We currently have no special handling for secure PIN entry (aka PIN pads). I've tested and checked that it is still possible to use ThinLinc with them, but the usability is horrible:
- The client will ask for a PIN, just as usual. Only after the PIN has been entere will the reader switch to secure mode and ask for a PIN though. That means that the user will enter their PIN twice, and no good feedback that they need to enter it on the pad.
- When doing the second connection to the agent, the PIN will need to be entered again on the pad. Again, there is no feedback from the client that this needs to be done.
Solving the feedback issues shouldn't be that difficult. We just need to make OpenSSH be aware of when a PIN pad is present and report that back to the client so that we can change the messages presented.
The bigger issue is that PIN pads prohibit our kind of cache-based SSO (by design). This means we need to implement bug 2545 to make login to ThinLinc smooth.