git.ipfire.org Git - thirdparty/openssh-portable.git/commit
upstream: If a signature operation on a FIDO key fails with a
author djm@openbsd.org <djm@openbsd.org>
Fri, 8 Jan 2021 02:57:24 +0000 (02:57 +0000)
committer Damien Miller <djm@mindrot.org>
Fri, 8 Jan 2021 02:58:27 +0000 (13:58 +1100)
commit 4c7af01f9dcc1606dec033e7665a042cb0d8ec52
tree f9dbad713d5cb623ba0698ee5081cdc0461a1628
parent 64ddd0fe68c4a7acf99b78624f8af45e919cd317
upstream: If a signature operation on a FIDO key fails with a

"incorrect PIN" reason and no PIN was initially requested from the user, then
request a PIN and retry the operation.

This smoothes over a few corner cases including FIDO devices that
require PINs for all hosted credentials, biometric FIDO devices that
fall back to requiring PIN when reading the biometric failed, devices
that don't implement reading credProtect status for downloaded keys
and probably a few more cases that I haven't thought of yet.

ok dtucker@

OpenBSD-Commit-ID: 176db8518933d6a5bbf81a2e3cf62447158dc878
sshconnect2.c
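
The retry rule described in the commit message above, as an added illustration that is not code from this commit or from OpenSSH. All names (`mock_token`, `token_sign`, `sign_with_pin_retry`, `fixed_prompt`, the `SIGN_*` codes) are hypothetical, and the token is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch; not OpenSSH's constants. */
enum sign_result { SIGN_OK, SIGN_ERR_PIN_INCORRECT, SIGN_ERR_OTHER };

/* Constructed stand-in for a FIDO token. */
struct mock_token {
    const char *required_pin; /* NULL: token signs without a PIN */
    int sign_calls;           /* sign attempts that reached the token */
};
typedef const char *(*pin_prompt_fn)(void *ctx);

static enum sign_result token_sign(struct mock_token *t, const char *pin)
{
    t->sign_calls++;
    if (t->required_pin != NULL &&
        (pin == NULL || strcmp(pin, t->required_pin) != 0))
        return SIGN_ERR_PIN_INCORRECT;
    return SIGN_OK;
}

/* Sample prompt: "the user" types whatever ctx points at. */
static const char *fixed_prompt(void *ctx) { return (const char *)ctx; }

/* Retry once, and only when the token reported "incorrect PIN" although no
 * PIN was requested up front. A rejected user-supplied PIN is returned
 * as-is, so a single sign request never submits more than one PIN. */
static enum sign_result sign_with_pin_retry(struct mock_token *t,
    const char *initial_pin, pin_prompt_fn prompt, void *ctx, int *prompted)
{
    enum sign_result r = token_sign(t, initial_pin);
    const char *pin;

    *prompted = 0;
    if (r != SIGN_ERR_PIN_INCORRECT || initial_pin != NULL)
        return r;
    *prompted = 1;
    pin = prompt(ctx);
    return pin == NULL ? SIGN_ERR_PIN_INCORRECT : token_sign(t, pin);
}

int main(void)
{
    struct mock_token t = { "1234", 0 };
    int prompted;
    int r = sign_with_pin_retry(&t, NULL, fixed_prompt, (void *)"1234", &prompted);
    printf("result=%d prompted=%d sign_calls=%d\n", r, prompted, t.sign_calls);
    return 0;
}
```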