- (djm) Applied OpenSC smartcard updates from Markus &

Antti Tapaninen <aet@cc.hut.fi>
Damien Miller 2002-04-23 22:48:46 +10:00
parent 654a4ef969
commit f6195f2be8
3 changed files with 52 additions and 55 deletions


@ -1,31 +1,23 @@
How to use smartcards with OpenSSH? How to use smartcards with OpenSSH?
OpenSSH contains experimental support for authentication using OpenSSH contains experimental support for authentication using Cyberflex
Cyberflex smartcards and TODOS card readers, in addition to the cards with smartcards and TODOS card readers, in addition to the cards with PKCS#15
PKCS #15 structure supported by OpenSC. structure supported by OpenSC.
WARNING: Smartcard support is still in development. Keyfile formats, etc WARNING: Smartcard support is still in development.
are still subject to change. Keyfile formats, etc are still subject to change.
To enable this you need to: To enable sectok support:
(1) install sectok or OpenSC (1) install sectok:
Sources are instructions are available from Sources and instructions are available from
http://www.citi.umich.edu/projects/smartcard/sectok.html http://www.citi.umich.edu/projects/smartcard/sectok.html
or (2) enable sectok support in OpenSSH:
http://www.opensc.org/
(2) enable SMARTCARD support in OpenSSH:
$ ./configure --with-sectok[=/path/to/libsectok] [options] $ ./configure --with-sectok[=/path/to/libsectok] [options]
or
$ ./configure --with-opensc[=/path/to/opensc] [options]
(3) load the Java Cardlet to the Cyberflex card: (3) load the Java Cardlet to the Cyberflex card:
$ sectok $ sectok
@ -35,12 +27,11 @@ To enable this you need to:
(4) load a RSA key to the card: (4) load a RSA key to the card:
please don't use your production RSA keys, since Please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen with the current version of sectok/ssh-keygen
the private key file is still readable the private key file is still readable.
$ ssh-keygen -f /path/to/rsakey -U 1 $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
(where 1 is the reader number, you can also try 0)
In spite of the name, this does not generate a key. In spite of the name, this does not generate a key.
It just loads an already existing key on to the card. It just loads an already existing key on to the card.
@ -65,13 +56,30 @@ To enable this you need to:
wrong passphrase three times in a row, you will wrong passphrase three times in a row, you will
destroy your card. destroy your card.
(6) tell the ssh client to use the card reader: To enable OpenSC support:
$ ssh -I 1 otherhost (1) install OpenSC:
(7) or tell the agent (don't forget to restart) to use the smartcard: Sources and instructions are available from
http://www.opensc.org/
$ ssh-add -s 1 (2) enable OpenSC support in OpenSSH:
$ ./configure --with-opensc[=/path/to/opensc] [options]
(3) load a RSA key to the card:
Not supported yet.
Common smartcard options:
(1) tell the ssh client to use the card reader:
$ ssh -I <readernum, eg. 0> otherhost
(2) or tell the agent (don't forget to restart) to use the smartcard:
$ ssh-add -s <readernum, eg. 0>
-markus, -markus,
Tue Jul 17 23:54:51 CEST 2001 Sat Apr 13 13:48:10 EEST 2002


@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.47 2002/04/23 10:23:00 djm Exp $ # $Id: configure.ac,v 1.48 2002/04/23 12:48:46 djm Exp $
AC_INIT AC_INIT
AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_SRCDIR([ssh.c])
@ -1719,33 +1719,22 @@ AC_ARG_WITH(sectok,
# Check whether user wants OpenSC support # Check whether user wants OpenSC support
AC_ARG_WITH(opensc, AC_ARG_WITH(opensc,
[ --with-opensc Enable smartcard support using OpenSC], AC_HELP_STRING([--with-opensc=PFX],
[ [Enable smartcard support using OpenSC]),
if test "x$withval" != "xno" ; then opensc_config_prefix="$withval", opensc_config_prefix="")
if test "x$withval" != "xyes" ; then if test x$opensc_config_prefix != x ; then
CPPFLAGS="$CPPFLAGS -I${withval}" OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
LDFLAGS="$LDFLAGS -L${withval}" AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
if test ! -z "$need_dash_r" ; then if test "$OPENSC_CONFIG" != "no"; then
LDFLAGS="$LDFLAGS -R${withval}" LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
fi LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
if test ! -z "$blibpath" ; then CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
blibpath="$blibpath:${withval}" LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
fi AC_DEFINE(SMARTCARD)
fi AC_DEFINE(USE_OPENSC)
AC_CHECK_HEADERS(opensc/pkcs15.h) SCARD_MSG="yes, using OpenSC"
if test "$ac_cv_header_opensc_pkcs15_h" != yes; then fi
AC_MSG_ERROR(Can't find opensc/pkcs15.h) fi
fi
AC_CHECK_LIB(opensc, sc_pkcs15_bind)
if test "$ac_cv_lib_opensc_sc_pkcs15_bind" != yes; then
AC_MSG_ERROR(Can't find libopensc)
fi
AC_DEFINE(SMARTCARD)
AC_DEFINE(USE_OPENSC)
SCARD_MSG="yes, using OpenSC"
fi
]
)
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
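Review bot: The guard `if test x$opensc_config_prefix != x ; then` at the top of the new block treats `--without-opensc` (withval is `no`) and a bare `--with-opensc` (withval is `yes`) as real prefixes, so OPENSC_CONFIG is preset to `no/bin/opensc-config` or `yes/bin/opensc-config` and the later `"$OPENSC_CONFIG" != "no"` test does not catch either; depending on how AC_PATH_PROG handles a preset relative value, this can define SMARTCARD and USE_OPENSC for a build the user explicitly disabled, or with empty CPPFLAGS/LDFLAGS after `$OPENSC_CONFIG --cflags` fails. I would change the guard to `if test "x$opensc_config_prefix" != x -a "x$opensc_config_prefix" != xno ; then` and only set `OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config` when the value is not `yes`, letting AC_PATH_PROG search PATH otherwise. The rewrite also drops the two AC_MSG_ERROR paths and the AC_CHECK_LIB test for sc_pkcs15_bind, so a missing opensc-config now silently yields a build without OpenSC although it was requested, and a broken installation is only found at link time; an `else AC_MSG_ERROR(Can't find opensc-config)` on the `!= "no"` test would restore the earlier fail-fast behaviour. The old `need_dash_r`/`blibpath` handling is gone as well, and I cannot tell from this hunk whether `opensc-config --libs` supplies an equivalent rpath on the platforms that needed it.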


@ -173,7 +173,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
r = sc_prkey_op_init(rsa, &key_obj); r = sc_prkey_op_init(rsa, &key_obj);
if (r) if (r)
return -1; return -1;
r = sc_pkcs15_decipher(p15card, key_obj, from, flen, to, flen); r = sc_pkcs15_decipher(p15card, key_obj, 0, from, flen, to, flen);
sc_unlock(card); sc_unlock(card);
if (r < 0) { if (r < 0) {
error("sc_pkcs15_decipher() failed: %s", sc_strerror(r)); error("sc_pkcs15_decipher() failed: %s", sc_strerror(r));
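Review bot: The newly inserted third argument to sc_pkcs15_decipher is a bare `0` with nothing saying what it selects; if it is the OpenSC flags word, as the position suggests, `0 /* flags: none */` or a named constant would keep the call readable beside the two `flen` arguments. The call also passes `flen` as both the input and the output buffer length, so `to` must be at least `flen` bytes; that caller contract is worth a one-line comment on sc_private_decrypt, whose body begins and ends outside this hunk. The error path below already reports the negative return via sc_strerror, which is the right place for it.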