
[Bug 2890] ssh-agent should not fail after removing and inserting smart card
https://bugzilla.mindrot.org/show_bug.cgi?id=2890

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #8 from Damien Miller <djm@mindrot.org> ---
I wonder if it wouldn't be better to cache the PIN in struct
pkcs11_slotinfo and automatically retry it instead of going back to the
user via ssh-askpass, which is problematic in the case of ssh-agent.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2890] ssh-agent should not fail after removing and inserting smart card
https://bugzilla.mindrot.org/show_bug.cgi?id=2890

--- Comment #9 from Jakub Jelen <jjelen@redhat.com> ---
(In reply to Damien Miller from comment #8)
> I wonder if it wouldn't be better to cache the PIN in struct
> pkcs11_slotinfo and automatically retry it instead of going back to
> the user via ssh-askpass, which is problematic in the case of
> ssh-agent.

Well ... that would be the other, less secure option. And personally, I
am not sure I would be comfortable using that, knowing that the PIN is
sitting somewhere in memory unencrypted. Especially when we already
encrypt private keys, the PIN would be very vulnerable.

The other problem might be with some regulations. I probably don't care
enough as I have just a bunch of testing cards and a personal yubikey, but
in production, when the smart card backed keys are used for accessing
production servers, it would be something I would like to avoid.
