diff options
| author | Damien Miller <djm@mindrot.org> | 2002-04-23 22:48:46 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2002-04-23 22:48:46 +1000 |
| commit | f6195f2be82cae07660db8f7c3039567f37ffa74 (patch) | |
| tree | 5acf61fca1ea4bc07f5aa180feb78a0724305116 | |
| parent | 654a4ef9699c7e396626abd23d725e8534f953c1 (diff) | |
- (djm) Applied OpenSC smartcard updates from Markus &
Antti Tapaninen <aet@cc.hut.fi>
| -rw-r--r-- | README.smartcard | 60 | ||||
| -rw-r--r-- | configure.ac | 45 | ||||
| -rw-r--r-- | scard-opensc.c | 2 |
3 files changed, 52 insertions, 55 deletions
diff --git a/README.smartcard b/README.smartcard index 3017452c4..29bec8dc6 100644 --- a/README.smartcard +++ b/README.smartcard | |||
| @@ -1,31 +1,23 @@ | |||
| 1 | How to use smartcards with OpenSSH? | 1 | How to use smartcards with OpenSSH? |
| 2 | 2 | ||
| 3 | OpenSSH contains experimental support for authentication using | 3 | OpenSSH contains experimental support for authentication using Cyberflex |
| 4 | Cyberflex smartcards and TODOS card readers, in addition to the cards with | 4 | smartcards and TODOS card readers, in addition to the cards with PKCS#15 |
| 5 | PKCS #15 structure supported by OpenSC. | 5 | structure supported by OpenSC. |
| 6 | 6 | ||
| 7 | WARNING: Smartcard support is still in development. Keyfile formats, etc | 7 | WARNING: Smartcard support is still in development. |
| 8 | are still subject to change. | 8 | Keyfile formats, etc are still subject to change. |
| 9 | 9 | ||
| 10 | To enable this you need to: | 10 | To enable sectok support: |
| 11 | 11 | ||
| 12 | (1) install sectok or OpenSC | 12 | (1) install sectok: |
| 13 | 13 | ||
| 14 | Sources are instructions are available from | 14 | Sources and instructions are available from |
| 15 | http://www.citi.umich.edu/projects/smartcard/sectok.html | 15 | http://www.citi.umich.edu/projects/smartcard/sectok.html |
| 16 | 16 | ||
| 17 | or | 17 | (2) enable sectok support in OpenSSH: |
| 18 | |||
| 19 | http://www.opensc.org/ | ||
| 20 | |||
| 21 | (2) enable SMARTCARD support in OpenSSH: | ||
| 22 | 18 | ||
| 23 | $ ./configure --with-sectok[=/path/to/libsectok] [options] | 19 | $ ./configure --with-sectok[=/path/to/libsectok] [options] |
| 24 | 20 | ||
| 25 | or | ||
| 26 | |||
| 27 | $ ./configure --with-opensc[=/path/to/opensc] [options] | ||
| 28 | |||
| 29 | (3) load the Java Cardlet to the Cyberflex card: | 21 | (3) load the Java Cardlet to the Cyberflex card: |
| 30 | 22 | ||
| 31 | $ sectok | 23 | $ sectok |
| @@ -35,12 +27,11 @@ To enable this you need to: | |||
| 35 | 27 | ||
| 36 | (4) load a RSA key to the card: | 28 | (4) load a RSA key to the card: |
| 37 | 29 | ||
| 38 | please don't use your production RSA keys, since | 30 | Please don't use your production RSA keys, since |
| 39 | with the current version of sectok/ssh-keygen | 31 | with the current version of sectok/ssh-keygen |
| 40 | the private key file is still readable | 32 | the private key file is still readable. |
| 41 | 33 | ||
| 42 | $ ssh-keygen -f /path/to/rsakey -U 1 | 34 | $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> |
| 43 | (where 1 is the reader number, you can also try 0) | ||
| 44 | 35 | ||
| 45 | In spite of the name, this does not generate a key. | 36 | In spite of the name, this does not generate a key. |
| 46 | It just loads an already existing key on to the card. | 37 | It just loads an already existing key on to the card. |
| @@ -65,13 +56,30 @@ To enable this you need to: | |||
| 65 | wrong passphrase three times in a row, you will | 56 | wrong passphrase three times in a row, you will |
| 66 | destroy your card. | 57 | destroy your card. |
| 67 | 58 | ||
| 68 | (6) tell the ssh client to use the card reader: | 59 | To enable OpenSC support: |
| 60 | |||
| 61 | (1) install OpenSC: | ||
| 62 | |||
| 63 | Sources and instructions are available from | ||
| 64 | http://www.opensc.org/ | ||
| 65 | |||
| 66 | (2) enable OpenSC support in OpenSSH: | ||
| 67 | |||
