diff options
Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 74946da0..347e348c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.324 2020/06/27 13:39:09 bket Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.325 2020/08/27 01:06:18 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1175,7 +1175,7 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp, struct sshkey *sign_key = NULL, *prv = NULL; int r = SSH_ERR_INTERNAL_ERROR; struct notifier_ctx *notifier = NULL; - char *fp = NULL; + char *fp = NULL, *pin = NULL, *prompt = NULL; *sigp = NULL; *lenp = 0; @@ -1204,20 +1204,28 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp, goto out; } sign_key = prv; - if (sshkey_is_sk(sign_key) && - (sign_key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { - /* XXX match batch mode should just skip these keys? */ - if ((fp = sshkey_fingerprint(sign_key, - options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) - fatal("%s: sshkey_fingerprint", __func__); - notifier = notify_start(options.batch_mode, - "Confirm user presence for key %s %s", - sshkey_type(sign_key), fp); - free(fp); + if (sshkey_is_sk(sign_key)) { + if ((sign_key->sk_flags & + SSH_SK_USER_VERIFICATION_REQD)) { + xasprintf(&prompt, "Enter PIN for %s key %s: ", + sshkey_type(sign_key), id->filename); + pin = read_passphrase(prompt, 0); + } + if ((sign_key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { + /* XXX should batch mode just skip these? */ + if ((fp = sshkey_fingerprint(sign_key, + options.fingerprint_hash, + SSH_FP_DEFAULT)) == NULL) + fatal("%s: fingerprint", __func__); + notifier = notify_start(options.batch_mode, + "Confirm user presence for key %s %s", + sshkey_type(sign_key), fp); + free(fp); + } } } if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen, - alg, options.sk_provider, compat)) != 0) { + alg, options.sk_provider, pin, compat)) != 0) { debug("%s: sshkey_sign: %s", __func__, ssh_err(r)); goto out; } @@ -1232,6 +1240,9 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp, /* success */ r = 0; out: + free(prompt); + if (pin != NULL) + freezero(pin, strlen(pin)); notify_complete(notifier); sshkey_free(prv); return r; |