a small patch to make openssh ask for a pin. and a README.

this patch is a hack, not production quality, and will not be accepted by openssh. But a clean solution requires changes in openssh, and that will not be easy. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1810 c6295689-39f2-0310-b995-f0e70906c6a9
2004-06-30 21:37:03 +00:00 · 2004-06-30 21:37:03 +00:00 · 1e371c92f6
parent 07ff3af231
commit 1e371c92f6
2 changed files with 138 additions and 0 deletions
--- a/src/openssh/README
+++ b/src/openssh/README
@ -0,0 +1,7 @@
+ask-for-pin.diff
+	SSH can't ask for the pin of a smart card in version 3.8.1p1.
+	Fixing this is a major task and requires some kind of redesign
+	in openssh as far as we understand, so please have patience.
+
+	Meanwhile this patch can add the desired functionality, but
+	it is a crude hack, not meant to be added to openssh releases.
--- a/src/openssh/ask-for-pin.diff
+++ b/src/openssh/ask-for-pin.diff
@ -0,0 +1,131 @@
+Index: scard-opensc.c
+===================================================================
+RCS file: /cvs/openssh/scard-opensc.c,v
+retrieving revision 1.12
+diff -u -r1.12 scard-opensc.c
+--- scard-opensc.c	25 Aug 2003 00:58:26 -0000	1.12
+++ scard-opensc.c	27 Aug 2003 11:42:02 -0000
+@@ -38,6 +38,8 @@
+ #include "readpass.h"
+ #include "scard.h"
+ 
+int ask_for_pin=0;
+
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
+ #define USE_ENGINE
+ #define RSA_get_default_method RSA_get_default_openssl_method
+@@ -119,6 +121,7 @@
+ 	struct sc_pkcs15_prkey_info *key;
+ 	struct sc_pkcs15_object *pin_obj;
+ 	struct sc_pkcs15_pin_info *pin;
+	char *passphrase = NULL;
+ 
+ 	priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
+ 	if (priv == NULL)
+@@ -156,24 +159,47 @@
+ 		goto err;
+ 	}
+ 	pin = pin_obj->data;
+
+	if (sc_pin)
+		passphrase = sc_pin;
+	else if (ask_for_pin) {
+		/* we need a pin but don't have one => ask for the pin */
+		char prompt[64];
+
+		snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
+			key_obj->label ? key_obj->label : "smartcard key");
+		passphrase = read_passphrase(prompt, 0);
+		if (!passphrase || !strcmp(passphrase, ""))
+			goto err;
+	} else 
+		/* no pin => error */
+		goto err;
+
+ 	r = sc_lock(card);
+ 	if (r) {
+ 		error("Unable to lock smartcard: %s", sc_strerror(r));
+ 		goto err;
+ 	}
+-	if (sc_pin != NULL) {
+-		r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
+-					 strlen(sc_pin));
+-		if (r) {
+-			sc_unlock(card);
+-			error("PIN code verification failed: %s",
+-			      sc_strerror(r));
+-			goto err;
+-		}
+	r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
+				 strlen(passphrase));
+	if (r) {
+		sc_unlock(card);
+		error("PIN code verification failed: %s",
+		      sc_strerror(r));
+		goto err;
+ 	}
+
+ 	*key_obj_out = key_obj;
+	if (!sc_pin) {
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+	}
+ 	return 0;
+ err:
+	if (!sc_pin && passphrase) {
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+	}
+ 	sc_close();
+ 	return -1;
+ }
+Index: scard.c
+===================================================================
+RCS file: /cvs/openssh/scard.c,v
+retrieving revision 1.27
+diff -u -r1.27 scard.c
+--- scard.c	18 Jun 2003 10:28:40 -0000	1.27
+++ scard.c	27 Aug 2003 11:42:02 -0000
+@@ -35,6 +35,9 @@
+ #include "readpass.h"
+ #include "scard.h"
+ 
+/* currently unused */
+int ask_for_pin = 0;
+
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+ #define USE_ENGINE
+ #define RSA_get_default_method RSA_get_default_openssl_method
+Index: scard.h
+===================================================================
+RCS file: /cvs/openssh/scard.h,v
+retrieving revision 1.10
+diff -u -r1.10 scard.h
+--- scard.h	18 Jun 2003 10:28:40 -0000	1.10
+++ scard.h	27 Aug 2003 11:42:02 -0000
+@@ -33,6 +33,8 @@
+ #define SCARD_ERROR_NOCARD	-2
+ #define SCARD_ERROR_APPLET	-3
+ 
+extern int ask_for_pin;
+
+ Key	**sc_get_keys(const char *, const char *);
+ void	 sc_close(void);
+ int	 sc_put_key(Key *, const char *);
+Index: ssh.c
+===================================================================
+RCS file: /cvs/openssh/ssh.c,v
+retrieving revision 1.180
+diff -u -r1.180 ssh.c
+--- ssh.c	21 Aug 2003 23:34:41 -0000	1.180
+++ ssh.c	27 Aug 2003 11:42:02 -0000
+@@ -1155,6 +1155,9 @@
+ #ifdef SMARTCARD
+ 	Key **keys;
+ 
+	if (!options.batch_mode)
+		ask_for_pin = 1;
+
+ 	if (options.smartcard_device != NULL &&
+ 	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ 	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {