From a595f1f67e3950ffd1ecd49af3137d0ad5d6c059 Mon Sep 17 00:00:00 2001
From: "Jan F. Chadima"
Date: Mon, 30 Nov 2009 10:09:11 +0000
Subject: [PATCH] Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD

---
 openssh-5.3p1-nss-keys.patch | 298 ++++++++++++++++++++++++-----------
 openssh.spec | 7 +-
 2 files changed, 211 insertions(+), 94 deletions(-)

diff --git a/openssh-5.3p1-nss-keys.patch b/openssh-5.3p1-nss-keys.patch
index dbf34cb..1bb4376 100644
--- a/openssh-5.3p1-nss-keys.patch
+++ b/openssh-5.3p1-nss-keys.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c
 --- openssh-5.3p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.3p1/authfd.c 2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/authfd.c 2009-11-27 13:43:00.000000000 +0100
 @@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
  return decode_reply(type);
  }
@@ -49,7 +49,7 @@ diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c
  * by normal applications.
 diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h
 --- openssh-5.3p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200
-+++ openssh-5.3p1/authfd.h 2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/authfd.h 2009-11-27 13:43:01.000000000 +0100
 @@ -49,6 +49,12 @@
  #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
  #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
@@ -73,9 +73,9 @@ diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h int ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.nss-keys 2009-10-02 14:09:01.000000000 +0200 -+++ openssh-5.3p1/configure.ac 2009-10-02 14:09:01.000000000 +0200 -@@ -3514,6 +3514,20 @@ AC_ARG_WITH(kerberos5, +--- openssh-5.3p1/configure.ac.nss-keys 2009-11-27 13:42:57.000000000 +0100 ++++ openssh-5.3p1/configure.ac 2009-11-27 13:48:44.000000000 +0100 +@@ -3526,6 +3526,21 @@ AC_ARG_WITH(kerberos5, ] ) @@ -89,6 +89,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac + CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4" + AC_CHECK_HEADERS(pk11pub.h) + LIBS="$LIBS -lnss3" ++ AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], [], [], [#include ]) + fi + ]) +AC_SUBST(LIBNSS) @@ -96,7 +97,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac # Looking for programs, paths and files PRIVSEP_PATH=/var/empty -@@ -4240,6 +4254,7 @@ echo " TCP Wrappers support +@@ -4253,6 +4269,7 @@ echo " TCP Wrappers support echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" @@ -106,7 +107,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac echo " BSD Auth support: $BSD_AUTH_MSG" diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c --- openssh-5.3p1/key.c.nss-keys 2008-11-03 09:24:17.000000000 +0100 -+++ openssh-5.3p1/key.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/key.c 2009-11-27 13:43:01.000000000 +0100 @@ -96,6 +96,54 @@ key_new(int type) return k; } 
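Review bot: `AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], ...)` defines `HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD` (to 1 or 0), whereas the guard this patch adds in nsskeys.c is `#if HAVE_SEC_ERROR_LOCKED_PASSWORD`; unless something outside this diff defines that second name, the locked-password case is never compiled in and a locked token always falls through to the generic "Failure while authenticating against token" branch. Either change the guard in nsskeys.c to `#if HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD`, or use `AC_CHECK_DECL` with an explicit `AC_DEFINE(HAVE_SEC_ERROR_LOCKED_PASSWORD, 1, [...])` in its action-if-found. The includes argument of the check appears as `[#include ]` in this rendering, so confirm the header name survived in the actual file.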
@@ -184,7 +185,7 @@ diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h --- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 -+++ openssh-5.3p1/key.h 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/key.h 2009-11-27 13:43:01.000000000 +0100 @@ -29,11 +29,17 @@ #include #include @@ -236,7 +237,7 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h int key_equal(const Key *, const Key *); diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in --- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200 -+++ openssh-5.3p1/Makefile.in 2009-10-02 14:09:53.000000000 +0200 ++++ openssh-5.3p1/Makefile.in 2009-11-27 13:43:01.000000000 +0100 @@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ @@ -247,12 +248,13 @@ diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff -up /dev/null openssh-5.3p1/nsskeys.c ---- /dev/null 2009-09-11 09:35:58.778798825 +0200 -+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:09:01.000000000 +0200 -@@ -0,0 +1,327 @@ +--- /dev/null 2009-11-27 11:08:21.619709673 +0100 ++++ openssh-5.3p1/nsskeys.c 2009-11-27 13:45:42.000000000 +0100 +@@ -0,0 +1,443 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2007 Red Hat, Inc. All rights reserved. ++ * Copyright (c) 2009 Pierre Ossman for Cendio AB + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions @@ -290,6 +292,8 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c +#include +#include +#include ++#include ++#include + +#include "xmalloc.h" +#include "key.h" 
@@ -328,8 +332,11 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + dbpath = buf; + } + -+ if (NSS_Init(dbpath) != SECSuccess) -+ return -1; ++ if (NSS_Init(dbpath) != SECSuccess) { ++ debug("Failed to initialize NSS library. Attempting without DB..."); ++ if (NSS_NoDB_Init(NULL) != SECSuccess) ++ return -1; ++ } + + if (pwfn == NULL) { + pwfn = password_cb; @@ -340,6 +347,25 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + return 0; +} + ++int ++nss_load_module(const char *modpath) ++{ ++ char spec[MAXPATHLEN + 40]; ++ SECMODModule *module; ++ ++ debug("loading PKCS#11 module '%s'", modpath); ++ ++ snprintf(spec, sizeof(spec), "library=\"%s\" name=\"Foobar\"", modpath); ++ module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE); ++ if (!module || !module->loaded) { ++ if (module) ++ SECMOD_DestroyModule(module); ++ return -1; ++ } ++ ++ return 0; ++} ++ +static Key * +make_key_from_privkey(SECKEYPrivateKey *privk, char *password) +{ 
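Review bot: `nss_load_module` builds the module spec with `snprintf(spec, sizeof(spec), "library=\"%s\" name=\"Foobar\"", modpath)` and neither checks for truncation nor guards against a `"` inside `modpath`, which comes straight from the user's configuration via the new NSSModule keyword; an over-long or quoted path yields a malformed spec instead of a clear error. Capture the return value and reject bad input, e.g. `if (n < 0 || (size_t)n >= sizeof(spec) || strchr(modpath, '"') != NULL) return -1;`, and give the module a descriptive name rather than `Foobar`, since NSS reports that name in its module list. In the preceding hunk the new `NSS_NoDB_Init` fallback turns a failed `NSS_Init(dbpath)` from a hard error into a debug-level message, so keys in an unreadable or misconfigured database silently become unavailable; logging `dbpath` at `error()` level there would make that diagnosable. On success the `module` reference is never released, which is presumably intended so the module stays registered for the process lifetime, but a one-line comment saying so would help.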
@@ -442,9 +468,100 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + return 0; +} + ++static int ++nss_authenticate(PK11SlotInfo *slot, char *password, int pwprompts, char **output) ++{ ++ int i, quit; ++ ++ *output = NULL; ++ ++ if (!PK11_NeedLogin(slot)) ++ return 0; ++ ++ for (i = 0; i < pwprompts; i++) { ++ SECStatus rv; ++ CK_TOKEN_INFO info; ++ ++ rv = PK11_GetTokenInfo(slot, &info); ++ if (rv != SECSuccess) { ++ error("Failed to get information for token %s", ++ PK11_GetTokenName(slot)); ++ return -1; ++ } ++ ++ if (info.flags & CKF_USER_PIN_LOCKED) { ++ error("Passphrase for token %s is locked", ++ PK11_GetTokenName(slot)); ++ return -1; ++ } ++ ++ if (info.flags & CKF_USER_PIN_FINAL_TRY) ++ debug2("Final passphrase attempt for token %s", ++ PK11_GetTokenName(slot)); ++ else if (info.flags & CKF_USER_PIN_COUNT_LOW) ++ debug2("Previous failed passphrase attempt for token %s", ++ PK11_GetTokenName(slot)); ++ ++ if (password != NULL) ++ *output = xstrdup(password); ++ else { ++ char *prompt; ++ if (asprintf(&prompt, "Enter passphrase for token %s: ", ++ PK11_GetTokenName(slot)) < 0) ++ fatal("password_cb: asprintf failed"); ++ *output = read_passphrase(prompt, RP_ALLOW_STDIN); ++ } ++ ++ if (strcmp(*output, "") == 0) { ++ debug2("no passphrase given, ignoring slot"); ++ quit = 1; ++ goto cleanup; ++ } ++ ++ quit = 0; ++ ++ rv = PK11_Authenticate(slot, PR_TRUE, *output); ++ if (rv == SECSuccess) ++ return 0; ++ ++ switch (PORT_GetError()) { ++ case SEC_ERROR_BAD_PASSWORD: ++ debug2("Incorrect passphrase, try again..."); ++ break; ++ case SEC_ERROR_INVALID_ARGS: ++ case SEC_ERROR_BAD_DATA: ++ debug2("Invalid passphrase, try again..."); ++ break; ++#if HAVE_SEC_ERROR_LOCKED_PASSWORD ++ case SEC_ERROR_LOCKED_PASSWORD: ++ error("Unable to authenticate, token passphrase is locked"); ++ quit = 1; ++ break; ++#endif ++ default: ++ error("Failure while authenticating against token"); ++ quit = 1; ++ } ++ ++cleanup: ++ memset(*output, 0, strlen(*output)); ++ 
xfree(*output); ++ *output = NULL; ++ ++ /* No point in retrying the same password */ ++ if (password != NULL) ++ break; ++ ++ if (quit) ++ break; ++ } ++ ++ return -1; ++} ++ +static Key ** +nss_find_privkeys(const char *tokenname, const char *keyname, -+ char *password) ++ char *password, int pwprompts) +{ + Key *k = NULL; + Key **keys = NULL; @@ -465,18 +582,10 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + for (sle = slots->head; sle; sle = sle->next) { + SECKEYPrivateKeyList *list; + SECKEYPrivateKeyListNode *node; -+ char *tmppass = password; -+ -+ if (PK11_NeedLogin(sle->slot)) { -+ if (password == NULL) { -+ char *prompt; -+ if (asprintf(&prompt, "Enter passphrase for token %s: ", -+ PK11_GetTokenName(sle->slot)) < 0) -+ fatal("password_cb: asprintf failed"); -+ tmppass = read_passphrase(prompt, RP_ALLOW_STDIN); -+ } -+ PK11_Authenticate(sle->slot, PR_TRUE, tmppass); -+ } ++ char *tmppass; ++ ++ if (nss_authenticate(sle->slot, password, pwprompts, &tmppass) == -1) ++ break; + + debug("Looking for: %s:%s", tokenname, keyname); + list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname, @@ -521,7 +630,7 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + SECKEY_DestroyPrivateKeyList(list); + } +cleanup: -+ if (password == NULL && tmppass != NULL) { ++ if (tmppass != NULL) { + memset(tmppass, 0, strlen(tmppass)); + xfree(tmppass); + } @@ -533,8 +642,9 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + +Key ** +nss_get_keys(const char *tokenname, const char *keyname, -+ char *password) ++ char *password, int pwprompts, int num_modules, const char **modules) +{ ++ int i; + Key **keys; + + if (nss_init(NULL) == -1) { 
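Review bot: In `nss_authenticate` the `prompt` string returned by `asprintf` is never freed, and because the prompt now lives inside the `pwprompts` retry loop it leaks once per attempt; add `xfree(prompt);` immediately after `*output = read_passphrase(prompt, RP_ALLOW_STDIN);`. The wipe at `cleanup:` is a plain `memset` directly followed by `xfree`, which a compiler may drop as a dead store; this matches OpenSSH's idiom elsewhere, so it is a note rather than a blocker, but a wipe through a volatile pointer would make the clearing reliable. The function also collapses "user entered an empty passphrase", "token info unavailable" and "PIN locked" into the same -1, which limits what the caller can do with the result; a short header comment documenting the return contract and the fact that `*output` keeps the plaintext passphrase on success would help the next reader.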
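Review bot: `if (nss_authenticate(sle->slot, password, pwprompts, &tmppass) == -1) break;` abandons the slot enumeration entirely, so an empty passphrase on one token (which nss_authenticate logs as "no passphrase given, ignoring slot") or one locked token prevents keys on every subsequent slot from being found; the removed code kept iterating regardless of the authentication result. `continue` is the behaviour the log message promises; if stopping on a locked token is intended, nss_authenticate needs to return distinct codes so the caller can tell the cases apart. `tmppass` is now a fresh `xstrdup` per slot, yet only the copy live at `cleanup:` (the label is outside this hunk) is wiped and freed, so copies from earlier slots appear to be neither zeroed nor released; confirm where the label sits relative to the loop.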
@@ -542,7 +652,14 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + return NULL; + } + -+ keys = nss_find_privkeys(tokenname, keyname, password); ++ for (i = 0;i < num_modules;i++) { ++ if (nss_load_module(modules[i]) == -1) { ++ error("Failed to load PKCS#11 module '%s'", modules[i]); ++ return NULL; ++ } ++ } ++ ++ keys = nss_find_privkeys(tokenname, keyname, password, pwprompts); + if (keys == NULL && keyname != NULL) { + error("Cannot find key in nss, token removed"); + return NULL; @@ -578,8 +695,8 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + +#endif /* HAVE_LIBNSS */ diff -up /dev/null openssh-5.3p1/nsskeys.h ---- /dev/null 2009-09-11 09:35:58.778798825 +0200 -+++ openssh-5.3p1/nsskeys.h 2009-10-02 14:09:01.000000000 +0200 +--- /dev/null 2009-11-27 11:08:21.619709673 +0100 ++++ openssh-5.3p1/nsskeys.h 2009-11-27 13:43:01.000000000 +0100 @@ -0,0 +1,39 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -613,7 +730,7 @@ diff -up /dev/null openssh-5.3p1/nsskeys.h +#include + +int nss_init(PK11PasswordFunc); -+Key **nss_get_keys(const char *, const char *, char *); ++Key **nss_get_keys(const char *, const char *, char *, int , int , const char **); +char *nss_get_key_label(Key *); +/*void sc_close(void);*/ +/*int sc_put_key(Key *, const char *);*/ @@ -622,30 +739,32 @@ diff -up /dev/null openssh-5.3p1/nsskeys.h +#endif diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c --- openssh-5.3p1/readconf.c.nss-keys 2009-07-05 23:12:27.000000000 +0200 -+++ openssh-5.3p1/readconf.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/readconf.c 2009-11-27 13:43:01.000000000 +0100 
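Review bot: The module loop in `nss_get_keys` is written `for (i = 0;i < num_modules;i++)`; OpenSSH style is `for (i = 0; i < num_modules; i++)`. When `nss_load_module` fails part-way the function returns NULL with the modules loaded by earlier iterations still registered, which is acceptable for a one-shot client but worth a comment because the same function is called from the long-lived agent. The new prototype in nsskeys.h, `Key **nss_get_keys(const char *, const char *, char *, int , int , const char **);`, has stray spaces before the commas and, with three unnamed trailing parameters, would read better named: `char *password, int pwprompts, int num_modules, const char **modules`.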
@@ -124,6 +124,7 @@ typedef enum { oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, -+ oUseNSS, oNSSToken, ++ oUseNSS, oNSSToken, oNSSModule, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, -@@ -210,6 +211,13 @@ static struct { +@@ -210,6 +211,15 @@ static struct { #else { "smartcarddevice", oUnsupported }, #endif +#ifdef HAVE_LIBNSS + { "usenss", oUseNSS }, + { "nsstoken", oNSSToken }, ++ { "nssmodule", oNSSModule }, +#else + { "usenss", oUnsupported }, + { "nsstoken", oNSSToken }, ++ { "nssmodule", oUnsupported }, +#endif { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "verifyhostkeydns", oVerifyHostKeyDNS }, -@@ -613,6 +621,14 @@ parse_string: +@@ -613,6 +623,28 @@ parse_string: charptr = &options->smartcard_device; goto parse_string; 
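Review bot: The new `{ "nssmodule", oUnsupported }` entry in the `#else` (no libnss) branch is right, but it now sits directly under `{ "nsstoken", oNSSToken }`, the only keyword in that branch still routed to its live parser case; that line is pre-existing, yet the added entry makes the asymmetry obvious and `nsstoken` presumably should be `oUnsupported` there too. As written, a config with `NSSToken` on a build without NSS is accepted and stored while `UseNSS` and `NSSModule` are rejected, which is confusing to diagnose.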
@@ -657,19 +776,34 @@ diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c + charptr = &options->nss_token; + goto parse_command; + ++ case oNSSModule: ++ arg = strdelim(&s); ++ if (!arg || *arg == '\0') ++ fatal("%.200s line %d: Missing argument.", filename, linenum); ++ if (*activep) { ++ intptr = &options->num_nss_modules; ++ if (*intptr >= SSH_MAX_NSS_MODULES) ++ fatal("%.200s line %d: Too many PKCS#11 modules specified (max %d).", ++ filename, linenum, SSH_MAX_NSS_MODULES); ++ charptr = &options->nss_modules[*intptr]; ++ *charptr = xstrdup(arg); ++ *intptr = *intptr + 1; ++ } ++ break; case oProxyCommand: charptr = &options->proxy_command; parse_command: -@@ -1052,6 +1068,8 @@ initialize_options(Options * options) +@@ -1052,6 +1084,9 @@ initialize_options(Options * options) options->preferred_authentications = NULL; options->bind_address = NULL; options->smartcard_device = NULL; + options->use_nss = -1; + options->nss_token = NULL; ++ options->num_nss_modules = 0; options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; options->identities_only = - 1; -@@ -1183,6 +1201,8 @@ fill_default_options(Options * options) +@@ -1183,6 +1218,8 @@ fill_default_options(Options * options) options->no_host_authentication_for_localhost = 0; if (options->identities_only == -1) options->identities_only = 0; 
@@ -680,19 +814,21 @@ diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c if (options->rekey_limit == -1) diff -up openssh-5.3p1/readconf.h.nss-keys openssh-5.3p1/readconf.h --- openssh-5.3p1/readconf.h.nss-keys 2009-07-05 23:12:27.000000000 +0200 -+++ openssh-5.3p1/readconf.h 2009-10-02 14:09:01.000000000 +0200 -@@ -85,6 +85,8 @@ typedef struct { ++++ openssh-5.3p1/readconf.h 2009-11-27 13:43:01.000000000 +0100 +@@ -85,6 +85,10 @@ typedef struct { char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ char *smartcard_device; /* Smartcard reader device */ + int use_nss; /* Use NSS library for keys */ + char *nss_token; /* Look for NSS keys on token */ ++ int num_nss_modules; /* Number of PCKS#11 modules. */ ++ char *nss_modules[SSH_MAX_NSS_MODULES]; int verify_host_key_dns; /* Verify host key using DNS */ int num_identity_files; /* Number of files for RSA/DSA identities. */ diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c --- openssh-5.3p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100 -+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/ssh-add.c 2009-11-27 13:43:01.000000000 +0100 @@ -44,6 +44,14 @@ #include #include "openbsd-compat/openssl-compat.h" @@ -932,7 +1068,7 @@ diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c struct passwd *pw; diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c --- openssh-5.3p1/ssh-agent.c.nss-keys 2009-06-21 09:50:15.000000000 +0200 -+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/ssh-agent.c 2009-11-27 13:43:01.000000000 +0100 @@ -80,6 +80,10 @@ #include "scard.h" #endif 
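Review bot: The comment on the new `num_nss_modules` field misspells the standard's name; it should read `int num_nss_modules; /* Number of PKCS#11 modules. */`. `char *nss_modules[SSH_MAX_NSS_MODULES];` relies on ssh.h being included before readconf.h, exactly as `identity_files[SSH_MAX_IDENTITY_FILES]` already does, so no new include is needed, but the array has no comment at all while every neighbouring field has one; `/* PKCS#11 module paths from NSSModule */` would match the style. The entries are `xstrdup`'d in readconf.c and, like the other string options, never freed, which is fine for ssh but worth knowing if the struct is ever reused.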
@@ -977,7 +1113,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c + if (lifetime && !death) + death = time(NULL) + lifetime; + -+ keys = nss_get_keys(tokenname, keyname, password); ++ keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL); + /* password is owned by keys[0] now */ + xfree(tokenname); + xfree(keyname); @@ -1026,7 +1162,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c + keyname = buffer_get_string(&e->request, NULL); + password = buffer_get_string(&e->request, NULL); + -+ keys = nss_get_keys(tokenname, keyname, password); ++ keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL); + xfree(tokenname); + xfree(keyname); + xfree(password); @@ -1077,7 +1213,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c error("Unknown message %d", type); diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c --- openssh-5.3p1/ssh.c.nss-keys 2009-07-05 23:16:56.000000000 +0200 -+++ openssh-5.3p1/ssh.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/ssh.c 2009-11-27 13:43:01.000000000 +0100 @@ -105,6 +105,9 @@ #ifdef SMARTCARD #include "scard.h" 
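Review bot: The first ssh-agent call site keeps `/* password is owned by keys[0] now */` and does not free `password`, while the second call site xfrees it right after `nss_get_keys`; with this patch `nss_authenticate` copies the password (`*output = xstrdup(password)`) and hands the copy down as `tmppass`, so whether `keys[0]` still refers to the original buffer depends on make_key_from_privkey, which is outside these hunks. If the key now stores the copy, the first site leaks the agent-supplied password without zeroing it; if it stores the original, the second site frees memory the key still references. Make both sites identical and state in the comment which buffer the key owns. Both sites also hard-code `1, 0, NULL`, so no configured PKCS#11 modules are loaded in the agent path; presumably intentional, but a short comment would save the next reader a lookup.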
@@ -1101,14 +1237,16 @@ diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c if (options.smartcard_device != NULL && options.num_identity_files < SSH_MAX_IDENTITY_FILES && (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) { -@@ -1259,6 +1264,27 @@ load_public_identity_files(void) +@@ -1259,6 +1264,29 @@ load_public_identity_files(void) xfree(keys); } #endif /* SMARTCARD */ +#ifdef HAVE_LIBNSS + if (options.use_nss && + options.num_identity_files < SSH_MAX_IDENTITY_FILES && -+ (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) { ++ (keys = nss_get_keys(options.nss_token, NULL, NULL, ++ options.number_of_password_prompts, options.num_nss_modules, ++ options.nss_modules)) != NULL) { + int count; + for (count = 0; keys[count] != NULL; count++) { + memmove(&options.identity_files[1], &options.identity_files[0], @@ -1131,7 +1269,7 @@ diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c pwname = xstrdup(pw->pw_name); diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c --- openssh-5.3p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100 -+++ openssh-5.3p1/ssh-dss.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/ssh-dss.c 2009-11-27 13:43:01.000000000 +0100 @@ -39,6 +39,10 @@ #include "log.h" #include "key.h" 
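Review bot: `options.nss_modules` is declared `char *nss_modules[...]` in readconf.h but `nss_get_keys` takes `const char **`; C does not implicitly convert `char **` to `const char **`, so this call produces an incompatible-pointer-type warning on every build. Either cast at the call, `(const char **)options.nss_modules`, or declare the parameter `char **` to match the option struct. Reusing `options.number_of_password_prompts` as the token retry count is reasonable, but each failed attempt counts against the token's PIN retry counter and the `CKF_USER_PIN_FINAL_TRY` check in nss_authenticate only logs at debug2, so a comment here noting that the option also bounds PIN attempts would be worthwhile.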
@@ -1189,9 +1327,25 @@ diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c if (datafellows & SSH_BUG_SIGBLOB) { if (lenp != NULL) *lenp = SIGBLOB_LEN; +diff -up openssh-5.3p1/ssh.h.nss-keys openssh-5.3p1/ssh.h +--- openssh-5.3p1/ssh.h.nss-keys 2006-08-05 04:39:41.000000000 +0200 ++++ openssh-5.3p1/ssh.h 2009-11-27 13:43:01.000000000 +0100 +@@ -28,6 +28,12 @@ + #define SSH_MAX_IDENTITY_FILES 100 + + /* ++ * Maximum number of PKCS#11 modules that can be specified in configuration ++ * files or on the command line. ++ */ ++#define SSH_MAX_NSS_MODULES 10 ++ ++/* + * Maximum length of lines in authorized_keys file. + * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with + * some room for options and comments. diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c --- openssh-5.3p1/ssh-keygen.c.nss-keys 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/ssh-keygen.c 2009-11-27 13:43:01.000000000 +0100 @@ -53,6 +53,11 @@ #include "scard.h" #endif @@ -1215,7 +1369,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c + Key **keys = NULL; + int i; + -+ keys = nss_get_keys(tokenname, keyname, NULL); ++ keys = nss_get_keys(tokenname, keyname, NULL, 1, 0, NULL); + if (keys == NULL) + fatal("cannot find public key in NSS"); + for (i = 0; keys[i]; i++) { @@ -1295,7 +1449,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c if (download) diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c --- openssh-5.3p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.3p1/ssh-rsa.c 2009-10-02 14:09:01.000000000 +0200 ++++ openssh-5.3p1/ssh-rsa.c 2009-11-27 13:43:01.000000000 +0100 @@ -32,6 +32,10 @@ #include "compat.h" #include "ssh.h" 
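Review bot: The new ssh.h comment says modules can be given `in configuration files or on the command line`, but the only mechanism visible in this diff is the `NSSModule` configuration keyword (reachable through `-o`); trim the comment to what exists, `/* Maximum number of PKCS#11 modules that can be specified with NSSModule. */`, or add the option. The ssh-keygen call `nss_get_keys(tokenname, keyname, NULL, 1, 0, NULL)` passes no modules, so a key on a module that is only named in ssh_config cannot be exported with `ssh-keygen -n` unless the module is also registered in the NSS database; that limitation deserves a line of documentation, especially as README.nss is dropped from the patch by this commit.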
@@ -1366,43 +1520,3 @@ diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c /* encode signature */ buffer_init(&b); buffer_put_cstring(&b, "ssh-rsa"); -diff -up /dev/null openssh-5.2p1/README.nss ---- /dev/null 2008-11-17 17:51:52.160001870 +0100 -+++ openssh-5.2p1/README.nss 2008-11-18 19:11:41.000000000 +0100 -@@ -0,0 +1,36 @@ -+How to use NSS tokens with OpenSSH? -+ -+This version of OpenSSH contains experimental support for authentication using -+keys stored in tokens stored in NSS database. This for example includes any -+PKCS#11 tokens which are installed in your NSS database. -+ -+As the code is experimental and preliminary only SSH protocol 2 is supported. -+The NSS certificate and token databases are looked for in the ~/.ssh -+directory or in a directory specified by environment variable NSS_DB_PATH. -+ -+Common operations: -+ -+(1) tell the ssh client to use the NSS keys: -+ -+ $ ssh -o 'UseNSS yes' otherhost -+ -+ if you want to use a specific token: -+ -+ $ ssh -o 'UseNSS yes' -o 'NSS Token My PKCS11 Token' otherhost -+ -+(2) or tell the agent to use the NSS keys: -+ -+ $ ssh-add -n -+ -+ if you want to use a specific token: -+ -+ $ ssh-add -n -T 'My PKCS11 Token' -+ -+(3) extract the public key from token so it can be added to the -+server: -+ -+ $ ssh-keygen -n -+ -+ if you want to use a specific token and/or key: -+ -+ $ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID' diff --git a/openssh.spec b/openssh.spec index ed72c0a..8b43e21 100644 --- a/openssh.spec +++ b/openssh.spec @@ -69,7 +69,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.3p1 -Release: 9%{?dist}%{?rescue_rel} +Release: 11%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 
@@ -525,7 +525,10 @@ fi
 %endif
 
 %changelog
-* Fri Nov 20 2009 Jan F. Chadima - 5.3p1-8
+* Mon Nov 30 2009 Jan F. Chadima - 5.3p1-11
+- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
+
+* Fri Nov 20 2009 Jan F. Chadima - 5.3p1-9
 - Add gssapi key exchange patch (#455351)
 
 * Fri Nov 20 2009 Jan F. Chadima - 5.3p1-8