diff options
| author | Damien Miller <djm@mindrot.org> | 2003-06-11 22:06:33 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-06-11 22:06:33 +1000 |
| commit | d94f20d28e9e966576302cd951776401c2856df6 (patch) | |
| tree | 028352e13c131c8500f0826088cc3c4bb3a3c00a | |
| parent | 0e1b937f1362866765c09c11d3f4066f108ff910 (diff) | |
- djm@cvs.openbsd.org 2003/06/11 11:18:38
[authfd.c authfd.h ssh-add.c ssh-agent.c]
make agent constraints (lifetime, confirm) work with smartcard keys;
ok markus@
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | authfd.c | 27 | ||||
| -rw-r--r-- | authfd.h | 6 | ||||
| -rw-r--r-- | ssh-add.c | 4 | ||||
| -rw-r--r-- | ssh-agent.c | 25 |
5 files changed, 54 insertions, 14 deletions
| @@ -18,6 +18,10 @@ | |||
| 18 | - jakob@cvs.openbsd.org 2003/06/11 10:18:47 | 18 | - jakob@cvs.openbsd.org 2003/06/11 10:18:47 |
| 19 | [dns.c] | 19 | [dns.c] |
| 20 | sync with check_host_key() change | 20 | sync with check_host_key() change |
| 21 | - djm@cvs.openbsd.org 2003/06/11 11:18:38 | ||
| 22 | [authfd.c authfd.h ssh-add.c ssh-agent.c] | ||
| 23 | make agent constraints (lifetime, confirm) work with smartcard keys; | ||
| 24 | ok markus@ | ||
| 21 | 25 | ||
| 22 | 26 | ||
| 23 | 20030609 | 27 | 20030609 |
| @@ -502,4 +506,4 @@ | |||
| 502 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 506 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
| 503 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 507 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
| 504 | 508 | ||
| 505 | $Id: ChangeLog,v 1.2796 2003/06/11 12:05:45 djm Exp $ | 509 | $Id: ChangeLog,v 1.2797 2003/06/11 12:06:33 djm Exp $ |
| @@ -35,7 +35,7 @@ | |||
| 35 | */ | 35 | */ |
| 36 | 36 | ||
| 37 | #include "includes.h" | 37 | #include "includes.h" |
| 38 | RCSID("$OpenBSD: authfd.c,v 1.59 2003/04/08 20:21:28 itojun Exp $"); | 38 | RCSID("$OpenBSD: authfd.c,v 1.60 2003/06/11 11:18:38 djm Exp $"); |
| 39 | 39 | ||
| 40 | #include <openssl/evp.h> | 40 | #include <openssl/evp.h> |
| 41 | 41 | ||
| @@ -589,16 +589,33 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) | |||
| 589 | } | 589 | } |
| 590 | 590 | ||
| 591 | int | 591 | int |
| 592 | ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin) | 592 | ssh_update_card(AuthenticationConnection *auth, int add, |
| 593 | const char *reader_id, const char *pin, u_int life, u_int confirm) | ||
| 593 | { | 594 | { |
| 594 | Buffer msg; | 595 | Buffer msg; |
| 595 | int type; | 596 | int type, constrained = (life || confirm); |
| 597 | |||
| 598 | if (add) { | ||
| 599 | type = constrained ? | ||
| 600 | SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED : | ||
| 601 | SSH_AGENTC_ADD_SMARTCARD_KEY; | ||
| 602 | } else | ||
| 603 | type = SSH_AGENTC_REMOVE_SMARTCARD_KEY; | ||
| 596 | 604 | ||
| 597 | buffer_init(&msg); | 605 | buffer_init(&msg); |
| 598 | buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY : | 606 | buffer_put_char(&msg, type); |
| 599 | SSH_AGENTC_REMOVE_SMARTCARD_KEY); | ||
| 600 | buffer_put_cstring(&msg, reader_id); | 607 | buffer_put_cstring(&msg, reader_id); |
| 601 | buffer_put_cstring(&msg, pin); | 608 | buffer_put_cstring(&msg, pin); |
