don't prompt for FIDO passphrase before attempting to enroll the

credential, just let the enroll operating fail and we'll attempt
to get a PIN anyway. Might avoid some unneccessary PIN prompts.

Part of GHPR#302 from Corinna Vinschen; ok dtucker@

diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index f50d5ae..556679d 100644 (file)
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.457 2022/07/20 03:33:22 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.458 2022/08/05 05:01:40 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3265,7 +3265,7 @@ usage(void)
 int
 main(int argc, char **argv)
 {
-       char comment[1024], *passphrase;
+       char comment[1024], *passphrase = NULL;
        char *rr_hostname = NULL, *ep, *fp, *ra;
        struct sshkey *private, *public;
        struct passwd *pw;
@@ -3775,13 +3775,6 @@ main(int argc, char **argv)
                }
                if ((attest = sshbuf_new()) == NULL)
                        fatal("sshbuf_new failed");
-               if ((sk_flags &
-                   (SSH_SK_USER_VERIFICATION_REQD|SSH_SK_RESIDENT_KEY))) {
-                       passphrase = read_passphrase("Enter PIN for "
-                           "authenticator: ", RP_ALLOW_STDIN);
-               } else {
-                       passphrase = NULL;
-               }
                r = 0;
                for (i = 0 ;;) {
                        if (!quiet) {