From d94f20d28e9e966576302cd951776401c2856df6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 11 Jun 2003 22:06:33 +1000 Subject: [PATCH] - djm@cvs.openbsd.org 2003/06/11 11:18:38 [authfd.c authfd.h ssh-add.c ssh-agent.c] make agent constraints (lifetime, confirm) work with smartcard keys; ok markus@ --- ChangeLog | 6 +++++- authfd.c | 27 ++++++++++++++++++++++----- authfd.h | 6 ++++-- ssh-add.c | 4 ++-- ssh-agent.c | 25 +++++++++++++++++++++---- 5 files changed, 54 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index fab1da44b..fc17be0ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,10 @@ - jakob@cvs.openbsd.org 2003/06/11 10:18:47 [dns.c] sync with check_host_key() change + - djm@cvs.openbsd.org 2003/06/11 11:18:38 + [authfd.c authfd.h ssh-add.c ssh-agent.c] + make agent constraints (lifetime, confirm) work with smartcard keys; + ok markus@ 20030609 @@ -502,4 +506,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2796 2003/06/11 12:05:45 djm Exp $ +$Id: ChangeLog,v 1.2797 2003/06/11 12:06:33 djm Exp $ diff --git a/authfd.c b/authfd.c index 7e96269a4..368544b17 100644 --- a/authfd.c +++ b/authfd.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.59 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.60 2003/06/11 11:18:38 djm Exp $"); #include @@ -589,16 +589,33 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) } int -ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin) +ssh_update_card(AuthenticationConnection *auth, int add, + const char *reader_id, const char *pin, u_int life, u_int confirm) { Buffer msg; - int type; + int type, constrained = (life || confirm); + + if (add) { + type = constrained ? + SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED : + SSH_AGENTC_ADD_SMARTCARD_KEY; + } else + type = SSH_AGENTC_REMOVE_SMARTCARD_KEY; buffer_init(&msg); - buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY : - SSH_AGENTC_REMOVE_SMARTCARD_KEY); + buffer_put_char(&msg, type); buffer_put_cstring(&msg, reader_id); buffer_put_cstring(&msg, pin); + + if (constrained) { + if (life != 0) { + buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); + buffer_put_int(&msg, life); + } + if (confirm != 0) + buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM); + } + if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); return 0; diff --git a/authfd.h b/authfd.h index 2a8751ec1..74b825c51 100644 --- a/authfd.h +++ b/authfd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.32 2003/01/23 13:50:27 markus Exp $ */ +/* $OpenBSD: authfd.h,v 1.33 2003/06/11 11:18:38 djm Exp $ */ /* * Author: Tatu Ylonen @@ -49,6 +49,7 @@ /* add key with constraints */ #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24 #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 +#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 #define SSH_AGENT_CONSTRAIN_LIFETIME 1 #define SSH_AGENT_CONSTRAIN_CONFIRM 2 @@ -82,7 +83,8 @@ int ssh_add_identity_constrained(AuthenticationConnection *, Key *, int ssh_remove_identity(AuthenticationConnection *, Key *); int ssh_remove_all_identities(AuthenticationConnection *, int); int ssh_lock_agent(AuthenticationConnection *, int, const char *); -int ssh_update_card(AuthenticationConnection *, int, const char *, const char *); +int ssh_update_card(AuthenticationConnection *, int, const char *, + const char *, u_int, u_int); int ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], diff --git a/ssh-add.c b/ssh-add.c index 9adec3094..9d14a3649 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.67 2003/06/11 11:18:38 djm Exp $"); #include @@ -201,7 +201,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) if (pin == NULL) return -1; - if (ssh_update_card(ac, add, id, pin)) { + if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) { fprintf(stderr, "Card %s: %s\n", add ? "added" : "removed", id); ret = 0; diff --git a/ssh-agent.c b/ssh-agent.c index fbd41834e..61ea34580 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.109 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.110 2003/06/11 11:18:38 djm Exp $"); #include #include @@ -580,13 +580,29 @@ static void process_add_smartcard_key (SocketEntry *e) { char *sc_reader_id = NULL, *pin; - int i, version, success = 0; + int i, version, success = 0, death = 0, confirm = 0; Key **keys, *k; Identity *id; Idtab *tab; sc_reader_id = buffer_get_string(&e->request, NULL); pin = buffer_get_string(&e->request, NULL); + + while (buffer_len(&e->request)) { + switch (buffer_get_char(&e->request)) { + case SSH_AGENT_CONSTRAIN_LIFETIME: + death = time(NULL) + buffer_get_int(&e->request); + break; + case SSH_AGENT_CONSTRAIN_CONFIRM: + confirm = 1; + break; + default: + break; + } + } + if (lifetime && !death) + death = time(NULL) + lifetime; + keys = sc_get_keys(sc_reader_id, pin); xfree(sc_reader_id); xfree(pin); @@ -603,8 +619,8 @@ process_add_smartcard_key (SocketEntry *e) id = xmalloc(sizeof(Identity)); id->key = k; id->comment = xstrdup("smartcard key"); - id->death = 0; - id->confirm = 0; + id->death = death; + id->confirm = confirm; TAILQ_INSERT_TAIL(&tab->idlist, id, next); tab->nentries++; success = 1; @@ -748,6 +764,7 @@ process_message(SocketEntry *e) break; #ifdef SMARTCARD case SSH_AGENTC_ADD_SMARTCARD_KEY: + case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED: process_add_smartcard_key(e); break; case SSH_AGENTC_REMOVE_SMARTCARD_KEY: