===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshconnect2.c,v
retrieving revision 1.324
retrieving revision 1.325
diff -u -r1.324 -r1.325
--- src/usr.bin/ssh/sshconnect2.c 2020/06/27 13:39:09 1.324
+++ src/usr.bin/ssh/sshconnect2.c 2020/08/27 01:06:18 1.325
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.324 2020/06/27 13:39:09 bket Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.325 2020/08/27 01:06:18 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1168,7 +1168,7 @@
 struct sshkey *sign_key = NULL, *prv = NULL;
 int r = SSH_ERR_INTERNAL_ERROR;
 struct notifier_ctx *notifier = NULL;
- char *fp = NULL;
+ char *fp = NULL, *pin = NULL, *prompt = NULL;
 
 *sigp = NULL;
 *lenp = 0;
@@ -1197,20 +1197,28 @@
 goto out;
 }
 sign_key = prv;
- if (sshkey_is_sk(sign_key) &&
- (sign_key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
- /* XXX match batch mode should just skip these keys? */
- if ((fp = sshkey_fingerprint(sign_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
- fatal("%s: sshkey_fingerprint", __func__);
- notifier = notify_start(options.batch_mode,
- "Confirm user presence for key %s %s",
- sshkey_type(sign_key), fp);
- free(fp);
+ if (sshkey_is_sk(sign_key)) {
+ if ((sign_key->sk_flags &
+ SSH_SK_USER_VERIFICATION_REQD)) {
+ xasprintf(&prompt, "Enter PIN for %s key %s: ",
+ sshkey_type(sign_key), id->filename);
+ pin = read_passphrase(prompt, 0);
+ }
+ if ((sign_key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+ /* XXX should batch mode just skip these? */
+ if ((fp = sshkey_fingerprint(sign_key,
+ options.fingerprint_hash,
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: fingerprint", __func__);
+ notifier = notify_start(options.batch_mode,
+ "Confirm user presence for key %s %s",
+ sshkey_type(sign_key), fp);
+ free(fp);
+ }
 }
 }
 if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen,
- alg, options.sk_provider, compat)) != 0) {
+ alg, options.sk_provider, pin, compat)) != 0) {
 debug("%s: sshkey_sign: %s", __func__, ssh_err(r));
 goto out;
 }
@@ -1225,6 +1233,9 @@
 /* success */
 r = 0;
 out:
+ free(prompt);
+ if (pin != NULL)
+ freezero(pin, strlen(pin));
 notify_complete(notifier);
 sshkey_free(prv);
 return r;
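Review bot: The new PIN prompt for SSH_SK_USER_VERIFICATION_REQD keys ignores options.batch_mode, while the user-presence branch a few lines below passes options.batch_mode to notify_start and keeps an XXX about skipping such keys; with BatchMode=yes and a PIN-protected key the code still reaches `read_passphrase(prompt, 0)`. What happens then depends on read_passphrase, which is outside this hunk, but either plausible outcome is wrong for a non-interactive session: the client blocks on a prompt nobody will answer, or a failed read yields an empty string that is then handed to the provider as the PIN in sshkey_sign and burns a verification attempt. At minimum the comment should state that both prompts are affected, e.g. `/* XXX batch mode: skip keys that need a PIN or a touch rather than prompting? */` placed above the PIN branch; better, guard the prompt with `if (options.batch_mode) { debug("%s: key %s needs a PIN, skipped in batch mode", __func__, id->filename); goto out; }`, which returns whatever r holds at that point (SSH_ERR_INTERNAL_ERROR from its initialiser in the earlier hunk unless code outside this hunk has changed it — verify). The enclosing function starts before this hunk and continues past it, and the PIN is correctly zeroed with freezero in the cleanup hunk.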