Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD

This commit is contained in:
Jan F. Chadima 2009-11-30 10:09:11 +00:00
parent e3f2dd04fb
commit a595f1f67e
2 changed files with 211 additions and 94 deletions


@ -1,6 +1,6 @@
diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c
--- openssh-5.3p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.3p1/authfd.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/authfd.c 2009-11-27 13:43:00.000000000 +0100
@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
return decode_reply(type);
}
@ -49,7 +49,7 @@ diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c
* by normal applications.
diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h
--- openssh-5.3p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200
+++ openssh-5.3p1/authfd.h 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/authfd.h 2009-11-27 13:43:01.000000000 +0100
@@ -49,6 +49,12 @@
#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
@ -73,9 +73,9 @@ diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h
int
ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.nss-keys 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/configure.ac 2009-10-02 14:09:01.000000000 +0200
@@ -3514,6 +3514,20 @@ AC_ARG_WITH(kerberos5,
--- openssh-5.3p1/configure.ac.nss-keys 2009-11-27 13:42:57.000000000 +0100
+++ openssh-5.3p1/configure.ac 2009-11-27 13:48:44.000000000 +0100
@@ -3526,6 +3526,21 @@ AC_ARG_WITH(kerberos5,
]
)
@ -89,6 +89,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac
+ CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
+ AC_CHECK_HEADERS(pk11pub.h)
+ LIBS="$LIBS -lnss3"
+ AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], [], [], [#include <secerr.h>])
+ fi
+ ])
+AC_SUBST(LIBNSS)
@ -96,7 +97,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -4240,6 +4254,7 @@ echo " TCP Wrappers support
@@ -4253,6 +4269,7 @@ echo " TCP Wrappers support
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
@ -106,7 +107,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac
echo " BSD Auth support: $BSD_AUTH_MSG"
diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c
--- openssh-5.3p1/key.c.nss-keys 2008-11-03 09:24:17.000000000 +0100
+++ openssh-5.3p1/key.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/key.c 2009-11-27 13:43:01.000000000 +0100
@@ -96,6 +96,54 @@ key_new(int type)
return k;
}
@ -184,7 +185,7 @@ diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c
diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
--- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200
+++ openssh-5.3p1/key.h 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/key.h 2009-11-27 13:43:01.000000000 +0100
@@ -29,11 +29,17 @@
#include <openssl/rsa.h>
#include <openssl/dsa.h>
@ -236,7 +237,7 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
int key_equal(const Key *, const Key *);
diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in
--- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200
+++ openssh-5.3p1/Makefile.in 2009-10-02 14:09:53.000000000 +0200
+++ openssh-5.3p1/Makefile.in 2009-11-27 13:43:01.000000000 +0100
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
@ -247,12 +248,13 @@ diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff -up /dev/null openssh-5.3p1/nsskeys.c
--- /dev/null 2009-09-11 09:35:58.778798825 +0200
+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:09:01.000000000 +0200
@@ -0,0 +1,327 @@
--- /dev/null 2009-11-27 11:08:21.619709673 +0100
+++ openssh-5.3p1/nsskeys.c 2009-11-27 13:45:42.000000000 +0100
@@ -0,0 +1,443 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
+ * Copyright (c) 2009 Pierre Ossman for Cendio AB
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
@ -290,6 +292,8 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+#include <keyhi.h>
+#include <pk11pub.h>
+#include <cert.h>
+#include <secmod.h>
+#include <secerr.h>
+
+#include "xmalloc.h"
+#include "key.h"
@ -328,8 +332,11 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+ dbpath = buf;
+ }
+
+ if (NSS_Init(dbpath) != SECSuccess)
+ if (NSS_Init(dbpath) != SECSuccess) {
+ debug("Failed to initialize NSS library. Attempting without DB...");
+ if (NSS_NoDB_Init(NULL) != SECSuccess)
+ return -1;
+ }
+
+ if (pwfn == NULL) {
+ pwfn = password_cb;
@ -340,6 +347,25 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+ return 0;
+}
+
+int
+nss_load_module(const char *modpath)
+{
+ char spec[MAXPATHLEN + 40];
+ SECMODModule *module;
+
+ debug("loading PKCS#11 module '%s'", modpath);
+
+ snprintf(spec, sizeof(spec), "library=\"%s\" name=\"Foobar\"", modpath);
+ module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE);
+ if (!module || !module->loaded) {
+ if (module)
+ SECMOD_DestroyModule(module);
+ return -1;
+ }
+
+ return 0;
+}
+
+static Key *
+make_key_from_privkey(SECKEYPrivateKey *privk, char *password)
+{
@ -442,9 +468,100 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+ return 0;
+}
+
+static int
+nss_authenticate(PK11SlotInfo *slot, char *password, int pwprompts, char **output)
+{
+ int i, quit;
+
+ *output = NULL;
+
+ if (!PK11_NeedLogin(slot))
+ return 0;
+
+ for (i = 0; i < pwprompts; i++) {
+ SECStatus rv;
+ CK_TOKEN_INFO info;
+
+ rv = PK11_GetTokenInfo(slot, &info);
+ if (rv != SECSuccess) {
+ error("Failed to get information for token %s",
+ PK11_GetTokenName(slot));
+ return -1;
+ }
+
+ if (info.flags & CKF_USER_PIN_LOCKED) {
+ error("Passphrase for token %s is locked",
+ PK11_GetTokenName(slot));
+ return -1;
+ }
+
+ if (info.flags & CKF_USER_PIN_FINAL_TRY)
+ debug2("Final passphrase attempt for token %s",
+ PK11_GetTokenName(slot));
+ else if (info.flags & CKF_USER_PIN_COUNT_LOW)
+ debug2("Previous failed passphrase attempt for token %s",
+ PK11_GetTokenName(slot));
+
+ if (password != NULL)
+ *output = xstrdup(password);
+ else {
+ char *prompt;
+ if (asprintf(&prompt, "Enter passphrase for token %s: ",
+ PK11_GetTokenName(slot)) < 0)
+ fatal("password_cb: asprintf failed");
+ *output = read_passphrase(prompt, RP_ALLOW_STDIN);
+ }
+
+ if (strcmp(*output, "") == 0) {
+ debug2("no passphrase given, ignoring slot");
+ quit = 1;
+ goto cleanup;
+ }
+
+ quit = 0;
+
+ rv = PK11_Authenticate(slot, PR_TRUE, *output);
+ if (rv == SECSuccess)
+ return 0;
+
+ switch (PORT_GetError()) {
+ case SEC_ERROR_BAD_PASSWORD:
+ debug2("Incorrect passphrase, try again...");
+ break;
+ case SEC_ERROR_INVALID_ARGS:
+ case SEC_ERROR_BAD_DATA:
+ debug2("Invalid passphrase, try again...");
+ break;
+#if HAVE_SEC_ERROR_LOCKED_PASSWORD
+ case SEC_ERROR_LOCKED_PASSWORD:
+ error("Unable to authenticate, token passphrase is locked");
+ quit = 1;
+ break;
+#endif
+ default:
+ error("Failure while authenticating against token");
+ quit = 1;
+ }
+
+cleanup:
+ memset(*output, 0, strlen(*output));
+ xfree(*output);
+ *output = NULL;
+
+ /* No point in retrying the same password */
+ if (password != NULL)
+ break;
+
+ if (quit)
+ break;
+ }
+
+ return -1;
+}
+
+static Key **
+nss_find_privkeys(const char *tokenname, const char *keyname,
+ char *password)
+ char *password, int pwprompts)
+{
+ Key *k = NULL;
+ Key **keys = NULL;
@ -465,18 +582,10 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+ for (sle = slots->head; sle; sle = sle->next) {
+ SECKEYPrivateKeyList *list;
+ SECKEYPrivateKeyListNode *node;
+ char *tmppass = password;
+ char *tmppass;
+
+ if (PK11_NeedLogin(sle->slot)) {
+ if (password == NULL) {
+ char *prompt;
+ if (asprintf(&prompt, "Enter passphrase for token %s: ",
+ PK11_GetTokenName(sle->slot)) < 0)
+ fatal("password_cb: asprintf failed");
+ tmppass = read_passphrase(prompt, RP_ALLOW_STDIN);
+ }
+ PK11_Authenticate(sle->slot, PR_TRUE, tmppass);
+ }
+ if (nss_authenticate(sle->slot, password, pwprompts, &tmppass) == -1)
+ break;
+
+ debug("Looking for: %s:%s", tokenname, keyname);
+ list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname,
@ -521,7 +630,7 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+ SECKEY_DestroyPrivateKeyList(list);
+ }
+cleanup:
+ if (password == NULL && tmppass != NULL) {
+ if (tmppass != NULL) {
+ memset(tmppass, 0, strlen(tmppass));
+ xfree(tmppass);
+ }
@ -533,8 +642,9 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+
+Key **
+nss_get_keys(const char *tokenname, const char *keyname,
+ char *password)
+ char *password, int pwprompts, int num_modules, const char **modules)
+{
+ int i;
+ Key **keys;
+
+ if (nss_init(NULL) == -1) {
@ -542,7 +652,14 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+ return NULL;
+ }
+
+ keys = nss_find_privkeys(tokenname, keyname, password);
+ for (i = 0;i < num_modules;i++) {
+ if (nss_load_module(modules[i]) == -1) {
+ error("Failed to load PKCS#11 module '%s'", modules[i]);
+ return NULL;
+ }
+ }
+
+ keys = nss_find_privkeys(tokenname, keyname, password, pwprompts);
+ if (keys == NULL && keyname != NULL) {
+ error("Cannot find key in nss, token removed");
+ return NULL;
@ -578,8 +695,8 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c
+
+#endif /* HAVE_LIBNSS */
diff -up /dev/null openssh-5.3p1/nsskeys.h
--- /dev/null 2009-09-11 09:35:58.778798825 +0200
+++ openssh-5.3p1/nsskeys.h 2009-10-02 14:09:01.000000000 +0200
--- /dev/null 2009-11-27 11:08:21.619709673 +0100
+++ openssh-5.3p1/nsskeys.h 2009-11-27 13:43:01.000000000 +0100
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -613,7 +730,7 @@ diff -up /dev/null openssh-5.3p1/nsskeys.h
+#include <prtypes.h>
+
+int nss_init(PK11PasswordFunc);
+Key **nss_get_keys(const char *, const char *, char *);
+Key **nss_get_keys(const char *, const char *, char *, int , int , const char **);
+char *nss_get_key_label(Key *);
+/*void sc_close(void);*/
+/*int sc_put_key(Key *, const char *);*/
@ -622,30 +739,32 @@ diff -up /dev/null openssh-5.3p1/nsskeys.h
+#endif
diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c
--- openssh-5.3p1/readconf.c.nss-keys 2009-07-05 23:12:27.000000000 +0200
+++ openssh-5.3p1/readconf.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/readconf.c 2009-11-27 13:43:01.000000000 +0100
@@ -124,6 +124,7 @@ typedef enum {
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
+ oUseNSS, oNSSToken,
+ oUseNSS, oNSSToken, oNSSModule,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -210,6 +211,13 @@ static struct {
@@ -210,6 +211,15 @@ static struct {
#else
{ "smartcarddevice", oUnsupported },
#endif
+#ifdef HAVE_LIBNSS
+ { "usenss", oUseNSS },
+ { "nsstoken", oNSSToken },
+ { "nssmodule", oNSSModule },
+#else
+ { "usenss", oUnsupported },
+ { "nsstoken", oNSSToken },
+ { "nssmodule", oUnsupported },
+#endif
{ "clearallforwardings", oClearAllForwardings },
{ "enablesshkeysign", oEnableSSHKeysign },
{ "verifyhostkeydns", oVerifyHostKeyDNS },
@@ -613,6 +621,14 @@ parse_string:
@@ -613,6 +623,28 @@ parse_string:
charptr = &options->smartcard_device;
goto parse_string;
@ -657,19 +776,34 @@ diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c
+ charptr = &options->nss_token;
+ goto parse_command;
+
+ case oNSSModule:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
+ if (*activep) {
+ intptr = &options->num_nss_modules;
+ if (*intptr >= SSH_MAX_NSS_MODULES)
+ fatal("%.200s line %d: Too many PKCS#11 modules specified (max %d).",
+ filename, linenum, SSH_MAX_NSS_MODULES);
+ charptr = &options->nss_modules[*intptr];
+ *charptr = xstrdup(arg);
+ *intptr = *intptr + 1;
+ }
+ break;
case oProxyCommand:
charptr = &options->proxy_command;
parse_command:
@@ -1052,6 +1068,8 @@ initialize_options(Options * options)
@@ -1052,6 +1084,9 @@ initialize_options(Options * options)
options->preferred_authentications = NULL;
options->bind_address = NULL;
options->smartcard_device = NULL;
+ options->use_nss = -1;
+ options->nss_token = NULL;
+ options->num_nss_modules = 0;
options->enable_ssh_keysign = - 1;
options->no_host_authentication_for_localhost = - 1;
options->identities_only = - 1;
@@ -1183,6 +1201,8 @@ fill_default_options(Options * options)
@@ -1183,6 +1218,8 @@ fill_default_options(Options * options)
options->no_host_authentication_for_localhost = 0;
if (options->identities_only == -1)
options->identities_only = 0;
@ -680,19 +814,21 @@ diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c
if (options->rekey_limit == -1)
diff -up openssh-5.3p1/readconf.h.nss-keys openssh-5.3p1/readconf.h
--- openssh-5.3p1/readconf.h.nss-keys 2009-07-05 23:12:27.000000000 +0200
+++ openssh-5.3p1/readconf.h 2009-10-02 14:09:01.000000000 +0200
@@ -85,6 +85,8 @@ typedef struct {
+++ openssh-5.3p1/readconf.h 2009-11-27 13:43:01.000000000 +0100
@@ -85,6 +85,10 @@ typedef struct {
char *preferred_authentications;
char *bind_address; /* local socket address for connection to sshd */
char *smartcard_device; /* Smartcard reader device */
+ int use_nss; /* Use NSS library for keys */
+ char *nss_token; /* Look for NSS keys on token */
+ int num_nss_modules; /* Number of PCKS#11 modules. */
+ char *nss_modules[SSH_MAX_NSS_MODULES];
int verify_host_key_dns; /* Verify host key using DNS */
int num_identity_files; /* Number of files for RSA/DSA identities. */
diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c
--- openssh-5.3p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100
+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/ssh-add.c 2009-11-27 13:43:01.000000000 +0100
@@ -44,6 +44,14 @@
#include <openssl/evp.h>
#include "openbsd-compat/openssl-compat.h"
@ -932,7 +1068,7 @@ diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c
struct passwd *pw;
diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c
--- openssh-5.3p1/ssh-agent.c.nss-keys 2009-06-21 09:50:15.000000000 +0200
+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/ssh-agent.c 2009-11-27 13:43:01.000000000 +0100
@@ -80,6 +80,10 @@
#include "scard.h"
#endif
@ -977,7 +1113,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c
+ if (lifetime && !death)
+ death = time(NULL) + lifetime;
+
+ keys = nss_get_keys(tokenname, keyname, password);
+ keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL);
+ /* password is owned by keys[0] now */
+ xfree(tokenname);
+ xfree(keyname);
@ -1026,7 +1162,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c
+ keyname = buffer_get_string(&e->request, NULL);
+ password = buffer_get_string(&e->request, NULL);
+
+ keys = nss_get_keys(tokenname, keyname, password);
+ keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL);
+ xfree(tokenname);
+ xfree(keyname);
+ xfree(password);
@ -1077,7 +1213,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c
error("Unknown message %d", type);
diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c
--- openssh-5.3p1/ssh.c.nss-keys 2009-07-05 23:16:56.000000000 +0200
+++ openssh-5.3p1/ssh.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/ssh.c 2009-11-27 13:43:01.000000000 +0100
@@ -105,6 +105,9 @@
#ifdef SMARTCARD
#include "scard.h"
@ -1101,14 +1237,16 @@ diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c
if (options.smartcard_device != NULL &&
options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
(keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
@@ -1259,6 +1264,27 @@ load_public_identity_files(void)
@@ -1259,6 +1264,29 @@ load_public_identity_files(void)
xfree(keys);
}
#endif /* SMARTCARD */
+#ifdef HAVE_LIBNSS
+ if (options.use_nss &&
+ options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) {
+ (keys = nss_get_keys(options.nss_token, NULL, NULL,
+ options.number_of_password_prompts, options.num_nss_modules,
+ options.nss_modules)) != NULL) {
+ int count;
+ for (count = 0; keys[count] != NULL; count++) {
+ memmove(&options.identity_files[1], &options.identity_files[0],
@ -1131,7 +1269,7 @@ diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c
pwname = xstrdup(pw->pw_name);
diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c
--- openssh-5.3p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100
+++ openssh-5.3p1/ssh-dss.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/ssh-dss.c 2009-11-27 13:43:01.000000000 +0100
@@ -39,6 +39,10 @@
#include "log.h"
#include "key.h"
@ -1189,9 +1327,25 @@ diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c
if (datafellows & SSH_BUG_SIGBLOB) {
if (lenp != NULL)
*lenp = SIGBLOB_LEN;
diff -up openssh-5.3p1/ssh.h.nss-keys openssh-5.3p1/ssh.h
--- openssh-5.3p1/ssh.h.nss-keys 2006-08-05 04:39:41.000000000 +0200
+++ openssh-5.3p1/ssh.h 2009-11-27 13:43:01.000000000 +0100
@@ -28,6 +28,12 @@
#define SSH_MAX_IDENTITY_FILES 100
/*
+ * Maximum number of PKCS#11 modules that can be specified in configuration
+ * files or on the command line.
+ */
+#define SSH_MAX_NSS_MODULES 10
+
+/*
* Maximum length of lines in authorized_keys file.
* Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
* some room for options and comments.
diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c
--- openssh-5.3p1/ssh-keygen.c.nss-keys 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/ssh-keygen.c 2009-11-27 13:43:01.000000000 +0100
@@ -53,6 +53,11 @@
#include "scard.h"
#endif
@ -1215,7 +1369,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c
+ Key **keys = NULL;
+ int i;
+
+ keys = nss_get_keys(tokenname, keyname, NULL);
+ keys = nss_get_keys(tokenname, keyname, NULL, 1, 0, NULL);
+ if (keys == NULL)
+ fatal("cannot find public key in NSS");
+ for (i = 0; keys[i]; i++) {
@ -1295,7 +1449,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c
if (download)
diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c
--- openssh-5.3p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200
+++ openssh-5.3p1/ssh-rsa.c 2009-10-02 14:09:01.000000000 +0200
+++ openssh-5.3p1/ssh-rsa.c 2009-11-27 13:43:01.000000000 +0100
@@ -32,6 +32,10 @@
#include "compat.h"
#include "ssh.h"
@ -1366,43 +1520,3 @@ diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c
/* encode signature */
buffer_init(&b);
buffer_put_cstring(&b, "ssh-rsa");
diff -up /dev/null openssh-5.2p1/README.nss
--- /dev/null 2008-11-17 17:51:52.160001870 +0100
+++ openssh-5.2p1/README.nss 2008-11-18 19:11:41.000000000 +0100
@@ -0,0 +1,36 @@
+How to use NSS tokens with OpenSSH?
+
+This version of OpenSSH contains experimental support for authentication using
+keys stored in tokens stored in NSS database. This for example includes any
+PKCS#11 tokens which are installed in your NSS database.
+
+As the code is experimental and preliminary only SSH protocol 2 is supported.
+The NSS certificate and token databases are looked for in the ~/.ssh
+directory or in a directory specified by environment variable NSS_DB_PATH.
+
+Common operations:
+
+(1) tell the ssh client to use the NSS keys:
+
+ $ ssh -o 'UseNSS yes' otherhost
+
+ if you want to use a specific token:
+
+ $ ssh -o 'UseNSS yes' -o 'NSS Token My PKCS11 Token' otherhost
+
+(2) or tell the agent to use the NSS keys:
+
+ $ ssh-add -n
+
+ if you want to use a specific token:
+
+ $ ssh-add -n -T 'My PKCS11 Token'
+
+(3) extract the public key from token so it can be added to the
+server:
+
+ $ ssh-keygen -n
+
+ if you want to use a specific token and/or key:
+
+ $ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'
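Review bot: The `#if HAVE_SEC_ERROR_LOCKED_PASSWORD` guard around `case SEC_ERROR_LOCKED_PASSWORD:` in nss_authenticate (nsskeys.c) tests a macro that the accompanying configure.ac change never defines: `AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], ...)` emits `HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD` (as 1 or 0), so the name used here is undefined, evaluates to 0 in `#if`, and the locked-password branch this commit is meant to add is never compiled — a locked token lands in the generic `default:` error instead. The guard should read `#if HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD`. Separately, the `memset(*output, 0, strlen(*output));` right before `xfree(*output);` at the `cleanup:` label (and the matching pair in nss_find_privkeys) is only best-effort scrubbing of the passphrase, since a compiler may drop a store to memory that is freed immediately afterwards; a one-line comment such as `/* best-effort scrub; the store may be elided before xfree */` would stop a later reader from treating it as a guarantee. nss_authenticate is shown in full here, but nss_find_privkeys starts and ends outside the displayed hunks.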


@ -69,7 +69,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.3p1
Release: 9%{?dist}%{?rescue_rel}
Release: 11%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshauth.sourceforge.net
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -525,7 +525,10 @@ fi
%endif
%changelog
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-8
* Mon Nov 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-11
- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-9
- Add gssapi key exchange patch (#455351)
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-8