When banner is enabled on the server, authenticating with a smart card in the ThinLinc client won't work. We never get the PIN prompt for the smart card and only see the banner message. When closing the banner message the login process is cancelled as if we never started it in the first place. Happens when using the client on all client platforms; Linux, Windows and macOS. Looking at the flow of things in tlclient.log it seems like things are happening in a sort of wierd order: 2019-08-28T11:05:06: SSH pid is 28860 2019-08-28T11:05:06: ssh[E]: CONFIRM HOST KEY: localhost ::1 22 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE29XA4X2q6vsUwOsmJa/XJwe5IyN6mKxfOyIXDYdEwq7LXPkZgqT0KawgODygKB7zr7RXT8cl7+7GnWTw+LRgM= 2019-08-28T11:05:06: Host key previously known. 2019-08-28T11:05:06: ssh[E]: NEXT AUTHMETHOD: none 2019-08-28T11:05:06: ssh[E]: BANNER: banner\ntest\n 2019-08-28T11:05:06: Unable to open card session 2019-08-28T11:05:06: Querying user for passphrase... 2019-08-28T11:05:06: Signature operation aborted by user 2019-08-28T11:05:07: Process 28860 exited with code 255 It seems like when tlclient is handling the banner, ssh keeps on going and sending other stuff on the line. Our banner code is probably written with some incorrect assumptions.
The fix should hopefully be as simple as getting the ssh client to wait for tlclient to finish showing the banner. E.g. turning it in to a prompt instead of just a message.
