summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rw-r--r--authfd.c27
-rw-r--r--authfd.h6
-rw-r--r--ssh-add.c4
-rw-r--r--ssh-agent.c25
5 files changed, 54 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog
index fab1da44b..fc17be0ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,10 @@
18 - jakob@cvs.openbsd.org 2003/06/11 10:18:47 18 - jakob@cvs.openbsd.org 2003/06/11 10:18:47
19 [dns.c] 19 [dns.c]
20 sync with check_host_key() change 20 sync with check_host_key() change
21 - djm@cvs.openbsd.org 2003/06/11 11:18:38
22 [authfd.c authfd.h ssh-add.c ssh-agent.c]
23 make agent constraints (lifetime, confirm) work with smartcard keys;
24 ok markus@
21 25
22 26
2320030609 2720030609
@@ -502,4 +506,4 @@
502 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. 506 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
503 Report from murple@murple.net, diagnosis from dtucker@zip.com.au 507 Report from murple@murple.net, diagnosis from dtucker@zip.com.au
504 508
505$Id: ChangeLog,v 1.2796 2003/06/11 12:05:45 djm Exp $ 509$Id: ChangeLog,v 1.2797 2003/06/11 12:06:33 djm Exp $
diff --git a/authfd.c b/authfd.c
index 7e96269a4..368544b17 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: authfd.c,v 1.59 2003/04/08 20:21:28 itojun Exp $"); 38RCSID("$OpenBSD: authfd.c,v 1.60 2003/06/11 11:18:38 djm Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41 41
@@ -589,16 +589,33 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
589} 589}
590 590
591int 591int
592ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin) 592ssh_update_card(AuthenticationConnection *auth, int add,
593 const char *reader_id, const char *pin, u_int life, u_int confirm)
593{ 594{
594 Buffer msg; 595 Buffer msg;
595 int type; 596 int type, constrained = (life || confirm);
597
598 if (add) {
599 type = constrained ?
600 SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED :
601 SSH_AGENTC_ADD_SMARTCARD_KEY;
602 } else
603 type = SSH_AGENTC_REMOVE_SMARTCARD_KEY;
596 604
597 buffer_init(&msg); 605 buffer_init(&msg);
598 buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY : 606 buffer_put_char(&msg, type);
599 SSH_AGENTC_REMOVE_SMARTCARD_KEY);
600 buffer_put_cstring(&msg, reader_id); 607 buffer_put_cstring(&msg, reader_id);
601 buffer_put_cstring(&msg, pin); 608 buffer_put_cstring(&msg, pin);
609
610 if (constrained) {
611 if (life != 0) {
612 buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
613 buffer_put_int(&msg, life);
614 }
615 if (confirm != 0)
616 buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
617 }
618
602 if (ssh_request_reply(auth, &msg, &msg) == 0) { 619 if (ssh_request_reply(auth, &msg, &msg) == 0) {
603 buffer_free(&msg); 620 buffer_free(&msg);
604 return 0; 621 return 0;
diff --git a/authfd.h b/authfd.h
index 2a8751ec1..74b825c51 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfd.h,v 1.32 2003/01/23 13:50:27 markus Exp $ */ 1/* $OpenBSD: authfd.h,v 1.33 2003/06/11 11:18:38 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -49,6 +49,7 @@
49/* add key with constraints */ 49/* add key with constraints */
50#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24 50#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24
51#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 51#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
52#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
52 53
53#define SSH_AGENT_CONSTRAIN_LIFETIME 1 54#define SSH_AGENT_CONSTRAIN_LIFETIME 1
54#define SSH_AGENT_CONSTRAIN_CONFIRM 2 55#define SSH_AGENT_CONSTRAIN_CONFIRM 2
@@ -82,7 +83,8 @@ int ssh_add_identity_constrained(AuthenticationConnection *, Key *,
82int ssh_remove_identity(AuthenticationConnection *, Key *); 83int ssh_remove_identity(AuthenticationConnection *, Key *);