| 68 | $ ./configure --with-opensc[=/path/to/opensc] [options] | ||
| 69 | |||
| 70 | (3) load a RSA key to the card: | ||
| 71 | |||
| 72 | Not supported yet. | ||
| 73 | |||
| 74 | Common smartcard options: | ||
| 75 | |||
| 76 | (1) tell the ssh client to use the card reader: | ||
| 69 | 77 | ||
| 70 | $ ssh -I 1 otherhost | 78 | $ ssh -I <readernum, eg. 0> otherhost |
| 71 | 79 | ||
| 72 | (7) or tell the agent (don't forget to restart) to use the smartcard: | 80 | (2) or tell the agent (don't forget to restart) to use the smartcard: |
| 73 | 81 | ||
| 74 | $ ssh-add -s 1 | 82 | $ ssh-add -s <readernum, eg. 0> |
| 75 | 83 | ||
| 76 | -markus, | 84 | -markus, |
| 77 | Tue Jul 17 23:54:51 CEST 2001 | 85 | Sat Apr 13 13:48:10 EEST 2002 |
diff --git a/configure.ac b/configure.ac index 9c4d7f670..d6824c318 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $Id: configure.ac,v 1.47 2002/04/23 10:23:00 djm Exp $ | 1 | # $Id: configure.ac,v 1.48 2002/04/23 12:48:46 djm Exp $ |
| 2 | 2 | ||
| 3 | AC_INIT | 3 | AC_INIT |
| 4 | AC_CONFIG_SRCDIR([ssh.c]) | 4 | AC_CONFIG_SRCDIR([ssh.c]) |
| @@ -1719,33 +1719,22 @@ AC_ARG_WITH(sectok, | |||
| 1719 | 1719 | ||
| 1720 | # Check whether user wants OpenSC support | 1720 | # Check whether user wants OpenSC support |
| 1721 | AC_ARG_WITH(opensc, | 1721 | AC_ARG_WITH(opensc, |
| 1722 | [ --with-opensc Enable smartcard support using OpenSC], | 1722 | AC_HELP_STRING([--with-opensc=PFX], |
| 1723 | [ | 1723 | [Enable smartcard support using OpenSC]), |
| 1724 | if test "x$withval" != "xno" ; then | 1724 | opensc_config_prefix="$withval", opensc_config_prefix="") |
| 1725 | if test "x$withval" != "xyes" ; then | 1725 | if test x$opensc_config_prefix != x ; then |
| 1726 | CPPFLAGS="$CPPFLAGS -I${withval}" | 1726 | OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config |
| 1727 | LDFLAGS="$LDFLAGS -L${withval}" | 1727 | AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) |
| 1728 | if test ! -z "$need_dash_r" ; then | 1728 | if test "$OPENSC_CONFIG" != "no"; then |
| 1729 | LDFLAGS="$LDFLAGS -R${withval}" | 1729 | LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` |
| 1730 | fi | 1730 | LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` |
| 1731 | if test ! -z "$blibpath" ; then | 1731 | CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" |
| 1732 | blibpath="$blibpath:${withval}" | 1732 | LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" |
| 1733 | fi | 1733 | AC_DEFINE(SMARTCARD) |
| 1734 | fi | 1734 | AC_DEFINE(USE_OPENSC) |
| 1735 | AC_CHECK_HEADERS(opensc/pkcs15.h) | 1735 | SCARD_MSG="yes, using OpenSC" |
| 1736 | if test "$ac_cv_header_opensc_pkcs15_h" != yes; then | 1736 | fi |
| 1737 | AC_MSG_ERROR(Can't find opensc/pkcs15.h) | 1737 | fi |
| 1738 | fi | ||
| 1739 | AC_CHECK_LIB(opensc, sc_pkcs15_bind) | ||
| 1740 | if test "$ac_cv_lib_opensc_sc_pkcs15_bind" != yes; then | ||
| 1741 | AC_MSG_ERROR(Can't find libopensc) | ||
| 1742 | fi | ||
| 1743 | AC_DEFINE(SMARTCARD) | ||
| 1744 | AC_DEFINE(USE_OPENSC) | ||
| 1745 | SCARD_MSG="yes, using OpenSC" | ||
| 1746 | fi | ||
| 1747 | ] | ||
| 1748 | ) | ||
| 1749 | 1738 | ||
| 1750 | # Check whether user wants Kerberos 5 support | 1739 | # Check whether user wants Kerberos 5 support |
| 1751 | KRB5_MSG="no" | 1740 | KRB5_MSG="no" |
diff --git a/scard-opensc.c b/scard-opensc.c index 6b80d1e68..dd21de39a 100644 --- a/scard-opensc.c +++ b/scard-opensc.c | |||
| @@ -173,7 +173,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, | |||
| 173 | r = sc_prkey_op_init(rsa, &key_obj); | 173 | r = sc_prkey_op_init(rsa, &key_obj); |
| 174 | if (r) | 174 | if (r) |
| 175 | return -1; | 175 | return -1; |
| 176 | r = sc_pkcs15_decipher(p15card, key_obj, from, flen, to, flen); | 176 | r = sc_pkcs15_decipher(p15card, key_obj, 0, from, flen, to, flen); |
| 177 | sc_unlock(card); | 177 | sc_unlock(card); |
| 178 | if (r < 0) { | 178 | if (r < 0) { |
| 179 | error("sc_pkcs15_decipher() failed: %s", sc_strerror(r)); | 179 | error("sc_pkcs15_decipher() failed: %s", sc_strerror(r)); |