Bug#355274: marked as done (openssh-client with smart card support)



Your message dated Tue, 06 Apr 2010 22:45:12 +0000
with message-id <E1NzHWC-00088n-Se@ries.debian.org>
and subject line Bug#231472: fixed in openssh 1:5.4p1-1
has caused the Debian Bug report #231472,
regarding openssh-client with smart card support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
231472: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231472
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:4.2p1-7
Severity: wishlist
Tags: patch

Hi,

please support the use of smart cards in the openssh-client package.

The attached file contains the necessary patches
- to build an additional package 'openssh-client-sc' that uses
  opensc to support smart cards
  The package 'openssh-client-sc' conflicts with 'openssh-client', and
  'ssh' as well as 'openssh-server' are adapted to depend on either of
  the client packages.
- that allow asking for the smart card pin in case ssh-agent isn't used
  (from opensc CVS; also in bug #608 in OpenSSH's bugzilla)

Thanks in advance
Peter

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages openssh-client depends on:
ii  adduser       3.80                       Add and remove users and groups
ii  debconf [debc 1.4.70                     Debian configuration management sy
ii  dpkg          1.13.16                    package maintenance system for Deb
ii  libc6         2.3.5-13                   GNU C Library: Shared libraries an
ii  libcomerr2    1.38+1.39-WIP-2005.12.31-1 common error description library
ii  libedit2      2.9.cvs.20050518-2.2       BSD editline and history libraries
ii  libkrb53      1.4.3-5                    MIT Kerberos runtime libraries
ii  libncurses5   5.5-1                      Shared libraries for terminal hand
ii  libselinux1   1.28-4                     SELinux shared libraries
ii  libssl0.9.8   0.9.8a-7                   SSL shared libraries
ii  zlib1g        1:1.2.3-9                  compression library - runtime

openssh-client recommends no packages.

-- no debconf information
diff -rubN openssh-4.2p1/debian/control openssh-4.2p1/debian/control
--- openssh-4.2p1/debian/control	2006-03-04 17:17:18.000000000 +0100
+++ openssh-4.2p1/debian/control	2006-03-04 16:18:33.000000000 +0100
@@ -2,15 +2,15 @@
 Section: net
 Priority: standard
 Maintainer: Matthew Vernon <matthew@debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, libedit-dev, groff, debhelper (>= 3), sharutils, libselinux1-dev [alpha amd64 arm armeb hppa i386 ia64 m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, libedit-dev, groff, debhelper (>= 3), sharutils, libselinux1-dev [alpha amd64 arm armeb hppa i386 ia64 m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev, libopensc2-dev
 Standards-Version: 3.6.2
 Uploaders: Colin Watson <cjwatson@debian.org>
 
 Package: openssh-client
 Architecture: any
 Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0)
-Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5
-Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5, openssh-client-sc
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5, openssh-client-sc
 Suggests: ssh-askpass, xbase-clients
 Provides: rsh-client, ssh-client
 Description: Secure shell client, an rlogin/rsh/rcp replacement
@@ -35,10 +35,39 @@
  In some countries it may be illegal to use any encryption at all
  without a special permit.
 
+Package: openssh-client-sc
+Architecture: any
+Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0)
+Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5, openssh-client
+Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5, openssh-client
+Suggests: ssh-askpass, xbase-clients
+Provides: rsh-client, ssh-client, openssh-client
+Description: Secure shell client, an rlogin/rsh/rcp replacement with smartcard support
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network.  X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It is intended as a replacement for rlogin, rsh and rcp, and can be
+ used to provide applications with a secure communication channel.
+ .
+ This package provides the ssh, scp and sftp clients, the ssh-agent
+ and ssh-add programs to make public key authentication more convenient,
+ and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
+ .
+ --------------------------------------------------------------------
+ .
+ In some countries it may be illegal to use any encryption at all
+ without a special permit.
+
 Package: openssh-server
 Priority: optional
 Architecture: any
-Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version})
+Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version}) | openssh-client-sc (= ${Source-Version})
 Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5
 Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11), ssh-krb5
 Suggests: ssh-askpass, xbase-clients, rssh
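
Review bot: `Provides: rsh-client, ssh-client, openssh-client` in the new openssh-client-sc stanza is an unversioned Provides, so it only satisfies unversioned dependencies on openssh-client. That is why openssh-server needs the explicit `| openssh-client-sc (= ${Source-Version})` alternative in this same hunk; any other package with a versioned dependency on openssh-client needs the same treatment, which should be stated in the changelog. The long description is also copied without change and never mentions OpenSC or what the variant adds beyond the short description.
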
@@ -66,7 +95,7 @@
 Package: ssh
 Priority: extra
 Architecture: all
-Depends: openssh-client, openssh-server
+Depends: openssh-client | openssh-client-sc, openssh-server
 Description: Secure shell client and server (transitional package)
  This is a transitional package depending on both the OpenSSH client and
  the OpenSSH server, which are now in separate packages. You may remove
diff -rubN openssh-4.2p1/debian/openssh-client-sc.config openssh-4.2p1/debian/openssh-client-sc.config
--- openssh-4.2p1/debian/openssh-client-sc.config	1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.config	2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+action=$1
+version=$2
+
+# Source debconf library.
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then
+  version=1.2.27
+  cp -a /etc/ssh-nonfree /etc/ssh
+fi
+
+# Was ssh-keysign's setuid bit turned off using the obsolete debconf
+# question? If so, turn this into a statoverride. (Ugh.)
+if dpkg --compare-versions "$2" lt 1:4.1p1-2 && \
+    db_get ssh/SUID_client && [ "$RET" = false ] &&
+    [ -x /usr/sbin/dpkg-statoverride ] && \
+    ! dpkg-statoverride --list /usr/lib/ssh-keysign && \
+    ! dpkg-statoverride --list /usr/lib/openssh/ssh-keysign; then
+	dpkg-statoverride --update --add root root 0755 \
+		/usr/lib/openssh/ssh-keysign
+fi
+
+exit 0
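
Review bot: the statoverride migration guarded by `dpkg --compare-versions "$2" lt 1:4.1p1-2` cannot match a real upgrade of a package that first appears at 4.2p1, and because `lt` treats an empty version as earlier than any version, the condition is true on every fresh install. The chain then calls `db_get ssh/SUID_client`, a question for which this package carries no template (the patch adds a no-debconf-templates lintian override). Drop this block and the /etc/ssh-nonfree copy from the -sc config script, or switch to `lt-nl` and document which upgrade path is meant. `version` is assigned twice and never read.
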
diff -rubN openssh-4.2p1/debian/openssh-client-sc.dirs openssh-4.2p1/debian/openssh-client-sc.dirs
--- openssh-4.2p1/debian/openssh-client-sc.dirs	1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.dirs	2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1 @@
+usr/share/lintian/overrides
diff -rubN openssh-4.2p1/debian/openssh-client-sc.lintian openssh-4.2p1/debian/openssh-client-sc.lintian
--- openssh-4.2p1/debian/openssh-client-sc.lintian	1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.lintian	2006-03-04 15:23:53.000000000 +0100
@@ -0,0 +1,2 @@
+openssh-client-sc: setuid-binary usr/lib/openssh/ssh-keysign 4755 root/root
+openssh-client-sc: no-debconf-templates
diff -rubN openssh-4.2p1/debian/openssh-client-sc.postinst openssh-4.2p1/debian/openssh-client-sc.postinst
--- openssh-4.2p1/debian/openssh-client-sc.postinst	1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.postinst	2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,106 @@
+#!/bin/sh -e
+
+action="$1"
+oldversion="$2"
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+umask 022
+
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+
+
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+
+	if [ -L /usr/bin/rsh ] &&
+		dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+		for cmd in rlogin  rsh rcp ; do
+			[ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+			dpkg-divert --package ssh --remove --rename \
+				--divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+
+			[ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+			dpkg-divert --package ssh --remove --rename \
+				--divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+		done
+
+		rmdir /usr/bin/rsh.real
+	fi
+}
+
+create_alternatives() {
+# Create alternatives for the various r* tools.
+# Make sure we don't change existing alternatives that a user might have
+# changed, but clean up after some old alternatives that mistakenly pointed
+# rlogin and rcp to ssh.
+	update-alternatives --quiet --remove rlogin /usr/bin/ssh
+	update-alternatives --quiet --remove rcp /usr/bin/ssh
+	for cmd in rsh rlogin rcp; do
+		scmd="s${cmd#r}"
+		if ! update-alternatives --display "$cmd" | \
+				grep -q "$scmd"; then
+			update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
+				--slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
+		fi
+	done
+}
+
+set_ssh_permissions() {
+	if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
+	    if [ -x /usr/sbin/dpkg-statoverride ] ; then
+		if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
+		    dpkg-statoverride --remove /usr/bin/ssh >/dev/null
+		fi 
+	    fi
+	fi
+
+	# libexecdir changed, so migrate old statoverrides.
+	if [ -x /usr/sbin/dpkg-statoverride ] &&
+	    override="$(dpkg-statoverride --list /usr/lib/ssh-keysign)"; then
+		override_user="${override%% *}"
+		override="${override#* }"
+		override_group="${override%% *}"
+		override="${override#* }"
+		override_mode="${override%% *}"
+		if dpkg-statoverride --update --add \
+		    "$override_user" "$override_group" "$override_mode" \
+		    /usr/lib/openssh/ssh-keysign; then
+			dpkg-statoverride --remove /usr/lib/ssh-keysign || true
+		fi
+	fi
+}
+
+fix_ssh_group() {
+	# Try to remove non-system group mistakenly created by 1:3.5p1-1.
+	# set_ssh_agent_permissions() below will re-create it properly.
+	if getent group ssh >/dev/null; then
+		delgroup --quiet ssh || true
+	fi
+}
+
+set_ssh_agent_permissions() {
+	if ! getent group ssh >/dev/null; then
+		addgroup --system --quiet ssh
+	fi
+	if ! [ -x /usr/sbin/dpkg-statoverride ] || \
+	    ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
+		chgrp ssh /usr/bin/ssh-agent
+		chmod 2755 /usr/bin/ssh-agent
+	fi
+}
+
+
+fix_rsh_diversion
+create_alternatives
+set_ssh_permissions
+if [ "$2" = "1:3.5p1-1" ]; then
+    fix_ssh_group
+fi
+set_ssh_agent_permissions
+
+exit 0
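
Review bot: in fix_rsh_diversion, `rm /usr/man/man1/$$cmd.1.gz` expands `$$` to the shell's PID, so it targets a path that is not the symlink just tested with `[ -L /usr/man/man1/$cmd.1.gz ]`; under `#!/bin/sh -e` a failing rm as the last command of that `&&` list aborts the postinst. It should read `$cmd.1.gz`. Beyond that, fix_rsh_diversion, the `lt-nl 1:3.4p1-1` statoverride cleanup and the `"$2" = "1:3.5p1-1"` check all handle upgrades from versions that openssh-client-sc never had, so they can be dropped from this copy; the last check should use "$oldversion" like the rest of the script.
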
diff -rubN openssh-4.2p1/debian/openssh-client-sc.postrm openssh-4.2p1/debian/openssh-client-sc.postrm
--- openssh-4.2p1/debian/openssh-client-sc.postrm	1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.postrm	2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+#DEBHELPER#
+
+if [ "$1" = "purge" ]
+then
+    # Remove all non-conffiles that ssh might create, so that we can
+    # smoothly remove /etc/ssh if and only if the user hasn't dropped some
+    # other files in there. Conffiles have already been removed at this
+    # point.
+    rm -f /etc/ssh/moduli /etc/ssh/primes
+    rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+    rmdir --ignore-fail-on-non-empty /etc/ssh
+fi
+
+if [ "$1" = "purge" ] ; then
+	delgroup --quiet ssh > /dev/null || true
+fi
+
+exit 0
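
Review bot: the purge branch removes /etc/ssh/moduli, /etc/ssh/ssh_known_hosts and the ssh group unconditionally, but debian/control makes openssh-client-sc and openssh-client conflict with and replace each other. A user who switches back to openssh-client and later purges the leftover openssh-client-sc configuration loses the system-wide known_hosts file and the ssh group while a client is still installed. Guard the purge actions on the other client package being absent, and fold the two `if [ "$1" = "purge" ]` blocks into one.
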
diff -rubN openssh-4.2p1/debian/openssh-client-sc.prerm openssh-4.2p1/debian/openssh-client-sc.prerm
--- openssh-4.2p1/debian/openssh-client-sc.prerm	1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.2p1/debian/openssh-client-sc.prerm	2006-03-04 13:59:44.000000000 +0100
@@ -0,0 +1,39 @@
+#! /bin/sh
+# prerm script for ssh
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+    remove|deconfigure)
+	update-alternatives --quiet --remove rsh /usr/bin/ssh
+	update-alternatives --quiet --remove rlogin /usr/bin/slogin
+	update-alternatives --quiet --remove rcp /usr/bin/scp
+	;;
+    upgrade)
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
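
Review bot: the `*)` branch prints "prerm called with unknown argument" to stderr and then runs `exit 0`, so an unexpected invocation is reported to dpkg as success. Use `exit 1` there so the failure is visible.
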
diff -rubN openssh-4.2p1/debian/rules openssh-4.2p1/debian/rules
--- openssh-4.2p1/debian/rules	2006-03-04 17:17:18.000000000 +0100
+++ openssh-4.2p1/debian/rules	2006-03-04 16:04:57.000000000 +0100
@@ -65,7 +65,7 @@
 # Change the version string to include the Debian version
 SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')
 
-build: build-deb build-udeb
+build: build-deb build-sc-deb build-udeb
 
 build-deb: build-deb-stamp
 build-deb-stamp:
@@ -90,6 +90,23 @@
 
 	touch build-deb-stamp
 
+build-sc-deb: build-sc-deb-stamp
+build-sc-deb-stamp:
+	dh_testdir
+	mkdir -p build-sc-deb
+	cd build-sc-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit --with-kerberos5=/usr $(SELINUX) --with-opensc=/usr
+
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+	# Some 2.2 kernels have trouble with setres[ug]id() (bug #239999).
+	perl -pi -e 's/.*#undef (BROKEN_SETRES[UG]ID).*/#define $$1 1/' build-sc-deb/config.h
+endif
+	# Debian's /var/log/btmp has inappropriate permissions.
+	perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-sc-deb/config.h
+
+	$(MAKE) -C build-sc-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -std=gnu99 -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_EXTRAVERSION="\" $(SSH_EXTRAVERSION)\""'
+
+	touch build-sc-deb-stamp
+
 build-udeb: build-udeb-stamp
 build-udeb-stamp:
 	dh_testdir
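
Review bot: build-sc-deb-stamp hardcodes a complete configure line and CFLAGS string for a second build tree, with `--with-opensc=/usr` as the only flag that names the smart-card feature. Keep the options shared with build-deb-stamp in one variable and append the OpenSC flag per flavour, otherwise the two builds will drift the next time a configure option or define changes. The `-j 2` is also fixed here, and the whole tree is compiled even though the install step later deletes sshd and sftp-server from this package.
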
@@ -105,8 +122,8 @@
 
 clean:
 	dh_testdir
-	rm -f build-deb-stamp build-udeb-stamp
-	rm -rf build-deb build-udeb
+	rm -f build-deb-stamp build-sc-deb-stamp build-udeb-stamp
+	rm -rf build-deb build-sc-deb build-udeb
 	-$(MAKE) -C contrib clean
 	rm -f config.log
 ifeq ($(PO2DEBCONF),yes)
@@ -136,10 +153,13 @@
 	dh_installdirs
 
 	$(MAKE) -C build-deb DESTDIR=`pwd`/debian/openssh-client install-nokeys
+	$(MAKE) -C build-sc-deb DESTDIR=`pwd`/debian/openssh-client-sc install-nokeys
 
 	rm -f debian/openssh-client/etc/ssh/sshd_config
+	rm -f debian/openssh-client-sc/etc/ssh/sshd_config
 	#Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
 	rm -f debian/openssh-client/usr/share/Ssh.bin
+	rm -f debian/openssh-client-sc/usr/share/Ssh.bin
 
 	# Split off the server.
 	mv debian/openssh-client/usr/sbin/sshd debian/openssh-server/usr/sbin/
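
Review bot: the new `rm -f debian/openssh-client-sc/usr/share/Ssh.bin` sits under the existing comment "remove /usr/share/Ssh.bin, since we have no smartcard support anyway", which no longer holds for the -sc package. Either give the reason the file is still dropped from the smart-card build in a comment of its own, or keep the file in that package.
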
@@ -148,10 +168,19 @@
 	mv debian/openssh-client/usr/share/man/man8/sshd.8 debian/openssh-server/usr/share/man/man8/
 	mv debian/openssh-client/usr/share/man/man8/sftp-server.8 debian/openssh-server/usr/share/man/man8/
 	rmdir debian/openssh-client/usr/sbin debian/openssh-client/var/run/sshd
+	rm -f debian/openssh-client-sc/usr/sbin/sshd
+	rm -f debian/openssh-client-sc/usr/lib/openssh/sftp-server
+	rm -f debian/openssh-client-sc/usr/share/man/man5/sshd_config.5
+	rm -f debian/openssh-client-sc/usr/share/man/man8/sshd.8
+	rm -f debian/openssh-client-sc/usr/share/man/man8/sftp-server.8
+	rmdir debian/openssh-client-sc/usr/sbin debian/openssh-client-sc/var/run/sshd
 
 	install -m 755 contrib/ssh-copy-id debian/openssh-client/usr/bin/ssh-copy-id
 	install -m 644 -c contrib/ssh-copy-id.1 debian/openssh-client/usr/share/man/man1/ssh-copy-id.1
 	install -m 644 debian/moduli.5 debian/openssh-client/usr/share/man/man5/moduli.5
+	install -m 755 contrib/ssh-copy-id debian/openssh-client-sc/usr/bin/ssh-copy-id
+	install -m 644 -c contrib/ssh-copy-id.1 debian/openssh-client-sc/usr/share/man/man1/ssh-copy-id.1
+	install -m 644 debian/moduli.5 debian/openssh-client-sc/usr/share/man/man5/moduli.5
 
 	if [ -f contrib/gnome-ssh-askpass2 ]; then \
 		install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass; \
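
Review bot: the server files are moved out of openssh-client with `mv` but deleted from openssh-client-sc with `rm -f`, so the list of server paths is now maintained twice and a renamed or newly added file goes unnoticed in the -sc tree until `rmdir debian/openssh-client-sc/usr/sbin` fails, or ships in the client package if it lands elsewhere. Drive both package directories from one list of paths in a loop; the same applies to the duplicated ssh-copy-id and moduli.5 install lines.
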
@@ -163,6 +192,8 @@
 
 	install -m 755 debian/ssh-argv0 debian/openssh-client/usr/bin/ssh-argv0
 	install -m 644 debian/ssh-argv0.1 debian/openssh-client/usr/share/man/man1/ssh-argv0.1
+	install -m 755 debian/ssh-argv0 debian/openssh-client-sc/usr/bin/ssh-argv0
+	install -m 644 debian/ssh-argv0.1 debian/openssh-client-sc/usr/share/man/man1/ssh-argv0.1
 
 	install -o root -g root debian/openssh-server.init debian/openssh-server/etc/init.d/ssh
 	install -o root -g root -m 644 debian/openssh-server.default debian/openssh-server/etc/default/ssh
@@ -177,7 +208,7 @@
 binary-indep: binary-ssh
 
 # Build architecture-dependent files here.
-binary-arch: binary-openssh-client binary-openssh-server
+binary-arch: binary-openssh-client binary-openssh-client-sc binary-openssh-server
 binary-arch: binary-ssh-askpass-gnome
 binary-arch: binary-openssh-client-udeb binary-openssh-server-udeb
 
@@ -202,6 +233,28 @@
 	dh_md5sums
 	dh_builddeb
 
+binary-openssh-client-sc: DH_OPTIONS=-popenssh-client-sc
+binary-openssh-client-sc: build install
+	dh_testdir
+	dh_testroot
+	dh_installdebconf
+	dh_installdocs OVERVIEW README README.dns
+	cat debian/copyright.head LICENCE > debian/openssh-client-sc/usr/share/doc/openssh-client-sc/copyright
+	dh_installchangelogs ChangeLog
+	install -m644 debian/openssh-client.lintian debian/openssh-client-sc/usr/share/lintian/overrides/openssh-client-sc
+	mv debian/openssh-client-sc/usr/share/doc/openssh-client-sc debian/openssh-client-sc/usr/share/doc/openssh-client
+	dh_strip
+	dh_compress
+	dh_fixperms
+	chmod u+s debian/openssh-client-sc/usr/lib/openssh/ssh-keysign
+	dh_installdeb
+	test ! -e debian/ssh/etc/ssh/ssh_prng_cmds \
+	  || echo "/etc/ssh/ssh_prng_cmds" >> debian/openssh-client-sc/DEBIAN/conffiles
+	dh_shlibdeps
+	dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER)) | debconf-2.0'
+	dh_md5sums
+	dh_builddeb
+
 binary-openssh-server: DH_OPTIONS=-popenssh-server
 binary-openssh-server: build install
 	dh_testdir
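
Review bot: `install -m644 debian/openssh-client.lintian ...` installs the openssh-client override file rather than the debian/openssh-client-sc.lintian that this patch adds, so the new overrides (the ones prefixed `openssh-client-sc:`) are never shipped. Point the install at the -sc file. The `mv` on the next line renames usr/share/doc/openssh-client-sc to usr/share/doc/openssh-client, which leaves the copyright file outside /usr/share/doc/openssh-client-sc, the per-package location policy requires.
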
diff -rubN openssh-4.2p1/scard.c openssh-4.2p1/scard.c
--- openssh-4.2p1/scard.c	2004-05-13 08:15:48.000000000 +0200
+++ openssh-4.2p1/scard.c	2006-03-04 15:51:30.000000000 +0100
@@ -35,6 +35,9 @@
 #include "misc.h"
 #include "scard.h"
 
+/* currently unused */
+int ask_for_pin = 0;
+
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
 #define USE_ENGINE
 #define RSA_get_default_method RSA_get_default_openssl_method
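
Review bot: `int ask_for_pin = 0;` is defined here under the comment "currently unused" and defined again in scard-opensc.c, with the extern in scard.h. That links only as long as exactly one of the two backends is compiled in, and it means the `ask_for_pin = 1` set in ssh.c silently does nothing with the backend in this file. Expand the comment to say that this backend ignores the flag, or keep a single definition in a file that is always built.
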
diff -rubN openssh-4.2p1/scard.h openssh-4.2p1/scard.h
--- openssh-4.2p1/scard.h	2003-06-18 12:28:40.000000000 +0200
+++ openssh-4.2p1/scard.h	2006-03-04 15:51:30.000000000 +0100
@@ -33,6 +33,8 @@
 #define SCARD_ERROR_NOCARD	-2
 #define SCARD_ERROR_APPLET	-3
 
+extern int ask_for_pin;
+
 Key	**sc_get_keys(const char *, const char *);
 void	 sc_close(void);
 int	 sc_put_key(Key *, const char *);
diff -rubN openssh-4.2p1/scard-opensc.c openssh-4.2p1/scard-opensc.c
--- openssh-4.2p1/scard-opensc.c	2004-05-13 09:29:35.000000000 +0200
+++ openssh-4.2p1/scard-opensc.c	2006-03-04 15:51:30.000000000 +0100
@@ -38,6 +38,8 @@
 #include "misc.h"
 #include "scard.h"
 
+int ask_for_pin=0;
+
 #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
 #define USE_ENGINE
 #define RSA_get_default_method RSA_get_default_openssl_method
@@ -119,6 +121,7 @@
 	struct sc_pkcs15_prkey_info *key;
 	struct sc_pkcs15_object *pin_obj;
 	struct sc_pkcs15_pin_info *pin;
+	char *passphrase = NULL;
 
 	priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
 	if (priv == NULL)
@@ -156,24 +159,47 @@
 		goto err;
 	}
 	pin = pin_obj->data;
+
+	if (sc_pin)
+		passphrase = sc_pin;
+	else if (ask_for_pin) {
+		/* we need a pin but don't have one => ask for the pin */
+		char prompt[64];
+
+		snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
+			key_obj->label ? key_obj->label : "smartcard key");
+		passphrase = read_passphrase(prompt, 0);
+		if (!passphrase || !strcmp(passphrase, ""))
+			goto err;
+	} else 
+		/* no pin => error */
+		goto err;
+
 	r = sc_lock(card);
 	if (r) {
 		error("Unable to lock smartcard: %s", sc_strerror(r));
 		goto err;
 	}
-	if (sc_pin != NULL) {
-		r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
-					 strlen(sc_pin));
+	r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
+				 strlen(passphrase));
 		if (r) {
 			sc_unlock(card);
 			error("PIN code verification failed: %s",
 			      sc_strerror(r));
 			goto err;
 		}
-	}
+
 	*key_obj_out = key_obj;
+	if (!sc_pin) {
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+	}
 	return 0;
 err:
+	if (!sc_pin && passphrase) {
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+	}
 	sc_close();
 	return -1;
 }
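
Review bot: with `sc_pin == NULL` and `ask_for_pin == 0` the new `else` branch does `goto err`, whereas the removed code skipped sc_pkcs15_verify_pin and carried on. Batch-mode ssh and any caller that never sets ask_for_pin now get sc_close() and -1 where they previously proceeded without PIN verification. If that is intended, say so and call error() on that path; the empty-PIN and failed read_passphrase paths also jump to err without a message. Two smaller points: the `if (r) { ... }` block after sc_pkcs15_verify_pin keeps the indentation of the removed `if (sc_pin != NULL)`, and the `memset(passphrase, 0, strlen(passphrase))` before xfree() is the kind of dead store a compiler may drop, so the PIN wipe should go through a routine that cannot be optimised away.
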
diff -rubN openssh-4.2p1/ssh.c openssh-4.2p1/ssh.c
--- openssh-4.2p1/ssh.c	2006-03-04 17:17:18.000000000 +0100
+++ openssh-4.2p1/ssh.c	2006-03-04 15:51:30.000000000 +0100
@@ -1144,6 +1144,9 @@
 #ifdef SMARTCARD
 	Key **keys;
 
+	if (!options.batch_mode)
+		ask_for_pin = 1;
+
 	if (options.smartcard_device != NULL &&
 	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
 	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
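
Review bot: `ask_for_pin = 1` is set on a global as a side effect just before sc_get_keys(), keyed only on `!options.batch_mode`. Passing the flag into sc_get_keys(), or adding a setter declared in scard.h, would make the dependency explicit. Add a comment that the prompt covers only this direct ssh path, since nothing in the patch sets the flag for ssh-add or ssh-agent.
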

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.4p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.4p1-1_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.4p1-1_i386.udeb
openssh-client_5.4p1-1_i386.deb
  to main/o/openssh/openssh-client_5.4p1-1_i386.deb
openssh-server-udeb_5.4p1-1_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.4p1-1_i386.udeb
openssh-server_5.4p1-1_i386.deb
  to main/o/openssh/openssh-server_5.4p1-1_i386.deb
openssh_5.4p1-1.debian.tar.gz
  to main/o/openssh/openssh_5.4p1-1.debian.tar.gz
openssh_5.4p1-1.dsc
  to main/o/openssh/openssh_5.4p1-1.dsc
openssh_5.4p1.orig.tar.gz
  to main/o/openssh/openssh_5.4p1.orig.tar.gz
ssh-askpass-gnome_5.4p1-1_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.4p1-1_i386.deb
ssh-krb5_5.4p1-1_all.deb
  to main/o/openssh/ssh-krb5_5.4p1-1_all.deb
ssh_5.4p1-1_all.deb
  to main/o/openssh/ssh_5.4p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 231472@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 06 Apr 2010 22:38:31 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.4p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 231472 270399 280609 360151 428082 431538 482806 496843 531561 555625 575725
Changes: 
 openssh (1:5.4p1-1) unstable; urgency=low
 .
   * New upstream release (LP: #535029).
     - After a transition period of about 10 years, this release disables SSH
       protocol 1 by default.  Clients and servers that need to use the
       legacy protocol must explicitly enable it in ssh_config / sshd_config
       or on the command-line.
     - Remove the libsectok/OpenSC-based smartcard code and add support for
       PKCS#11 tokens.  This support is enabled by default in the Debian
       packaging, since it now doesn't involve additional library
       dependencies (closes: #231472, LP: #16918).
     - Add support for certificate authentication of users and hosts using a
       new, minimal OpenSSH certificate format (closes: #482806).
     - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
     - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
       package, this overlaps with the key blacklisting facility added in
       openssh 1:4.7p1-9, but with different file formats and slightly
       different scopes; for the moment, I've roughly merged the two.)
     - Various multiplexing improvements, including support for requesting
       port-forwardings via the multiplex protocol (closes: #360151).
     - Allow setting an explicit umask on the sftp-server(8) commandline to
       override whatever default the user has (closes: #496843).
     - Many sftp client improvements, including tab-completion, more options,
       and recursive transfer support for get/put (LP: #33378).  The old
       mget/mput commands never worked properly and have been removed
       (closes: #270399, #428082).
     - Do not prompt for a passphrase if we fail to open a keyfile, and log
       the reason why the open failed to debug (closes: #431538).
     - Prevent sftp from crashing when given a "-" without a command.  Also,
       allow whitespace to follow a "-" (closes: #531561).
 .
   * Fix 'debian/rules quilt-setup' to avoid writing .orig files if some
     patches apply with offsets.
   * Include debian/ssh-askpass-gnome.png in the Debian tarball now that
     we're using a source format that permits this, rather than messing
     around with uudecode.
   * Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
     3.8.1p1-1.  Simon Wilkinson refused this patch since the old gssapi
     mechanism was removed due to a serious security hole, and since these
     versions of ssh-krb5 are no longer security-supported by Debian I don't
     think there's any point keeping client compatibility for them.
   * Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.
   * Hardcode the location of xauth to /usr/bin/xauth rather than
     /usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440).
     xauth no longer depends on x11-common, so we're no longer guaranteed to
     have the /usr/bin/X11 symlink available.  I was taking advantage of the
     /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far
     enough in the past now that it's probably safe to just use /usr/bin.
   * Remove SSHD_OOM_ADJUST configuration.  sshd now unconditionally makes
     itself non-OOM-killable, and doesn't require configuration to avoid log
     spam in virtualisation containers (closes: #555625).
   * Drop Debian-specific removal of OpenSSL version check.  Upstream ignores
     the two patchlevel nybbles now, which is sufficient to address the
     original reason this change was introduced, and it appears that any
     change in the major/minor/fix nybbles would involve a new libssl package
     name.  (We'd still lose if the status nybble were ever changed, but that
     would mean somebody had packaged a development/beta version rather than
     a proper release, which doesn't appear to be normal practice.)
   * Drop most of our "LogLevel SILENT" (-qq) patch.  This was originally
     introduced to match the behaviour of non-free SSH, in which -q does not
     suppress fatal errors, but matching the behaviour of OpenSSH upstream is
     much more important nowadays.  We no longer document that -q does not
     suppress fatal errors (closes: #280609).  Migrate "LogLevel SILENT" to
     "LogLevel QUIET" in sshd_config on upgrade.
   * Policy version 3.8.4:
     - Add a Homepage field.
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFLu6sC9t0zAhD6TNERAi7BAJ9CuOPsPweVIdZWYeW46XtLsSEe2wCfSvfN
l+75IGaMwDbORvZOAryllMQ=
=88S0
-----END PGP SIGNATURE-----



--- End Message ---