Bug#355274: openssh-client with smart card support
Package: openssh-client
Version: 1:4.2p1-7
Severity: wishlist
Tags: patch
Hi,
please support the use of smart cards in the openssh-client package.
The attached file contains the necessary patches
- to build an additional package 'openssh-client-sc' that uses
opensc to support smart cards
The package 'openssh-client-sc' conflicts with 'openss-client' and
'ssh' as well as 'openssh-server' are adapted to depent on either of
the client packages.
- that allow asking for the smart card pin in case ssh-agent isn't used
(from opensc CVS; also in bug #608 in OpenSSH's bugzilla)
Thanks in advance
Peter
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages openssh-client depends on:
ii adduser 3.80 Add and remove users and groups
ii debconf [debc 1.4.70 Debian configuration management sy
ii dpkg 1.13.16 package maintenance system for Deb
ii libc6 2.3.5-13 GNU C Library: Shared libraries an
ii libcomerr2 1.38+1.39-WIP-2005.12.31-1 common error description library
ii libedit2 2.9.cvs.20050518-2.2 BSD editline and history libraries
ii libkrb53 1.4.3-5 MIT Kerberos runtime libraries
ii libncurses5 5.5-1 Shared libraries for terminal hand
ii libselinux1 1.28-4 SELinux shared libraries
ii libssl0.9.8 0.9.8a-7 SSL shared libraries
ii zlib1g 1:1.2.3-9 compression library - runtime
openssh-client recommends no packages.
-- no debconf information
diff -rubN openssh-4.2p1/debian/control openssh-4.2p1/debian/control
--- openssh-4.2p1/debian/control 2006-03-04 17:17:18.000000000 +0100
+++ openssh-4.2p1/debian/control 2006-03-04 16:18:33.000000000 +0100
@@ -2,15 +2,15 @@
Section: net
Priority: standard
Maintainer: Matthew Vernon <matthew@debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, libedit-dev, groff, debhelper (>= 3), sharutils, libselinux1-dev [alpha amd64 arm armeb hppa i386 ia64 m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, libedit-dev, groff, debhelper (>= 3), sharutils, libselinux1-dev [alpha amd64 arm armeb hppa i386 ia64 m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev, libopensc2-dev
Standards-Version: 3.6.2
Uploaders: Colin Watson <cjwatson@debian.org>
Package: openssh-client
Architecture: any
Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0)
-Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5, openssh-client-sc
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5, openssh-client-sc
Suggests: ssh-askpass, xbase-clients
Provides: rsh-client, ssh-client
Description: Secure shell client, an rlogin/rsh/rcp replacement
@@ -35,10 +35,39 @@
In some countries it may be illegal to use any encryption at all
without a special permit.
+Package: openssh-client-sc
+Architecture: any
+Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0)
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5, openssh-client
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5, openssh-client
+Suggests: ssh-askpass, xbase-clients
+Provides: rsh-client, ssh-client, openssh-client
+Description: Secure shell client, an rlogin/rsh/rcp replacement with smartcard support
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network. X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It is intended as a replacement for rlogin, rsh and rcp, and can be
+ used to provide applications with a secure communication channel.
+ .
+ This package provides the ssh, scp and sftp clients, the ssh-agent
+ and ssh-add programs to make public key authentication more convenient,
+ and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
+ .
+ --------------------------------------------------------------------
+ .
+ In some countries it may be illegal to use any encryption at all
+ without a special permit.
+
Package: openssh-server
Priority: optional
Architecture: any
-Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version})
+Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version}) | openssh-client-sc (= ${Source-Version})
Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5
Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5
Suggests: ssh-askpass, xbase-clients, rssh
@@ -66,7 +95,7 @@
Package: ssh
Priority: extra
Architecture: all
-Depends: openssh-client, openssh-server
+Depends: openssh-client | openssh-client-sc, openssh-server
Description: Secure shell client and server (transitional package)
This is a transitional package depending on both the OpenSSH client and
the OpenSSH server, which are now in separate packages. You may remove
diff -rubN openssh-4.2p1/debian/openssh-client-sc.config openssh-4.2p1/debian/openssh-client-sc.config
--- openssh-4.2p1/debian/openssh-client-sc.config 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.config 2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+action=$1
+version=$2
+
+# Source debconf library.
