Skip to content

Move hardware key change pin stderr message to cliPrompt#54207

Merged
Joerger merged 1 commit intomasterfrom
joerger/tsh-default-pin-message
Apr 29, 2025
Merged

Move hardware key change pin stderr message to cliPrompt#54207
Joerger merged 1 commit intomasterfrom
joerger/tsh-default-pin-message

Conversation

@Joerger
Copy link
Copy Markdown
Contributor

@Joerger Joerger commented Apr 22, 2025
edited
Loading

This stderr message should only be output for the CLIPrompt.

Note that ChangePIN is only called when the user provides the default pin or "", so the output now looks like:

Enter your YubiKey PIV PIN [blank to use default]:
// return OR 123456
The default PIN 123456 is not supported.
Please set a new 6-8 character PIN.
...

Alternatively we could pass the context of whether "" or the default pin was passed by the user to determine whether or not to display the extra line, but I think it doesn't hurt to always output it.

resolves #54144 (comment)

@Joerger Joerger requested review from gzdunek and zmb3 April 22, 2025 19:34
@github-actions github-actions Bot added size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Apr 22, 2025
zmb3
zmb3 reviewed Apr 22, 2025
View reviewed changes
Comment thread api/utils/keys/piv/pincache.go
return pin, nil
}

pin, err := prompt.AskPIN(ctx, requirement, keyInfo)
Copy link
Copy Markdown
Collaborator

@zmb3 zmb3 Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to put a timeout on this context so we don't end up with a prompt that sits unanswered forever and holds the mutex preventing other operations from completing?

Copy link
Copy Markdown
Contributor Author

@Joerger Joerger Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if that's necessary - an unanswered PIN prompt would result in a paused program, waiting for the signature requiring the PIN to complete. Though it wouldn't hurt to add a 1 minute timeout here.

@Joerger Joerger added the no-changelog Indicates that a PR does not require a changelog entry label Apr 22, 2025
@Joerger Joerger requested a review from zmb3 April 22, 2025 23:17
@Joerger Joerger changed the base branch from master to joerger/key-specific-pin-caching April 23, 2025 01:27
gzdunek
gzdunek reviewed Apr 23, 2025
View reviewed changes
Comment thread api/utils/keys/hardwarekey/cliprompt.go
// If an invalid PIN or PUK is provided, the user will be re-prompted until a
// valid value is provided.
func (c *cliPrompt) ChangePIN(ctx context.Context, _ ContextualKeyInfo) (*PINAndPUK, error) {
fmt.Fprintf(os.Stderr, "The default PIN %q is not supported.\n", DefaultPIN)
Copy link
Copy Markdown
Contributor

@gzdunek gzdunek Apr 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're already showing the same message on line 116. Maybe it’s enough to display it only when the user actually enters the default PIN?

Copy link
Copy Markdown
Contributor

@espadolini espadolini Apr 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It sort of works as a warning against picking the default PIN, doesn't it?

Copy link
Copy Markdown
Contributor Author

@Joerger Joerger Apr 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think the following flow would be bad UX:

Enter your YubiKey PIV PIN [blank to use default]:
// 123456
Please set a new 6-8 character PIN.
// 123456
The default PIN 123456 is not supported.

@Joerger Joerger mentioned this pull request Apr 23, 2025
Closed
Joerger added a commit that referenced this pull request Apr 23, 2025
@Joerger
Move hardware key change pin stderr message to cliPrompt (#54207)
be813ff
Joerger added a commit that referenced this pull request Apr 23, 2025
@Joerger
Move hardware key change pin stderr message to cliPrompt (#54207)
b480e0a
@Joerger Joerger requested a review from gzdunek April 23, 2025 22:44
Base automatically changed from joerger/key-specific-pin-caching to master April 23, 2025 23:06
@Joerger Joerger force-pushed the joerger/tsh-default-pin-message branch from d7546ea to f34564b Compare April 29, 2025 17:18
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from flyinghermit April 29, 2025 17:18
@Joerger Joerger force-pushed the joerger/tsh-default-pin-message branch from f34564b to 74fdfb7 Compare April 29, 2025 17:19
@Joerger Joerger enabled auto-merge April 29, 2025 17:20
@Joerger Joerger added this pull request to the merge queue Apr 29, 2025
Merged via the queue into master with commit a795626 Apr 29, 2025
41 checks passed
@Joerger Joerger deleted the joerger/tsh-default-pin-message branch April 29, 2025 18:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@espadolini espadolini espadolini approved these changes

@gzdunek gzdunek gzdunek approved these changes

@zmb3 zmb3 Awaiting requested review from zmb3

Assignees

No one assigned

Labels

no-changelog Indicates that a PR does not require a changelog entry size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Joerger @espadolini @zmb3 @gzdunek