

   ssh1.png (143.8 KiB)
   ssh2.png (102 KiB)

Closed by  Gaetan Bisson (vesath)
Friday, 17 January 2020, 21:21 GMT
Reason for closing:  Fixed
Additional comments about closing:  openssh-8.1p1-1 in [core] last October
Comment by Nicolas Glassey (Weby) - Tuesday, 30 April 2019, 06:03 GMT

Comment by Gaetan Bisson (vesath) - Friday, 17 January 2020, 21:21 GMT
I've only just now become aware of this bug but it was fixed by OpenSSH 8.1 which was released in October. Please accept my apologies for our mishandling of your bug report.