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then
+ version=1.2.27
+ cp -a /etc/ssh-nonfree /etc/ssh
+fi
+
+# Was ssh-keysign's setuid bit turned off using the obsolete debconf
+# question? If so, turn this into a statoverride. (Ugh.)
+if dpkg --compare-versions "$2" lt 1:4.1p1-2 && \
+ db_get ssh/SUID_client && [ "$RET" = false ] &&
+ [ -x /usr/sbin/dpkg-statoverride ] && \
+ ! dpkg-statoverride --list /usr/lib/ssh-keysign && \
+ ! dpkg-statoverride --list /usr/lib/openssh/ssh-keysign; then
+ dpkg-statoverride --update --add root root 0755 \
+ /usr/lib/openssh/ssh-keysign
+fi
+
+exit 0
diff -rubN openssh-4.2p1/debian/openssh-client-sc.dirs openssh-4.2p1/debian/openssh-client-sc.dirs
--- openssh-4.2p1/debian/openssh-client-sc.dirs 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.dirs 2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1 @@
+usr/share/lintian/overrides
diff -rubN openssh-4.2p1/debian/openssh-client-sc.lintian openssh-4.2p1/debian/openssh-client-sc.lintian
--- openssh-4.2p1/debian/openssh-client-sc.lintian 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.lintian 2006-03-04 15:23:53.000000000 +0100
@@ -0,0 +1,2 @@
+openssh-client-sc: setuid-binary usr/lib/openssh/ssh-keysign 4755 root/root
+openssh-client-sc: no-debconf-templates
diff -rubN openssh-4.2p1/debian/openssh-client-sc.postinst openssh-4.2p1/debian/openssh-client-sc.postinst
--- openssh-4.2p1/debian/openssh-client-sc.postinst 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.postinst 2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,106 @@
+#!/bin/sh -e
+
+action="$1"
+oldversion="$2"
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+umask 022
+
+if [ "$action" != configure ]
+ then
+ exit 0
+fi
+
+
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+
+ if [ -L /usr/bin/rsh ] &&
+ dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+ for cmd in rlogin rsh rcp ; do
+ [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+ dpkg-divert --package ssh --remove --rename \
+ --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+
+ [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+ dpkg-divert --package ssh --remove --rename \
+ --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+ done
+
+ rmdir /usr/bin/rsh.real
+ fi
+}
+
+create_alternatives() {
+# Create alternatives for the various r* tools.
+# Make sure we don't change existing alternatives that a user might have
+# changed, but clean up after some old alternatives that mistakenly pointed
+# rlogin and rcp to ssh.
+ update-alternatives --quiet --remove rlogin /usr/bin/ssh
+ update-alternatives --quiet --remove rcp /usr/bin/ssh
+ for cmd in rsh rlogin rcp; do
+ scmd="s${cmd#r}"
+ if ! update-alternatives --display "$cmd" | \
+ grep -q "$scmd"; then
+ update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
+ --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
+ fi
+ done
+}
+
+set_ssh_permissions() {
+ if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
+ if [ -x /usr/sbin/dpkg-statoverride ] ; then
+ if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
+ dpkg-statoverride --remove /usr/bin/ssh >/dev/null
+ fi
+ fi
+ fi
+
+ # libexecdir changed, so migrate old statoverrides.
+ if [ -x /usr/sbin/dpkg-statoverride ] &&
+ override="$(dpkg-statoverride --list /usr/lib/ssh-keysign)"; then
+ override_user="${override%% *}"
+ override="${override#* }"
+ override_group="${override%% *}"
+ override="${override#* }"
+ override_mode="${override%% *}"
+ if dpkg-statoverride --update --add \
+ "$override_user" "$override_group" "$override_mode" \
+ /usr/lib/openssh/ssh-keysign; then
+ dpkg-statoverride --remove /usr/lib/ssh-keysign || true
+ fi
+ fi
+}
+
+fix_ssh_group() {
+ # Try to remove non-system group mistakenly created by 1:3.5p1-1.
+ # set_ssh_agent_permissions() below will re-create it properly.