| 609 | |||
| 610 | if (constrained) { | ||
| 611 | if (life != 0) { | ||
| 612 | buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); | ||
| 613 | buffer_put_int(&msg, life); | ||
| 614 | } | ||
| 615 | if (confirm != 0) | ||
| 616 | buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM); | ||
| 617 | } | ||
| 618 | |||
| 602 | if (ssh_request_reply(auth, &msg, &msg) == 0) { | 619 | if (ssh_request_reply(auth, &msg, &msg) == 0) { |
| 603 | buffer_free(&msg); | 620 | buffer_free(&msg); |
| 604 | return 0; | 621 | return 0; |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: authfd.h,v 1.32 2003/01/23 13:50:27 markus Exp $ */ | 1 | /* $OpenBSD: authfd.h,v 1.33 2003/06/11 11:18:38 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -49,6 +49,7 @@ | |||
| 49 | /* add key with constraints */ | 49 | /* add key with constraints */ |
| 50 | #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24 | 50 | #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24 |
| 51 | #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 | 51 | #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 |
| 52 | #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 | ||
| 52 | 53 | ||
| 53 | #define SSH_AGENT_CONSTRAIN_LIFETIME 1 | 54 | #define SSH_AGENT_CONSTRAIN_LIFETIME 1 |
| 54 | #define SSH_AGENT_CONSTRAIN_CONFIRM 2 | 55 | #define SSH_AGENT_CONSTRAIN_CONFIRM 2 |
| @@ -82,7 +83,8 @@ int ssh_add_identity_constrained(AuthenticationConnection *, Key *, | |||
| 82 | int ssh_remove_identity(AuthenticationConnection *, Key *); | 83 | int ssh_remove_identity(AuthenticationConnection *, Key *); |
| 83 | int ssh_remove_all_identities(AuthenticationConnection *, int); | 84 | int ssh_remove_all_identities(AuthenticationConnection *, int); |
| 84 | int ssh_lock_agent(AuthenticationConnection *, int, const char *); | 85 | int ssh_lock_agent(AuthenticationConnection *, int, const char *); |
| 85 | int ssh_update_card(AuthenticationConnection *, int, const char *, const char *); | 86 | int ssh_update_card(AuthenticationConnection *, int, const char *, |
| 87 | const char *, u_int, u_int); | ||
| 86 | 88 | ||
| 87 | int | 89 | int |
| 88 | ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], | 90 | ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], |
| @@ -35,7 +35,7 @@ | |||
| 35 | */ | 35 | */ |
| 36 | 36 | ||
| 37 | #include "includes.h" | 37 | #include "includes.h" |
| 38 | RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $"); | 38 | RCSID("$OpenBSD: ssh-add.c,v 1.67 2003/06/11 11:18:38 djm Exp $"); |
| 39 | 39 | ||
| 40 | #include <openssl/evp.h> | 40 | #include <openssl/evp.h> |
| 41 | 41 | ||
| @@ -201,7 +201,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) | |||
| 201 | if (pin == NULL) | 201 | if (pin == NULL) |
| 202 | return -1; | 202 | return -1; |
| 203 | 203 | ||
| 204 | if (ssh_update_card(ac, add, id, pin)) { | 204 | if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) { |
| 205 | fprintf(stderr, "Card %s: %s\n", | 205 | fprintf(stderr, "Card %s: %s\n", |
| 206 | add ? "added" : "removed", id); | 206 | add ? "added" : "removed", id); |
| 207 | ret = 0; | 207 | ret = 0; |
