- (djm) Applied OpenSC smartcard updates from Markus &

Antti Tapaninen <aet@cc.hut.fi>

README.smartcard

@@ -1,31 +1,23 @@
 How to use smartcards with OpenSSH?
 
-OpenSSH contains experimental support for authentication using
-Cyberflex smartcards and TODOS card readers, in addition to the cards with
-PKCS #15 structure supported by OpenSC. 
+OpenSSH contains experimental support for authentication using Cyberflex
+smartcards and TODOS card readers, in addition to the cards with PKCS#15
+structure supported by OpenSC.
 
-WARNING: Smartcard support is still in development. Keyfile formats, etc
-are still subject to change.
+WARNING: Smartcard support is still in development.
+Keyfile formats, etc are still subject to change.
 
-To enable this you need to:
+To enable sectok support:
 
-(1) install sectok or OpenSC
+(1) install sectok:
 
-	Sources are instructions are available from
+	Sources and instructions are available from
 	http://www.citi.umich.edu/projects/smartcard/sectok.html
 
-	or
-
-	http://www.opensc.org/
-
-(2) enable SMARTCARD support in OpenSSH:
+(2) enable sectok support in OpenSSH:
 
 	$ ./configure --with-sectok[=/path/to/libsectok] [options]
 
-	or
-
-	$ ./configure --with-opensc[=/path/to/opensc] [options]
-
 (3) load the Java Cardlet to the Cyberflex card:
 
 	$ sectok
@@ -35,12 +27,11 @@ To enable this you need to:
 
 (4) load a RSA key to the card:
 
-	please don't use your production RSA keys, since
+	Please don't use your production RSA keys, since
 	with the current version of sectok/ssh-keygen
-	the private key file is still readable
+	the private key file is still readable.
 
-	$ ssh-keygen -f /path/to/rsakey -U 1
-	(where 1 is the reader number, you can also try 0)
+	$ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
 
 	In spite of the name, this does not generate a key.
 	It just loads an already existing key on to the card.
@@ -65,13 +56,30 @@ To enable this you need to:
 	wrong passphrase three times in a row, you will
 	destroy your card.
 
-(6) tell the ssh client to use the card reader:
+To enable OpenSC support:
 
-	$ ssh -I 1 otherhost
+(1) install OpenSC:
 
-(7) or tell the agent (don't forget to restart) to use the smartcard:
+	Sources and instructions are available from
+	http://www.opensc.org/
 
-	$ ssh-add -s 1
+(2) enable OpenSC support in OpenSSH:
+
+	$ ./configure --with-opensc[=/path/to/opensc] [options]
+
+(3) load a RSA key to the card:
+
+	Not supported yet.
+
+Common smartcard options:
+
+(1) tell the ssh client to use the card reader:
+
+	$ ssh -I <readernum, eg. 0> otherhost
+
+(2) or tell the agent (don't forget to restart) to use the smartcard:
+
+	$ ssh-add -s <readernum, eg. 0>
 
 -markus,
-Tue Jul 17 23:54:51 CEST 2001
+Sat Apr 13 13:48:10 EEST 2002

configure.ac

@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.47 2002/04/23 10:23:00 djm Exp $
+# $Id: configure.ac,v 1.48 2002/04/23 12:48:46 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -1719,33 +1719,22 @@ AC_ARG_WITH(sectok,
 
 # Check whether user wants OpenSC support
 AC_ARG_WITH(opensc,
-	[  --with-opensc           Enable smartcard support using OpenSC],
-	[
-		if test "x$withval" != "xno" ; then
-			if test "x$withval" != "xyes" ; then
-				CPPFLAGS="$CPPFLAGS -I${withval}"
-				LDFLAGS="$LDFLAGS -L${withval}"
-				if test ! -z "$need_dash_r" ; then
-					LDFLAGS="$LDFLAGS -R${withval}"
-				fi
-				if test ! -z "$blibpath" ; then
-					blibpath="$blibpath:${withval}"
-				fi
-			fi
-			AC_CHECK_HEADERS(opensc/pkcs15.h)
-			if test "$ac_cv_header_opensc_pkcs15_h" != yes; then
-				AC_MSG_ERROR(Can't find opensc/pkcs15.h)
-			fi
-			AC_CHECK_LIB(opensc, sc_pkcs15_bind)
-			if test "$ac_cv_lib_opensc_sc_pkcs15_bind" != yes; then
-				AC_MSG_ERROR(Can't find libopensc)
-			fi
-			AC_DEFINE(SMARTCARD)
-			AC_DEFINE(USE_OPENSC)
-			SCARD_MSG="yes, using OpenSC" 
-		fi
-	]
-)
+	AC_HELP_STRING([--with-opensc=PFX],
+		       [Enable smartcard support using OpenSC]),
+	opensc_config_prefix="$withval", opensc_config_prefix="")
+if test x$opensc_config_prefix != x ; then
+  OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
+  AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
+  if test "$OPENSC_CONFIG" != "no"; then
+    LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
+    LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
+    CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
+    LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+    AC_DEFINE(SMARTCARD)
+    AC_DEFINE(USE_OPENSC)
+    SCARD_MSG="yes, using OpenSC" 
+  fi
+fi
 
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no" 

scard-opensc.c

@@ -173,7 +173,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
 	r = sc_prkey_op_init(rsa, &key_obj);
 	if (r)
 		return -1;
-	r = sc_pkcs15_decipher(p15card, key_obj, from, flen, to, flen);
+	r = sc_pkcs15_decipher(p15card, key_obj, 0, from, flen, to, flen);
 	sc_unlock(card);
 	if (r < 0) {
 		error("sc_pkcs15_decipher() failed: %s", sc_strerror(r));