Bug#355274: updated patch
Hi,
please find attached an updated patch to the files in the debian/ subdirectory
so that only ONE additional package named openssh-client-opensc is created in
the build process, which is considered an alternative to openssh-client with
opensc-support.
This is possible because the opensc support is constricted to the client side.
It would be great if you'd consider including opensc support into the openssh
client (at least as an alternative package).
In addition to the build infrastructure, I'll add the patch to ask for a
smartcard pin when ssh-agent is not running.
This latter patch can be included no matter whether opensc support is included
as all the code it changes is behind "defined(SMARTCARD)" which only gets
defined when smartcard support is included.
Thanks for maintaining openssh in Debian.
--
Peter Marschall
peter@adpm.de
diff -rubN debian/control debian/control
--- debian/control 2008-03-23 17:07:06.000000000 +0100
+++ debian/control 2008-03-23 15:50:11.000000000 +0100
@@ -2,7 +2,7 @@
Section: net
Priority: standard
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev, libopensc2-dev
Standards-Version: 3.7.3
Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org>
@@ -10,8 +10,8 @@
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
Recommends: xauth
-Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
-Replaces: ssh, ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7), openssh-client-opensc
+Replaces: ssh, ssh-krb5, openssh-client-opensc
Suggests: ssh-askpass, libpam-ssh, keychain
Provides: rsh-client, ssh-client
Description: secure shell client, an rlogin/rsh/rcp replacement
@@ -34,10 +34,39 @@
In some countries it may be illegal to use any encryption at all
without a special permit.
+Package: openssh-client-opensc
+Architecture: any
+Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
+Recommends: xauth
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7), openssh-client
+Replaces: ssh, ssh-krb5, openssh-client
+Suggests: ssh-askpass, libpam-ssh, keychain
+Provides: rsh-client, ssh-client
+Description: secure shell client, an rlogin/rsh/rcp replacement
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network. X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It is intended as a replacement for rlogin, rsh and rcp, and can be
+ used to provide applications with a secure communication channel.
+ .
+ This package provides the ssh, scp and sftp clients, the ssh-agent
+ and ssh-add programs to make public key authentication more convenient,
+ and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
+ This package was compiled with OpenSC support.
+ .
+ In some countries it may be illegal to use any encryption at all
+ without a special permit.
+
Package: openssh-server
Priority: optional
Architecture: any
-Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.0-6)
+Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}) | openssh-client-opensc (= ${binary:Version}), lsb-base (>= 3.0-6)
Recommends: xauth
Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5
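Review bot: the new openssh-client-opensc stanza carries no Priority, so it inherits `standard` from the source stanza while declaring `Conflicts: openssh-client`, and Policy does not allow two packages of priority standard or higher to conflict with each other; add an explicit `Priority: optional` (the ssh metapackage in this file uses `extra`) and leave openssh-client as the standard-priority default. The `openssh-client (= ${binary:Version}) | openssh-client-opensc (= ${binary:Version})` alternation on openssh-server is the right tool, since a Provides cannot satisfy a versioned dependency, but any package outside this source that depends on plain `openssh-client` will still force the OpenSC variant off the system when it is installed; that limitation deserves a sentence in the description or README.Debian.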
@@ -64,7 +93,7 @@
Package: ssh
Priority: extra
Architecture: all
-Depends: openssh-client, openssh-server
+Depends: openssh-client | openssh-client-opensc, openssh-server
Description: secure shell client and server (metapackage)
This metapackage is a convenient way to install both the OpenSSH client
and the OpenSSH server. It provides nothing in and of itself, so you
@@ -73,7 +102,7 @@
Package: ssh-krb5
Priority: extra
Architecture: all
-Depends: openssh-client, openssh-server
+Depends: openssh-client | openssh-client-opensc, openssh-server
Description: secure shell client and server (transitional package)
This is a transitional package depending on the regular Debian OpenSSH
client and server, which now support GSSAPI natively. It will add the
@@ -84,7 +113,7 @@
Section: gnome
Priority: optional
Architecture: any
-Depends: ${shlibs:Depends}, openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5
+Depends: ${shlibs:Depends}, openssh-client | openssh-client-opensc | ssh (>= 1:1.2pre7-4) | ssh-krb5
Replaces: ssh (<< 1:3.5p1-3)
Provides: ssh-askpass
Description: interactive X program to prompt users for a passphrase for ssh-add
diff -rubN debian/openssh-client-opensc.config debian/openssh-client-opensc.config
--- debian/openssh-client-opensc.config 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.config 2008-03-23 11:19:16.000000000 +0100
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+action=$1
+version=$2
+
+# Source debconf library.
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then
+ version=1.2.27
+ cp -a /etc/ssh-nonfree /etc/ssh
+fi
+
+# Was ssh-keysign's setuid bit turned off using the obsolete debconf
+# question? If so, turn this into a statoverride. (Ugh.)
+if dpkg --compare-versions "$2" lt 1:4.1p1-2 && \
+ db_get ssh/SUID_client && [ "$RET" = false ] &&
+ [ -x /usr/sbin/dpkg-statoverride ] && \
+ ! dpkg-statoverride --list /usr/lib/ssh-keysign && \
+ ! dpkg-statoverride --list /usr/lib/openssh/ssh-keysign; then
+ dpkg-statoverride --update --add root root 0755 \
+ /usr/lib/openssh/ssh-keysign
+fi
+
+exit 0
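Review bot: `version` is set from `$2` and overridden to `1.2.27` in the ssh-nonfree branch, but the comparison `dpkg --compare-versions "$2" lt 1:4.1p1-2` reads `$2` directly, so the override is dead code; compare `"$version"` there (and either use or drop the unused `action=$1`). On a first install of this package `$2` is empty, which dpkg treats as older than any version, so the statoverride branch is evaluated on every fresh install and only stays inert because `db_get ssh/SUID_client` fails or does not return `false`.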
diff -rubN debian/openssh-client-opensc.dirs debian/openssh-client-opensc.dirs
--- debian/openssh-client-opensc.dirs 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.dirs 2008-03-23 11:19:16.000000000 +0100
@@ -0,0 +1 @@
+usr/share/lintian/overrides
diff -rubN debian/openssh-client-opensc.links debian/openssh-client-opensc.links
--- debian/openssh-client-opensc.links 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.links 2008-03-23 15:59:51.000000000 +0100
@@ -0,0 +1 @@
+usr/share/doc/openssh-client usr/share/doc/openssh-client-opensc
diff -rubN debian/openssh-client-opensc.lintian debian/openssh-client-opensc.lintian
--- debian/openssh-client-opensc.lintian 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.lintian 2008-03-23 13:26:22.000000000 +0100
@@ -0,0 +1,2 @@
+openssh-client-opensc: setuid-binary usr/lib/openssh/ssh-keysign 4755 root/root
+openssh-client-opensc: no-debconf-templates
diff -rubN debian/openssh-client-opensc.postinst debian/openssh-client-opensc.postinst
--- debian/openssh-client-opensc.postinst 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.postinst 2008-03-23 11:19:16.000000000 +0100
@@ -0,0 +1,115 @@
+#!/bin/sh -e
+
+action="$1"
+oldversion="$2"
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+umask 022
+
+if [ "$action" != configure ]
+ then
+ exit 0
+fi
+
+
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+
+ if [ -L /usr/bin/rsh ] &&
+ dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+ for cmd in rlogin rsh rcp ; do
+ [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+ dpkg-divert --package ssh --remove --rename \
+ --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+
+ [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+ dpkg-divert --package ssh --remove --rename \
+ --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+ done
+
+ rmdir /usr/bin/rsh.real
+ fi
+}
+
+create_alternatives() {
+# Create alternatives for the various r* tools.
+# Make sure we don't change existing alternatives that a user might have
+# changed, but clean up after some old alternatives that mistakenly pointed
+# rlogin and rcp to ssh.
+ update-alternatives --quiet --remove rlogin /usr/bin/ssh
+ update-alternatives --quiet --remove rcp /usr/bin/ssh
+ for cmd in rsh rlogin rcp; do
+ scmd="s${cmd#r}"
+ if ! update-alternatives --display "$cmd" | \
+ grep -q "$scmd"; then
+ update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
+ --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
+ fi
+ done
+}
+
+set_ssh_permissions() {
+ if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
+ if [ -x /usr/sbin/dpkg-statoverride ] ; then
+ if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
+ dpkg-statoverride --remove /usr/bin/ssh >/dev/null
+ fi
+ fi
+ fi
+
+ # libexecdir changed, so migrate old statoverrides.
+ if [ -x /usr/sbin/dpkg-statoverride ] &&
+ override="$(dpkg-statoverride --list /usr/lib/ssh-keysign)"; then
+ override_user="${override%% *}"
+ override="${override#* }"
+ override_group="${override%% *}"
+ override="${override#* }"
+ override_mode="${override%% *}"
+ if dpkg-statoverride --update --add \
+ "$override_user" "$override_group" "$override_mode" \
+ /usr/lib/openssh/ssh-keysign; then
+ dpkg-statoverride --remove /usr/lib/ssh-keysign || true
+ fi
+ fi
+}
+
+fix_ssh_group() {
+ # Try to remove non-system group mistakenly created by 1:3.5p1-1.
+ # set_ssh_agent_permissions() below will re-create it properly.
+ if getent group ssh >/dev/null; then
+ delgroup --quiet ssh || true
+ fi
+}
+
+set_ssh_agent_permissions() {
+ if ! getent group ssh >/dev/null; then
+ addgroup --system --quiet ssh
+ fi
+ if ! [ -x /usr/sbin/dpkg-statoverride ] || \
+ ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
+ chgrp ssh /usr/bin/ssh-agent
+ chmod 2755 /usr/bin/ssh-agent
+ fi
+}
+
+commit_transfer_conffile () {
+ CONFFILE="$1"
+ if [ -e "$CONFFILE.moved-by-preinst" ]; then
+ rm -f "$CONFFILE.moved-by-preinst"
+ fi
+}
+
+
+fix_rsh_diversion
+create_alternatives
+set_ssh_permissions
+if [ "$2" = "1:3.5p1-1" ]; then
+ fix_ssh_group
+fi
+set_ssh_agent_permissions
+commit_transfer_conffile /etc/ssh/moduli
+commit_transfer_conffile /etc/ssh/ssh_config
+
+exit 0
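Review bot: `rm /usr/man/man1/$$cmd.1.gz` in fix_rsh_diversion expands `$$` to the shell's PID, so whenever the guarding `[ -L /usr/man/man1/$cmd.1.gz ]` is true the `rm` targets a nonexistent `<pid>cmd.1.gz`, fails, and under `sh -e` aborts the postinst; it should read `/usr/man/man1/$cmd.1.gz`. The trailer also tests `[ "$2" = "1:3.5p1-1" ]` although the script already named that argument `$oldversion`. More generally this is a verbatim copy of openssh-client.postinst whose version-keyed migrations all refer to openssh-client's own history; since this package has no earlier versions, `$oldversion` is empty on a switch from openssh-client and the `lt-nl` comparison is simply false, which is harmless but worth a comment so nobody tries to keep the two copies in sync by hand.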
diff -rubN debian/openssh-client-opensc.postrm debian/openssh-client-opensc.postrm
--- debian/openssh-client-opensc.postrm 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.postrm 2008-03-23 11:19:16.000000000 +0100
@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+#DEBHELPER#
+
+abort_transfer_conffile () {
+ CONFFILE="$1"
+ if [ -e "$CONFFILE.moved-by-preinst" ]; then
+ echo >&2 "Aborting ownership transfer of conffile $CONFFILE ..."
+ mv -f "$CONFFILE.moved-by-preinst" "$CONFFILE"
+ return 0
+ fi
+}
+
+case $1 in
+ abort-install|abort-upgrade)
+ abort_transfer_conffile /etc/ssh/moduli
+ abort_transfer_conffile /etc/ssh/ssh_config
+ ;;
+ purge)
+ # Remove all non-conffiles that ssh might create, so that we
+ # can smoothly remove /etc/ssh if and only if the user
+ # hasn't dropped some other files in there. Conffiles have
+ # already been removed at this point.
+ rm -f /etc/ssh/moduli /etc/ssh/primes
+ rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+ rmdir --ignore-fail-on-non-empty /etc/ssh
+
+ delgroup --quiet ssh > /dev/null || true
+ ;;
+esac
+
+exit 0
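Review bot: the `purge` branch removes the system-wide `/etc/ssh/ssh_known_hosts` files and the `ssh` group unconditionally, but this package Replaces/Conflicts openssh-client, so purging it later, after the user has switched back to openssh-client, deletes pinned host keys and the group that the live openssh-client's setgid ssh-agent relies on. Guard the branch with a check that the sibling package is not installed (for example via `dpkg-query -W -f '${Status}' openssh-client`) or drop the shared-state cleanup from this copy; the same concern applies in reverse to openssh-client's postrm once this package exists.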
diff -rubN debian/openssh-client-opensc.preinst debian/openssh-client-opensc.preinst
--- debian/openssh-client-opensc.preinst 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.preinst 2008-03-23 11:19:16.000000000 +0100
@@ -0,0 +1,49 @@
+#! /bin/sh -e
+
+ETC_SSH_MODULI=@ETC_SSH_MODULI@
+
+ETC_SSH_SSH_CONFIG=@ETC_SSH_SSH_CONFIG@
+
+action="$1"
+version="$2"
+
+prepare_transfer_conffile () {
+ CONFFILE="$1"
+ TEXT="$2"
+ MODE="$3"
+ [ "$CONFFILES" ] || return 0
+ [ -e "$CONFFILE" ] || return 0
+
+ md5sum="$(md5sum "$CONFFILE" |sed -e 's/ .*//')"
+ old_md5sum="$(echo "$CONFFILES" | awk '$1 == "'"$CONFFILE"'" { print $2 }')"
+ if [ "$md5sum" = "$old_md5sum" ]; then
+ echo >&2 "Transferring ownership of conffile $CONFFILE ..."
+ # We have to write out the desired new text of the conffile,
+ # which is tricky in the preinst, hence the nasty way we
+ # have to hardcode the text here. Fortunately, this is only
+ # necessary with sarge's dpkg and older.
+ if echo "$TEXT" | head -n1 | grep -q '^@.*@$'; then
+ echo >&2 'Unsubstituted conffile text! Please report this bug.'
+ exit 1
+ fi
+ printf '%s' "$TEXT" >"$CONFFILE.dpkg-new"
+ chmod "$MODE" "$CONFFILE.dpkg-new"
+ mv -f "$CONFFILE" "$CONFFILE.moved-by-preinst"
+ mv -f "$CONFFILE.dpkg-new" "$CONFFILE"
+ return 0
+ fi
+}
+
+case $action in
+ install|upgrade)
+ if dpkg --compare-versions "$version" lt 0; then
+ CONFFILES="$(dpkg-query -W -f '${Conffiles}\n' ssh 2>/dev/null | sed 's/^ *//')"
+ prepare_transfer_conffile /etc/ssh/moduli "$ETC_SSH_MODULI" 0644
+ prepare_transfer_conffile /etc/ssh/ssh_config "$ETC_SSH_SSH_CONFIG" 0644
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff -rubN debian/openssh-client-opensc.prerm debian/openssh-client-opensc.prerm
--- debian/openssh-client-opensc.prerm 1970-01-01 01:00:00.000000000 +0100
+++ debian/openssh-client-opensc.prerm 2008-03-23 11:19:16.000000000 +0100
@@ -0,0 +1,39 @@
+#! /bin/sh
+# prerm script for ssh
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+ remove|deconfigure)
+ update-alternatives --quiet --remove rsh /usr/bin/ssh
+ update-alternatives --quiet --remove rlogin /usr/bin/slogin
+ update-alternatives --quiet --remove rcp /usr/bin/scp
+ ;;
+ upgrade)
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff -rubN debian/rules debian/rules
--- debian/rules 2008-03-23 17:07:06.000000000 +0100
+++ debian/rules 2008-03-23 16:33:25.000000000 +0100
@@ -107,7 +107,7 @@
confflags += --with-ldflags='$(PIE_LDFLAGS)'
endif
-build: build-deb build-udeb
+build: build-deb build-deb-opensc build-udeb
build-deb: build-deb-stamp
build-deb-stamp:
@@ -127,6 +127,24 @@
touch build-deb-stamp
+build-deb-opensc: build-deb-opensc-stamp
+build-deb-opensc-stamp:
+ dh_testdir
+ mkdir -p build-deb-opensc
+ cd build-deb-opensc && ../configure $(confflags) --with-opensc=/usr
+
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+ # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999).
+ perl -pi -e 's/.*#undef (BROKEN_SETRES[UG]ID).*/#define $$1 1/' build-deb-opensc/config.h
+endif
+ # Debian's /var/log/btmp has inappropriate permissions.
+ perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb-opensc/config.h
+
+ $(MAKE) -C build-deb-opensc -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass'
+ #$(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc $(OPTFLAGS) -g -Wall'
+
+ touch build-deb-opensc-stamp
+
build-udeb: build-udeb-stamp
build-udeb-stamp:
dh_testdir
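Review bot: the config.h fix-ups and the `$(MAKE) ... -j 2 ASKPASS_PROGRAM=...` line duplicate build-deb-stamp almost line for line; factor the shared part into a make variable or a pattern rule so the two configurations cannot drift (only `--with-opensc=/usr` differs). The commented-out `gnome-ssh-askpass2` line can simply be deleted here, since build-deb already builds it.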
@@ -142,8 +160,8 @@
clean:
dh_testdir
- rm -f build-deb-stamp build-udeb-stamp
- rm -rf build-deb build-udeb
+ rm -f build-deb-stamp build-deb-opensc-stamp build-udeb-stamp
+ rm -rf build-deb build-deb-opensc build-udeb
$(MAKE) -C contrib clean
rm -f config.log
rm -f debian/ssh-askpass-gnome.png
@@ -159,10 +177,15 @@
dh_installdirs
$(MAKE) -C build-deb DESTDIR=`pwd`/debian/openssh-client install-nokeys
+ # do the same for the -opensc variant
+ $(MAKE) -C build-deb-opensc DESTDIR=`pwd`/debian/openssh-client-opensc install-nokeys
rm -f debian/openssh-client/etc/ssh/sshd_config
#Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
rm -f debian/openssh-client/usr/share/Ssh.bin
+ # do the same for the -opensc variant
+ rm -f debian/openssh-client-opensc/etc/ssh/sshd_config \
+ debian/openssh-client-opensc/usr/share/Ssh.bin
# Split off the server.
mv debian/openssh-client/usr/sbin/sshd debian/openssh-server/usr/sbin/
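Review bot: the comment "since we have no smartcard support anyway" no longer describes the -opensc staging tree, but the `rm -f .../usr/share/Ssh.bin` is still correct there, because Ssh.bin is the Cyberflex applet used by the sectok backend, which an OpenSC build does not use; reword the comment for the opensc copy so it does not invite someone to drop the removal.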
@@ -172,10 +195,23 @@
mv debian/openssh-client/usr/share/man/man8/sshd.8 debian/openssh-server/usr/share/man/man8/
mv debian/openssh-client/usr/share/man/man8/sftp-server.8 debian/openssh-server/usr/share/man/man8/
rmdir debian/openssh-client/usr/sbin debian/openssh-client/var/run/sshd
+ # remove the server parts for the -opensc variant
+ rm -f debian/openssh-client-opensc/usr/sbin/sshd \
+ debian/openssh-client-opensc/usr/lib/openssh/sftp-server \
+ debian/openssh-client-opensc/usr/share/man/man5/authorized_keys.5 \
+ debian/openssh-client-opensc/usr/share/man/man5/sshd_config.5 \
+ debian/openssh-client-opensc/usr/share/man/man8/sshd.8 \
+ debian/openssh-client-opensc/usr/share/man/man8/sftp-server.8
+ rmdir debian/openssh-client-opensc/usr/sbin debian/openssh-client-opensc/var/run/sshd
install -m 755 contrib/ssh-copy-id debian/openssh-client/usr/bin/ssh-copy-id
install -m 644 -c contrib/ssh-copy-id.1 debian/openssh-client/usr/share/man/man1/ssh-copy-id.1
install -m 644 debian/moduli.5 debian/openssh-client/usr/share/man/man5/moduli.5
+ # do the same for the -opensc variant
+ install -m 755 contrib/ssh-copy-id debian/openssh-client-opensc/usr/bin/ssh-copy-id
+ install -m 644 -c contrib/ssh-copy-id.1 debian/openssh-client-opensc/usr/share/man/man1/ssh-copy-id.1
+ install -m 644 debian/moduli.5 debian/openssh-client-opensc/usr/share/man/man5/moduli.5
+
install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass
install -m 644 debian/gnome-ssh-askpass.1 debian/ssh-askpass-gnome/usr/share/man/man1/gnome-ssh-askpass.1
@@ -183,6 +219,9 @@
install -m 755 debian/ssh-argv0 debian/openssh-client/usr/bin/ssh-argv0
install -m 644 debian/ssh-argv0.1 debian/openssh-client/usr/share/man/man1/ssh-argv0.1
+ # do the same for the -opensc variant
+ install -m 755 debian/ssh-argv0 debian/openssh-client-opensc/usr/bin/ssh-argv0
+ install -m 644 debian/ssh-argv0.1 debian/openssh-client-opensc/usr/share/man/man1/ssh-argv0.1
install -o root -g root debian/openssh-server.init debian/openssh-server/etc/init.d/ssh
install -o root -g root -m 644 debian/openssh-server.default debian/openssh-server/etc/default/ssh
@@ -199,12 +238,16 @@
sed -i '/\$$OpenBSD:/d' \
debian/openssh-client/etc/ssh/moduli \
debian/openssh-client/etc/ssh/ssh_config
+ # do the same for the -opensc variant
+ sed -i '/\$$OpenBSD:/d' \
+ debian/openssh-client-opensc/etc/ssh/moduli \
+ debian/openssh-client-opensc/etc/ssh/ssh_config
# Build architecture-independent files here.
binary-indep: binary-ssh binary-ssh-krb5
# Build architecture-dependent files here.
-binary-arch: binary-openssh-client binary-openssh-server
+binary-arch: binary-openssh-client binary-openssh-client-opensc binary-openssh-server
binary-arch: binary-ssh-askpass-gnome
binary-arch: binary-openssh-client-udeb binary-openssh-server-udeb
@@ -232,6 +275,32 @@
dh_md5sums
dh_builddeb
+binary-openssh-client-opensc: DH_OPTIONS=-popenssh-client-opensc
+binary-openssh-client-opensc: build install
+ dh_testdir
+ dh_testroot
+ dh_installdebconf
+ dh_installdocs OVERVIEW README README.dns README.tun debian/faq.html debian/README.Debian
+ dh_installchangelogs ChangeLog ChangeLog.gssapi
+ mv debian/openssh-client-opensc/usr/share/doc/openssh-client-opensc debian/openssh-client-opensc/usr/share/doc/openssh-client
+ install -m644 debian/openssh-client.lintian debian/openssh-client-opensc/usr/share/lintian/overrides/openssh-client-opensc
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ chmod u+s debian/openssh-client-opensc/usr/lib/openssh/ssh-keysign
+ dh_installdeb
+ test ! -e debian/ssh/etc/ssh/ssh_prng_cmds \
+ || echo "/etc/ssh/ssh_prng_cmds" >> debian/openssh-client-opensc/DEBIAN/conffiles
+ perl -i debian/substitute-conffile.pl \
+ ETC_SSH_MODULI debian/openssh-client-opensc/etc/ssh/moduli \
+ ETC_SSH_SSH_CONFIG debian/openssh-client-opensc/etc/ssh/ssh_config \
+ debian/openssh-client-opensc/DEBIAN/preinst
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
binary-openssh-server: DH_OPTIONS=-popenssh-server
binary-openssh-server: build install
dh_testdir
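Review bot: this target installs `debian/openssh-client.lintian` into `usr/share/lintian/overrides/openssh-client-opensc`; the entries in that file are prefixed `openssh-client:` and lintian matches overrides by package name, so neither the setuid ssh-keysign nor the no-debconf-templates override takes effect, and the new `debian/openssh-client-opensc.lintian` added by this patch is never shipped. Install the new file instead. Also check `test ! -e debian/ssh/etc/ssh/ssh_prng_cmds`: it looks under `debian/ssh/` rather than this package's staging directory, so the conffile line can never be added; if that is copied from the openssh-client target it is at least consistent, but it should point at `debian/openssh-client-opensc/etc/ssh/ssh_prng_cmds`.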
@@ -342,6 +411,6 @@
.PHONY: build clean binary-indep binary-arch binary install
.PHONY: build-deb build-udeb
-.PHONY: binary-openssh-client binary-openssh-server binary-ssh
+.PHONY: binary-openssh-client binary-openssh-client-opensc binary-openssh-server binary-ssh
.PHONY: binary-ssh-krb5 binary-ssh-askpass-gnome
.PHONY: binary-openssh-client-udeb binary-openssh-server-udeb
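Review bot: `build-deb-opensc` is missing from `.PHONY: build-deb build-udeb` two lines above, while its binary counterpart was added to the next line; add it there, otherwise a stray file of that name in the source tree would silently satisfy the target.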
#!/bin/sh -e
## openssh-4.7p1-ask_for_pin.patch by the OpenSC project
##
## DP: ask for SmartCard PIN in case ssh-agent is not used
## DP: stolen from opensc CVS
## DP: available also as attachment to #608 in OpenSSH's bugzilla
if [ $# -lt 1 ]; then
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
exit 1
fi
[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
case "$1" in
-patch)
patch $patch_opts -p0 < $0
test -d debian && echo `basename $0` >> debian/patchlist
;;
-unpatch)
test -f debian/patchlist && rm -f debian/patchlist
patch $patch_opts -p0 -R < $0
;;
*)
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
exit 1
;;
esac
exit 0
--- scard.c
+++ scard.c 2007-06-17 18:24:59.000000000 +0200
@@ -40,6 +40,9 @@
#include "misc.h"
#include "scard.h"
+/* currently unused */
+int ask_for_pin = 0;
+
#if OPENSSL_VERSION_NUMBER < 0x00907000L
#define USE_ENGINE
#define RSA_get_default_method RSA_get_default_openssl_method
--- scard.h
+++ scard.h 2007-06-17 18:24:59.000000000 +0200
@@ -31,6 +31,8 @@
#define SCARD_ERROR_NOCARD -2
#define SCARD_ERROR_APPLET -3
+extern int ask_for_pin;
+
Key **sc_get_keys(const char *, const char *);
void sc_close(void);
int sc_put_key(Key *, const char *);
--- scard-opensc.c
+++ scard-opensc.c 2007-06-17 18:24:59.000000000 +0200
@@ -43,6 +43,8 @@
#include "misc.h"
#include "scard.h"
+int ask_for_pin=0;
+
#if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
#define USE_ENGINE
#define RSA_get_default_method RSA_get_default_openssl_method
@@ -124,6 +126,7 @@
struct sc_pkcs15_prkey_info *key;
struct sc_pkcs15_object *pin_obj;
struct sc_pkcs15_pin_info *pin;
+ char *passphrase = NULL;
priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
if (priv == NULL)
@@ -161,24 +164,47 @@
goto err;
}
pin = pin_obj->data;
+
+ if (sc_pin)
+ passphrase = sc_pin;
+ else if (ask_for_pin) {
+ /* we need a pin but don't have one => ask for the pin */
+ char prompt[64];
+
+ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
+ key_obj->label ? key_obj->label : "smartcard key");
+ passphrase = read_passphrase(prompt, 0);
+ if (!passphrase || !strcmp(passphrase, ""))
+ goto err;
+ } else
+ /* no pin => error */
+ goto err;
+
r = sc_lock(card);
if (r) {
error("Unable to lock smartcard: %s", sc_strerror(r));
goto err;
}
- if (sc_pin != NULL) {
- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
- strlen(sc_pin));
+ r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
+ strlen(passphrase));
if (r) {
sc_unlock(card);
error("PIN code verification failed: %s",
sc_strerror(r));
goto err;
}
- }
+
*key_obj_out = key_obj;
+ if (!sc_pin) {
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ }
return 0;
err:
+ if (!sc_pin && passphrase) {
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ }
sc_close();
return -1;
}
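Review bot: the final `else` in the new PIN selection carries only a comment and a bare `goto err;` with no braces, which is easy to misread and to break on the next edit; brace it. Two substantive points. First, behaviour changes for callers with `sc_pin == NULL` and `ask_for_pin == 0` (ssh in batch mode, or anything else linked against this backend): previously PIN verification was skipped and the card decided, now the operation fails before `sc_lock` with no `error()` call, so a batch-mode failure is undiagnosable; log why. Second, `key_obj->label ? key_obj->label : "smartcard key"`: if `label` is a char array in `struct sc_pkcs15_object`, as in the OpenSC releases of this period, the test is always true and should be `key_obj->label[0] ? ...`. Since this runs in the per-operation init, the user is prompted on every signature unless `sc_pin` is set; and the `memset(passphrase, 0, strlen(passphrase))` immediately before `xfree` is a dead store a compiler may drop, so clear it through a volatile pointer or an equivalent that the optimizer cannot remove.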
--- ssh.c
+++ ssh.c 2007-06-17 18:24:59.000000000 +0200
@@ -1220,6 +1220,9 @@
#ifdef SMARTCARD
Key **keys;
+ if (!options.batch_mode)
+ ask_for_pin = 1;
+
if (options.smartcard_device != NULL &&
options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
(keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
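Review bot: `ask_for_pin = 1` is set before the `options.smartcard_device != NULL` test, so it is also set when no reader is configured; harmless, since the backend only consults it inside a key operation, but moving it inside the `if` keeps the flag tied to the device. Note that only this caller sets it: any other program linked against the backend keeps `ask_for_pin` at 0 and therefore gets the new no-PIN-means-error behaviour.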