diff --git a/ssh-agent.c b/ssh-agent.c index fbd41834e..61ea34580 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
| @@ -35,7 +35,7 @@ | |||
| 35 | 35 | ||
| 36 | #include "includes.h" | 36 | #include "includes.h" |
| 37 | #include "openbsd-compat/sys-queue.h" | 37 | #include "openbsd-compat/sys-queue.h" |
| 38 | RCSID("$OpenBSD: ssh-agent.c,v 1.109 2003/04/08 20:21:29 itojun Exp $"); | 38 | RCSID("$OpenBSD: ssh-agent.c,v 1.110 2003/06/11 11:18:38 djm Exp $"); |
| 39 | 39 | ||
| 40 | #include <openssl/evp.h> | 40 | #include <openssl/evp.h> |
| 41 | #include <openssl/md5.h> | 41 | #include <openssl/md5.h> |
| @@ -580,13 +580,29 @@ static void | |||
| 580 | process_add_smartcard_key (SocketEntry *e) | 580 | process_add_smartcard_key (SocketEntry *e) |
| 581 | { | 581 | { |
| 582 | char *sc_reader_id = NULL, *pin; | 582 | char *sc_reader_id = NULL, *pin; |
| 583 | int i, version, success = 0; | 583 | int i, version, success = 0, death = 0, confirm = 0; |
| 584 | Key **keys, *k; | 584 | Key **keys, *k; |
| 585 | Identity *id; | 585 | Identity *id; |
| 586 | Idtab *tab; | 586 | Idtab *tab; |
| 587 | 587 | ||
| 588 | sc_reader_id = buffer_get_string(&e->request, NULL); | 588 | sc_reader_id = buffer_get_string(&e->request, NULL); |
| 589 | pin = buffer_get_string(&e->request, NULL); | 589 | pin = buffer_get_string(&e->request, NULL); |
| 590 | |||
| 591 | while (buffer_len(&e->request)) { | ||
| 592 | switch (buffer_get_char(&e->request)) { | ||
| 593 | case SSH_AGENT_CONSTRAIN_LIFETIME: | ||
| 594 | death = time(NULL) + buffer_get_int(&e->request); | ||
| 595 | break; | ||
| 596 | case SSH_AGENT_CONSTRAIN_CONFIRM: | ||
| 597 | confirm = 1; | ||
| 598 | break; | ||
| 599 | default: | ||
| 600 | break; | ||
| 601 | } | ||
| 602 | } | ||
| 603 | if (lifetime && !death) | ||
| 604 | death = time(NULL) + lifetime; | ||
| 605 | |||
| 590 | keys = sc_get_keys(sc_reader_id, pin); | 606 | keys = sc_get_keys(sc_reader_id, pin); |
| 591 | xfree(sc_reader_id); | 607 | xfree(sc_reader_id); |
| 592 | xfree(pin); | 608 | xfree(pin); |
| @@ -603,8 +619,8 @@ process_add_smartcard_key (SocketEntry *e) | |||
| 603 | id = xmalloc(sizeof(Identity)); | 619 | id = xmalloc(sizeof(Identity)); |
| 604 | id->key = k; | 620 | id->key = k; |
| 605 | id->comment = xstrdup("smartcard key"); | 621 | id->comment = xstrdup("smartcard key"); |
| 606 | id->death = 0; | 622 | id->death = death; |
| 607 | id->confirm = 0; | 623 | id->confirm = confirm; |
| 608 | TAILQ_INSERT_TAIL(&tab->idlist, id, next); | 624 | TAILQ_INSERT_TAIL(&tab->idlist, id, next); |
| 609 | tab->nentries++; | 625 | tab->nentries++; |
| 610 | success = 1; | 626 | success = 1; |
| @@ -748,6 +764,7 @@ process_message(SocketEntry *e) | |||
| 748 | break; | 764 | break; |
| 749 | #ifdef SMARTCARD | 765 | #ifdef SMARTCARD |
| 750 | case SSH_AGENTC_ADD_SMARTCARD_KEY: | 766 | case SSH_AGENTC_ADD_SMARTCARD_KEY: |
| 767 | case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED: | ||
| 751 | process_add_smartcard_key(e); | 768 | process_add_smartcard_key(e); |
| 752 | break; | 769 | break; |
| 753 | case SSH_AGENTC_REMOVE_SMARTCARD_KEY: | 770 | case SSH_AGENTC_REMOVE_SMARTCARD_KEY: |