+ if getent group ssh >/dev/null; then
+ delgroup --quiet ssh || true
+ fi
+}
+
+set_ssh_agent_permissions() {
+ if ! getent group ssh >/dev/null; then
+ addgroup --system --quiet ssh
+ fi
+ if ! [ -x /usr/sbin/dpkg-statoverride ] || \
+ ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
+ chgrp ssh /usr/bin/ssh-agent
+ chmod 2755 /usr/bin/ssh-agent
+ fi
+}
+
+
+fix_rsh_diversion
+create_alternatives
+set_ssh_permissions
+if [ "$2" = "1:3.5p1-1" ]; then
+ fix_ssh_group
+fi
+set_ssh_agent_permissions
+
+exit 0
diff -rubN openssh-4.2p1/debian/openssh-client-sc.postrm openssh-4.2p1/debian/openssh-client-sc.postrm
--- openssh-4.2p1/debian/openssh-client-sc.postrm 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.postrm 2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+#DEBHELPER#
+
+if [ "$1" = "purge" ]
+then
+ # Remove all non-conffiles that ssh might create, so that we can
+ # smoothly remove /etc/ssh if and only if the user hasn't dropped some
+ # other files in there. Conffiles have already been removed at this
+ # point.
+ rm -f /etc/ssh/moduli /etc/ssh/primes
+ rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+ rmdir --ignore-fail-on-non-empty /etc/ssh
+fi
+
+if [ "$1" = "purge" ] ; then
+ delgroup --quiet ssh > /dev/null || true
+fi
+
+exit 0
diff -rubN openssh-4.2p1/debian/openssh-client-sc.prerm openssh-4.2p1/debian/openssh-client-sc.prerm
--- openssh-4.2p1/debian/openssh-client-sc.prerm 1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.prerm 2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,39 @@
+#! /bin/sh
+# prerm script for ssh
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|deconfigure)
+ update-alternatives --quiet --remove rsh /usr/bin/ssh
+ update-alternatives --quiet --remove rlogin /usr/bin/slogin
+ update-alternatives --quiet --remove rcp /usr/bin/scp
+ ;;
+ upgrade)
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff -rubN openssh-4.2p1/debian/rules openssh-4.2p1/debian/rules
--- openssh-4.2p1/debian/rules 2006-03-04 17:17:18.000000000 +0100
+++ openssh-4.2p1/debian/rules 2006-03-04 16:04:57.000000000 +0100
@@ -65,7 +65,7 @@
# Change the version string to include the Debian version
SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')
-build: build-deb build-udeb
+build: build-deb build-sc-deb build-udeb
build-deb: build-deb-stamp
build-deb-stamp:
@@ -90,6 +90,23 @@
touch build-deb-stamp
+build-sc-deb: build-sc-deb-stamp
+build-sc-deb-stamp:
+ dh_testdir
+ mkdir -p build-sc-deb
+ cd build-sc-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit --with-kerberos5=/usr $(SELINUX) --with-opensc=/usr
+
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+ # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999).
+ perl -pi -e 's/.*#undef (BROKEN_SETRES[UG]ID).*/#define $$1 1/' build-sc-deb/config.h
+endif
+ # Debian's /var/log/btmp has inappropriate permissions.
+ perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-sc-deb/config.h
+
+ $(MAKE) -C build-sc-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -std=gnu99 -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_EXTRAVERSION="\" $(SSH_EXTRAVERSION)\""'
+
+ touch build-sc-deb-stamp
+
build-udeb: build-udeb-stamp
build-udeb-stamp:
dh_testdir
@@ -105,8 +122,8 @@
clean:
dh_testdir
- rm -f build-deb-stamp build-udeb-stamp
- rm -rf build-deb build-udeb
+ rm -f build-deb-stamp build-sc-deb-stamp build-udeb-stamp
+ rm -rf build-deb build-sc-deb build-udeb
-$(MAKE) -C contrib clean
rm -f config.log
ifeq ($(PO2DEBCONF),yes)