83int ssh_remove_all_identities(AuthenticationConnection *, int); 84int ssh_remove_all_identities(AuthenticationConnection *, int);
84int ssh_lock_agent(AuthenticationConnection *, int, const char *); 85int ssh_lock_agent(AuthenticationConnection *, int, const char *);
85int ssh_update_card(AuthenticationConnection *, int, const char *, const char *); 86int ssh_update_card(AuthenticationConnection *, int, const char *,
87 const char *, u_int, u_int);
86 88
87int 89int
88ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], 90ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
diff --git a/ssh-add.c b/ssh-add.c
index 9adec3094..9d14a3649 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $"); 38RCSID("$OpenBSD: ssh-add.c,v 1.67 2003/06/11 11:18:38 djm Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41 41
@@ -201,7 +201,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id)
201 if (pin == NULL) 201 if (pin == NULL)
202 return -1; 202 return -1;
203 203
204 if (ssh_update_card(ac, add, id, pin)) { 204 if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) {
205 fprintf(stderr, "Card %s: %s\n", 205 fprintf(stderr, "Card %s: %s\n",
206 add ? "added" : "removed", id); 206 add ? "added" : "removed", id);
207 ret = 0; 207 ret = 0;
diff --git a/ssh-agent.c b/ssh-agent.c
index fbd41834e..61ea34580 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
35 35
36#include "includes.h" 36#include "includes.h"
37#include "openbsd-compat/sys-queue.h" 37#include "openbsd-compat/sys-queue.h"
38RCSID("$OpenBSD: ssh-agent.c,v 1.109 2003/04/08 20:21:29 itojun Exp $"); 38RCSID("$OpenBSD: ssh-agent.c,v 1.110 2003/06/11 11:18:38 djm Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41#include <openssl/md5.h> 41#include <openssl/md5.h>
@@ -580,13 +580,29 @@ static void
580process_add_smartcard_key (SocketEntry *e) 580process_add_smartcard_key (SocketEntry *e)
581{ 581{
582 char *sc_reader_id = NULL, *pin; 582 char *sc_reader_id = NULL, *pin;
583 int i, version, success = 0; 583 int i, version, success = 0, death = 0, confirm = 0;
584 Key **keys, *k; 584 Key **keys, *k;
585 Identity *id; 585 Identity *id;
586 Idtab *tab; 586 Idtab *tab;
587 587
588 sc_reader_id = buffer_get_string(&e->request, NULL); 588 sc_reader_id = buffer_get_string(&e->request, NULL);
589 pin = buffer_get_string(&e->request, NULL); 589 pin = buffer_get_string(&e->request, NULL);
590
591 while (buffer_len(&e->request)) {
592 switch (buffer_get_char(&e->request)) {
593 case SSH_AGENT_CONSTRAIN_LIFETIME:
594 death = time(NULL) + buffer_get_int(&e->request);
595 break;
596 case SSH_AGENT_CONSTRAIN_CONFIRM:
597 confirm = 1;
598 break;
599 default:
600 break;
601 }
602 }
603 if (lifetime && !death)
604 death = time(NULL) + lifetime;
605
590 keys = sc_get_keys(sc_reader_id, pin); 606 keys = sc_get_keys(sc_reader_id, pin);
591 xfree(sc_reader_id); 607 xfree(sc_reader_id);
592 xfree(pin); 608 xfree(pin);
@@ -603,8 +619,8 @@ process_add_smartcard_key (SocketEntry *e)
603 id = xmalloc(sizeof(Identity)); 619 id = xmalloc(sizeof(Identity));
604 id->key = k; 620 id->key = k;
605 id->comment = xstrdup("smartcard key"); 621 id->comment = xstrdup("smartcard key");
606 id->death = 0; 622 id->death = death;
607 id->confirm = 0; 623 id->confirm = confirm;
608 TAILQ_INSERT_TAIL(&tab->idlist, id, next); 624 TAILQ_INSERT_TAIL(&tab->idlist, id, next);
609 tab->nentries++; 625 tab->nentries++;
610 success = 1; 626 success = 1;
@@ -748,6 +764,7 @@ process_message(SocketEntry *e)
748 break; 764 break;
749#ifdef SMARTCARD 765#ifdef SMARTCARD
750 case SSH_AGENTC_ADD_SMARTCARD_KEY: 766 case SSH_AGENTC_ADD_SMARTCARD_KEY:
767 case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED:
751 process_add_smartcard_key(e); 768 process_add_smartcard_key(e);
752 break; 769 break;
753 case SSH_AGENTC_REMOVE_SMARTCARD_KEY: 770 case SSH_AGENTC_REMOVE_SMARTCARD_KEY: