Tramp: Handle PIN requests from security keys

* doc/misc/tramp.texi (Frequently Asked Questions): Clarify FIDO entry.

* lisp/net/tramp-sh.el (tramp-actions-before-shell)
(tramp-actions-copy-out-of-band):
Use `tramp-security-key-pin-regexp'.

* lisp/net/tramp.el (tramp-security-key-pin-regexp): New defcustom.
(tramp-action-otp-password, tramp-read-passwd): Trim password prompt.
(tramp-action-show-and-confirm-message): Expand for PIN requests.

3 files changed, 30 insertions, 13 deletions

diff --git a/doc/misc/tramp.texi b/doc/misc/tramp.texi
index 56945d3071c..90824024c03 100644
--- a/doc/misc/tramp.texi
+++ b/doc/misc/tramp.texi
@@ -5238,9 +5238,14 @@ Does @value{tramp} support @acronym{SSH} security keys?
 Yes.  @command{OpenSSH} has added support for @acronym{FIDO} hardware
 devices via special key types @option{*-sk}.  @value{tramp} supports
 the additional handshaking messages for them.  This requires at least
-@command{OpenSSH} 8.2, and a @acronym{FIDO} @acronym{U2F} compatible
-security key, like yubikey, solokey, nitrokey, or titankey.
-
+@command{OpenSSH} 8.2, and a @acronym{FIDO} @acronym{U2F} or
+@acronym{FIDO2} compatible security key, like yubikey, solokey,
+nitrokey, or titankey.
+@c @uref{https://docs.fedoraproject.org/en-US/quick-docs/using-yubikeys/}
+
+@strong{Note} that there are reports on problems of handling yubikey
+residential keys by @command{ssh-agent}.  As workaround, you might
+disable @command{ssh-agent} for such keys.
 
 @item
 @value{tramp} does not connect to Samba or MS Windows hosts running
diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el
index 68ee541bee6..3557b3a1b64 100644
--- a/lisp/net/tramp-sh.el
+++ b/lisp/net/tramp-sh.el
@@ -547,6 +547,7 @@ shell from reading its init file."
     (tramp-terminal-prompt-regexp tramp-action-terminal)
     (tramp-antispoof-regexp tramp-action-confirm-message)
     (tramp-security-key-confirm-regexp tramp-action-show-and-confirm-message)
+    (tramp-security-key-pin-regexp tramp-action-otp-password)
     (tramp-process-alive-regexp tramp-action-process-alive))
   "List of pattern/action pairs.
 Whenever a pattern matches, the corresponding action is performed.
@@ -566,6 +567,7 @@ corresponding PATTERN matches, the ACTION function is called.")
     (tramp-wrong-passwd-regexp tramp-action-permission-denied)
     (tramp-copy-failed-regexp tramp-action-permission-denied)
     (tramp-security-key-confirm-regexp tramp-action-show-and-confirm-message)
+    (tramp-security-key-pin-regexp tramp-action-otp-password)
     (tramp-process-alive-regexp tramp-action-out-of-band))
   "List of pattern/action pairs.
 This list is used for copying/renaming with out-of-band methods.
diff --git a/lisp/net/tramp.el b/lisp/net/tramp.el
index 8e114912527..ae59915b1e8 100644
--- a/lisp/net/tramp.el
+++ b/lisp/net/tramp.el
@@ -770,6 +770,13 @@ The regexp should match at end of buffer."
   :version "28.1"
   :type 'regexp)
 
+(defcustom tramp-security-key-pin-regexp
+  (rx bol (* "\r") (group "Enter PIN for " (* nonl)) (* (any "\r\n")))
+  "Regular expression matching security key PIN prompt.
+The regexp should match at end of buffer."
+  :version "29.3"
+  :type 'regexp)
+
 (defcustom tramp-operation-not-permitted-regexp
   (rx (| (: "preserving times" (* nonl)) "set mode") ":" (* blank)
       "Operation not permitted")
@@ -5435,7 +5442,7 @@ of."
           prompt)
       (goto-char (point-min))
       (tramp-check-for-regexp proc tramp-process-action-regexp)
-      (setq prompt (concat (match-string 1) " "))
+      (setq prompt (concat (string-trim (match-string 1)) " "))
       (tramp-message vec 3 "Sending %s" (match-string 1))
       ;; We don't call `tramp-send-string' in order to hide the
       ;; password from the debug buffer and the traces.
@@ -5511,14 +5518,16 @@ Wait, until the connection buffer changes."
         (ignore set-message-function clear-message-function)
         (tramp-message vec 6 "\n%s" (buffer-string))
         (tramp-check-for-regexp proc tramp-process-action-regexp)
-        (with-temp-message
-            (replace-regexp-in-string (rx (any "\r\n")) "" (match-string 0))
+        (with-temp-message (concat (string-trim (match-string 0)) " ")
           ;; Hide message in buffer.
           (narrow-to-region (point-max) (point-max))
           ;; Wait for new output.
           (while (not (ignore-error file-error
                         (tramp-wait-for-regexp
-                         proc 0.1 tramp-security-key-confirmed-regexp)))
+                         proc 0.1
+                         (rx (| (regexp tramp-security-key-confirmed-regexp)
+                                (regexp tramp-security-key-pin-regexp)
+                                (regexp tramp-security-key-timeout-regexp))))))
             (when (tramp-check-for-regexp proc tramp-security-key-timeout-regexp)
               (throw 'tramp-action 'timeout))
             (redisplay 'force))))))
@@ -6564,12 +6573,13 @@ Consults the auth-source package."
                    (tramp-get-connection-property key "login-as")))
          (host (tramp-file-name-host-port vec))
          (pw-prompt
-          (or prompt
-              (with-current-buffer (process-buffer proc)
-                (tramp-check-for-regexp proc tramp-password-prompt-regexp)
-                (if (string-match-p "passphrase" (match-string 1))
-                    (match-string 0)
-                  (format "%s for %s " (capitalize (match-string 1)) key)))))
+          (string-trim-left
+           (or prompt
+               (with-current-buffer (process-buffer proc)
+                 (tramp-check-for-regexp proc tramp-password-prompt-regexp)
+                 (if (string-match-p "passphrase" (match-string 1))
+                     (match-string 0)
+                   (format "%s for %s " (capitalize (match-string 1)) key))))))
          (auth-source-creation-prompts `((secret . ,pw-prompt)))
          ;; Use connection-local value.
          (auth-sources (buffer-local-value 'auth-sources (process-buffer proc)))