@@ -136,10 +153,13 @@
dh_installdirs
$(MAKE) -C build-deb DESTDIR=`pwd`/debian/openssh-client install-nokeys
+ $(MAKE) -C build-sc-deb DESTDIR=`pwd`/debian/openssh-client-sc install-nokeys
rm -f debian/openssh-client/etc/ssh/sshd_config
+ rm -f debian/openssh-client-sc/etc/ssh/sshd_config
#Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
rm -f debian/openssh-client/usr/share/Ssh.bin
+ rm -f debian/openssh-client-sc/usr/share/Ssh.bin
# Split off the server.
mv debian/openssh-client/usr/sbin/sshd debian/openssh-server/usr/sbin/
@@ -148,10 +168,19 @@
mv debian/openssh-client/usr/share/man/man8/sshd.8 debian/openssh-server/usr/share/man/man8/
mv debian/openssh-client/usr/share/man/man8/sftp-server.8 debian/openssh-server/usr/share/man/man8/
rmdir debian/openssh-client/usr/sbin debian/openssh-client/var/run/sshd
+ rm -f debian/openssh-client-sc/usr/sbin/sshd
+ rm -f debian/openssh-client-sc/usr/lib/openssh/sftp-server
+ rm -f debian/openssh-client-sc/usr/share/man/man5/sshd_config.5
+ rm -f debian/openssh-client-sc/usr/share/man/man8/sshd.8
+ rm -f debian/openssh-client-sc/usr/share/man/man8/sftp-server.8
+ rmdir debian/openssh-client-sc/usr/sbin debian/openssh-client-sc/var/run/sshd
install -m 755 contrib/ssh-copy-id debian/openssh-client/usr/bin/ssh-copy-id
install -m 644 -c contrib/ssh-copy-id.1 debian/openssh-client/usr/share/man/man1/ssh-copy-id.1
install -m 644 debian/moduli.5 debian/openssh-client/usr/share/man/man5/moduli.5
+ install -m 755 contrib/ssh-copy-id debian/openssh-client-sc/usr/bin/ssh-copy-id
+ install -m 644 -c contrib/ssh-copy-id.1 debian/openssh-client-sc/usr/share/man/man1/ssh-copy-id.1
+ install -m 644 debian/moduli.5 debian/openssh-client-sc/usr/share/man/man5/moduli.5
if [ -f contrib/gnome-ssh-askpass2 ]; then \
install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass; \
@@ -163,6 +192,8 @@
install -m 755 debian/ssh-argv0 debian/openssh-client/usr/bin/ssh-argv0
install -m 644 debian/ssh-argv0.1 debian/openssh-client/usr/share/man/man1/ssh-argv0.1
+ install -m 755 debian/ssh-argv0 debian/openssh-client-sc/usr/bin/ssh-argv0
+ install -m 644 debian/ssh-argv0.1 debian/openssh-client-sc/usr/share/man/man1/ssh-argv0.1
install -o root -g root debian/openssh-server.init debian/openssh-server/etc/init.d/ssh
install -o root -g root -m 644 debian/openssh-server.default debian/openssh-server/etc/default/ssh
