- markus@cvs.openbsd.org 2001/04/09 15:12:23

     [ssh-add.c]
     passphrase caching: ssh-add tries last passphrase, clears passphrase if
     not successful and after last try.
     based on discussions with espie@, jakob@, ... and code from jakob@ and
     wolfgang@wsrcc.com

2 files changed, 28 insertions, 5 deletions

diff --git a/ChangeLog b/ChangeLog
index ff1cf8c79..51c38fd5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,12 @@
    - stevesk@cvs.openbsd.org 2001/04/09 00:42:05
      [sftp.1]
      spelling
+   - markus@cvs.openbsd.org 2001/04/09 15:12:23
+     [ssh-add.c]
+     passphrase caching: ssh-add tries last passphrase, clears passphrase if
+     not successful and after last try.
+     based on discussions with espie@, jakob@, ... and code from jakob@ and
+     wolfgang@wsrcc.com
 
 20010409
  - (stevesk) use setresgid() for setegid() if needed
@@ -4978,4 +4984,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1090 2001/04/10 02:43:57 mouring Exp $
+$Id: ChangeLog,v 1.1091 2001/04/10 02:45:32 mouring Exp $
diff --git a/ssh-add.c b/ssh-add.c
index eaa773816..f887455bf 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.32 2001/04/08 13:03:00 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.33 2001/04/09 15:12:23 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -55,6 +55,18 @@ extern char *__progname;
 char *__progname;
 #endif
 
+/* we keep a cache of one passphrases */
+static char *pass = NULL;
+void
+clear_pass(void)
+{
+        if (pass) {
+                memset(pass, 0, strlen(pass));
+                xfree(pass);
+                pass = NULL;
+        }
+}
+
 void
 delete_file(AuthenticationConnection *ac, const char *filename)
 {
@@ -136,7 +148,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
 {
         struct stat st;
         Key *private;
-        char *comment = NULL, *askpass = NULL, *pass;
+        char *comment = NULL, *askpass = NULL;
         char buf[1024], msg[1024];
         int interactive = isatty(STDIN_FILENO);
 
@@ -155,7 +167,12 @@ add_file(AuthenticationConnection *ac, const char *filename)
         private = key_load_private(filename, "", &comment);
         if (comment == NULL)
                 comment = xstrdup(filename);
+        /* try last */
+        if (private == NULL && pass != NULL)
+                private = key_load_private(filename, pass, NULL);
         if (private == NULL) {
+                /* clear passphrase since it did not work */
+                clear_pass();
                 printf("Need passphrase for %.200s\n", filename);
                 if (!interactive && askpass == NULL) {
                         xfree(comment);
@@ -175,10 +192,9 @@ add_file(AuthenticationConnection *ac, const char *filename)
                                 return;
                         }
                         private = key_load_private(filename, pass, &comment);
-                        memset(pass, 0, strlen(pass));
-                        xfree(pass);
                         if (private != NULL)
                                 break;
+                        clear_pass();
                         strlcpy(msg, "Bad passphrase, try again", sizeof msg);
                 }
         }
@@ -280,6 +296,7 @@ main(int argc, char **argv)
                 else
                         add_file(ac, buf);
         }
+        clear_pass();
         ssh_close_authentication_connection(ac);
         exit(0);
 }