Package: openssh-client Version: 1:5.1p1-2 Severity: wishlist Tags: patch Hi,
might you please enable opensc-support in openssh? My first patch enables this via debian/rules and adds a build dependency on libopensc2-dev. The second patch allows typing the token PIN when using 'ssh -I'. ssh-add in combination with ssh-agent works without the second patch. Greetings, Christoph -- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.27-rc7-00094-gc0f4d6d (SMP w/2 CPU cores; PREEMPT) Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/bash Versions of packages openssh-client depends on: ii adduser 3.110 add and remove users and groups ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy ii dpkg 1.14.22 Debian package management system ii libc6 2.7-13 GNU C Library: Shared libraries ii libcomerr2 1.41.0-3 common error description library ii libedit2 2.11~20080614-1 BSD editline and history libraries ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries ii libncurses5 5.6+20080830-1 shared libraries for terminal hand ii libopensc2 0.11.4-5 SmartCard library with support for ii libssl0.9.8 0.9.8g-13 SSL shared libraries ii passwd 1:4.1.1-5 change and administer password and ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime Versions of packages openssh-client recommends: ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS pn openssh-blacklist-extra <none> (no description available) ii xauth 1:1.0.3-2 X authentication utility Versions of packages openssh-client suggests: pn keychain <none> (no description available) pn libpam-ssh <none> (no description available) ii ssh-askpass-gnome [ssh-askpas 1:5.1p1-2 interactive X program to prompt us -- no debconf information
From 6c743d8da70d04d7c044c781e16c2bf0c353c273 Mon Sep 17 00:00:00 2001
From: Christoph Goehre <[EMAIL PROTECTED]>
Date: Sat, 27 Sep 2008 19:07:34 +0200
Subject: [PATCH] build with-opensc
---
 debian/control | 2 +-
 debian/rules | 1 +
 2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/debian/control b/debian/control
index 27b27e7..c037d1b 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: openssh
 Section: net
 Priority: standard
 Maintainer: Debian OpenSSH Maintainers <[EMAIL PROTECTED]>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev | heimdal-dev
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev | heimdal-dev, libopensc2-dev
 Standards-Version: 3.7.3
 Uploaders: Colin Watson <[EMAIL PROTECTED]>, Matthew Vernon <[EMAIL PROTECTED]>
diff --git a/debian/rules b/debian/rules
index fb3f3a1..b0b06ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -84,6 +84,7 @@ confflags += --with-ssl-engine
 ifeq ($(DEB_HOST_ARCH_OS),linux)
 confflags += --with-selinux
 endif
+confflags += --with-opensc
 # The deb build wants xauth; the udeb build doesn't.
 confflags += --with-xauth=/usr/bin/X11/xauth
--
1.5.6.5
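Review bot: The added `confflags += --with-opensc` in debian/rules is unconditional and carries no comment, so every deb built from this source links the smartcard library; the reporter's own dependency listing already shows openssh-client depending on libopensc2. For a `Priority: standard` package that puts an extra library into the client for users who never use a token, which is worth stating next to the flag, e.g. `# Smartcard support via OpenSC; adds a runtime dependency on libopensc2.`. The matching `libopensc2-dev` entry in debian/control is unversioned and not architecture-restricted, unlike `libselinux1-dev` beside it; whether the library is available on every architecture this source builds for is not visible here and should be confirmed.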
From b576575b2a4887378bede9b0064f9c1126c06c36 Mon Sep 17 00:00:00 2001
From: Christoph Goehre <[EMAIL PROTECTED]>
Date: Sat, 27 Sep 2008 19:30:21 +0200
Subject: [PATCH] apply smartcard-ask-for-passphrase-patch from OpenSSH Bugzilla (Bug 608) https://bugzilla.mindrot.org/show_bug.cgi?id=608
---
 scard-opensc.c | 44 +++++++++++++++++++++++++++++++++++---------
 scard.c | 3 +++
 scard.h | 2 ++
 ssh.c | 3 +++
 4 files changed, 43 insertions(+), 9 deletions(-)
diff --git a/scard-opensc.c b/scard-opensc.c
index 36dae05..042544a 100644
--- a/scard-opensc.c
+++ b/scard-opensc.c
@@ -43,6 +43,8 @@
 #include "misc.h"
 #include "scard.h"
+int ask_for_pin=0;
+
 #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
 #define USE_ENGINE
 #define RSA_get_default_method RSA_get_default_openssl_method
@@ -124,6 +126,7 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out,
 struct sc_pkcs15_prkey_info *key;
 struct sc_pkcs15_object *pin_obj;
 struct sc_pkcs15_pin_info *pin;
+ char *passphrase = NULL;
 priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
 if (priv == NULL)
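Review bot: `int ask_for_pin=0;` in the first scard-opensc.c hunk and `int ask_for_pin = 0;` in the scard.c hunk are both initialised definitions of the same external symbol, which only links if the two files never contribute code to the same binary; the preprocessor guards that would ensure that lie outside the hunks and should be checked. The flag is also a mutable global that decides whether a private-key operation may prompt the user, and nothing at the definition says so; a comment such as `/* set by ssh.c when not in batch mode: prompt for the token PIN if sc_pin is unset */` would help. The second hunk only adds `char *passphrase = NULL;`, and sc_prkey_op_init continues beyond it.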
@@ -161,24 +164,47 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out,
 goto err;
 }
 pin = pin_obj->data;
+
+ if (sc_pin)
+ passphrase = sc_pin;
+ else if (ask_for_pin) {
+ /* we need a pin but don't have one => ask for the pin */
+ char prompt[64];
+
+ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
+ key_obj->label ? key_obj->label : "smartcard key");
+ passphrase = read_passphrase(prompt, 0);
+ if (!passphrase || !strcmp(passphrase, ""))
+ goto err;
+ } else
+ /* no pin => error */
+ goto err;
+
 r = sc_lock(card);
 if (r) {
 error("Unable to lock smartcard: %s", sc_strerror(r));
 goto err;
 }
- if (sc_pin != NULL) {
- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
- strlen(sc_pin));
- if (r) {
- sc_unlock(card);
- error("PIN code verification failed: %s",
- sc_strerror(r));
- goto err;
- }
+ r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
+ strlen(passphrase));
+ if (r) {
+ sc_unlock(card);
+ error("PIN code verification failed: %s",
+ sc_strerror(r));
+ goto err;
 }
+
 *key_obj_out = key_obj;
+ if (!sc_pin) {
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ }
 return 0;
 err:
+ if (!sc_pin && passphrase) {
+ memset(passphrase, 0, strlen(passphrase));
+ xfree(passphrase);
+ }
 sc_close();
 return -1;
 }
diff --git a/scard.c b/scard.c
index 9fd3ca1..e2d2812 100644
--- a/scard.c
+++ b/scard.c
@@ -40,6 +40,9 @@
 #include "misc.h"
 #include "scard.h"
+/* currently unused */
+int ask_for_pin = 0;
+
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
 #define USE_ENGINE
 #define RSA_get_default_method RSA_get_default_openssl_method
diff --git a/scard.h b/scard.h
index 82efe48..fe8d659 100644
--- a/scard.h
+++ b/scard.h
@@ -31,6 +31,8 @@
 #define SCARD_ERROR_NOCARD -2
 #define SCARD_ERROR_APPLET -3
+extern int ask_for_pin;
+
 Key **sc_get_keys(const char *, const char *);
 void sc_close(void);
 int sc_put_key(Key *, const char *);
diff --git a/ssh.c b/ssh.c
index e2e2ef4..23e8451 100644
--- a/ssh.c
+++ b/ssh.c
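Review bot: The two `memset(passphrase, 0, strlen(passphrase))` calls at the end of the scard-opensc.c hunk are each followed directly by `xfree(passphrase)`, so an optimising compiler may treat them as dead stores and drop them, leaving the prompted PIN in freed heap memory. Wiping through a volatile pointer in one small helper, used on both the success path and the `err:` path, keeps the store in practice; a sketch follows. Separately, the new `else goto err` branch changes behaviour: with `sc_pin` unset and `ask_for_pin` zero the function used to skip verification and continue, and it now fails without calling `error()`, so a batch-mode user gets no diagnostic. sc_prkey_op_init starts above this hunk, so the helper would sit before it in the file.

```c
/* Zero a prompted PIN through a volatile pointer so the store is kept, then free it. */
static void
sc_wipe_pin(char *pin)
{
	volatile char *p = pin;
	size_t left = strlen(pin);

	while (left-- > 0)
		*p++ = '\0';
	xfree(pin);
}

/* … unchanged: sc_prkey_op_init up to and including PIN verification … */
	*key_obj_out = key_obj;
	if (!sc_pin)
		sc_wipe_pin(passphrase);
	return 0;
err:
	if (!sc_pin && passphrase)
		sc_wipe_pin(passphrase);
	/* … unchanged: sc_close() and return -1 … */
```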
@@ -1243,6 +1243,9 @@ load_public_identity_files(void)
 #ifdef SMARTCARD
 Key **keys;
+ if (!options.batch_mode)
+ ask_for_pin = 1;
+
 if (options.smartcard_device != NULL &&
 options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
 (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
--
1.5.6.5
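Review bot: `ask_for_pin = 1` is set in load_public_identity_files() for every non-batch run, before the `options.smartcard_device != NULL` test on the following lines, so the global changes even when no smartcard device is configured. Moving the assignment under that condition, or testing `options.smartcard_device != NULL && !options.batch_mode`, would limit it to `-I` use. A comment such as `/* let scard-opensc.c prompt for the token PIN during private-key operations */` would also explain why a function that loads public identities touches it. The function body starts and ends outside this hunk.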