@@ -177,7 +208,7 @@
binary-indep: binary-ssh
# Build architecture-dependent files here.
-binary-arch: binary-openssh-client binary-openssh-server
+binary-arch: binary-openssh-client binary-openssh-client-sc binary-openssh-server
binary-arch: binary-ssh-askpass-gnome
binary-arch: binary-openssh-client-udeb binary-openssh-server-udeb
@@ -202,6 +233,28 @@
dh_md5sums
dh_builddeb
+binary-openssh-client-sc: DH_OPTIONS=-popenssh-client-sc
+binary-openssh-client-sc: build install
+ dh_testdir
+ dh_testroot
+ dh_installdebconf
+ dh_installdocs OVERVIEW README README.dns
+ cat debian/copyright.head LICENCE > debian/openssh-client-sc/usr/share/doc/openssh-client-sc/copyright
+ dh_installchangelogs ChangeLog
+ install -m644 debian/openssh-client.lintian debian/openssh-client-sc/usr/share/lintian/overrides/openssh-client-sc
+ mv debian/openssh-client-sc/usr/share/doc/openssh-client-sc debian/openssh-client-sc/usr/share/doc/openssh-client
+ dh_strip
+ dh_compress
+ dh_fixperms
+ chmod u+s debian/openssh-client-sc/usr/lib/openssh/ssh-keysign
+ dh_installdeb
+ test ! -e debian/ssh/etc/ssh/ssh_prng_cmds \
+ || echo "/etc/ssh/ssh_prng_cmds" >> debian/openssh-client-sc/DEBIAN/conffiles
+ dh_shlibdeps
+ dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER)) | debconf-2.0'
+ dh_md5sums
+ dh_builddeb
+
binary-openssh-server: DH_OPTIONS=-popenssh-server
binary-openssh-server: build install
dh_testdir
diff -rubN openssh-4.2p1/scard.c openssh-4.2p1/scard.c
--- openssh-4.2p1/scard.c 2004-05-13 08:15:48.000000000 +0200
+++ openssh-4.2p1/scard.c 2006-03-04 15:51:30.000000000 +0100
@@ -35,6 +35,9 @@
#include "misc.h"
#include "scard.h"
+/* currently unused */
+int ask_for_pin = 0;
+
#if OPENSSL_VERSION_NUMBER < 0x00907000L
#define USE_ENGINE
#define RSA_get_default_method RSA_get_default_openssl_method
diff -rubN openssh-4.2p1/scard.h openssh-4.2p1/scard.h
--- openssh-4.2p1/scard.h 2003-06-18 12:28:40.000000000 +0200
+++ openssh-4.2p1/scard.h 2006-03-04 15:51:30.000000000 +0100
@@ -33,6 +33,8 @@
#define SCARD_ERROR_NOCARD -2
#define SCARD_ERROR_APPLET -3
+extern int ask_for_pin;
+
Key **sc_get_keys(const char *, const char *);
void sc_close(void);
int sc_put_key(Key *, const char *);
diff -rubN openssh-4.2p1/scard-opensc.c openssh-4.2p1/scard-opensc.c
--- openssh-4.2p1/scard-opensc.c 2004-05-13 09:29:35.000000000 +0200
+++ openssh-4.2p1/scard-opensc.c 2006-03-04 15:51:30.000000000 +0100
@@ -38,6 +38,8 @@
#include "misc.h"
#include "scard.h"
+int ask_for_pin=0;
+
#if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
#define USE_ENGINE
#define RSA_get_default_method RSA_get_default_openssl_method
@@ -119,6 +121,7 @@
struct sc_pkcs15_prkey_info *key;
struct sc_pkcs15_object *pin_obj;
struct sc_pkcs15_pin_info *pin;
+ char *passphrase = NULL;
priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
if (priv == NULL)
@@ -156,24 +159,47 @@
goto err;
}
pin = pin_obj->data;
+
+ if (sc_pin)
+ passphrase = sc_pin;
+ else if (ask_for_pin) {
+ /* we need a pin but don't have one => ask for the pin */
+ char prompt[64];
+
+ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
+ key_obj->label ? key_obj->label : "smartcard key");
+ passphrase = read_passphrase(prompt, 0);
+ if (!passphrase || !strcmp(passphrase, ""))
+ goto err;
+ } else
+ /* no pin => error */
+ goto err;
+
r = sc_lock(card);
if (r) {
error("Unable to lock smartcard: %s", sc_strerror(r));
goto err;
}
- if (sc_pin != NULL) {
- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
- strlen(sc_pin));
+ r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
+ strlen(passphrase));
if (r) {
sc_unlock(card);
error("PIN code verification failed: %s",
sc_strerror(r));
goto err;
}
- }
+
*key_obj_out = key_obj;
+ if (!sc_pin) {
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ }
return 0;
err:
+ if (!sc_pin && passphrase) {
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ }
sc_close();
return -1;
}
diff -rubN openssh-4.2p1/ssh.c openssh-4.2p1/ssh.c
--- openssh-4.2p1/ssh.c 2006-03-04 17:17:18.000000000 +0100
+++ openssh-4.2p1/ssh.c 2006-03-04 15:51:30.000000000 +0100
@@ -1144,6 +1144,9 @@
#ifdef SMARTCARD
Key **keys;
+ if (!options.batch_mode)
+ ask_for_pin = 1;
+
if (options.smartcard_device != NULL &&
options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
(keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
Reply to: