summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/README.smartcard52
-rw-r--r--usr.bin/ssh/authfd.c5
-rw-r--r--usr.bin/ssh/authfd.h4
-rw-r--r--usr.bin/ssh/scard/Ssh.bin.uu27
-rw-r--r--usr.bin/ssh/scard/Ssh.java59
-rw-r--r--usr.bin/ssh/ssh-add.c10
-rw-r--r--usr.bin/ssh/ssh-agent.c14
-rw-r--r--usr.bin/ssh/ssh.c4
8 files changed, 98 insertions, 77 deletions
diff --git a/usr.bin/ssh/README.smartcard b/usr.bin/ssh/README.smartcard
index 499dc8ed620..49c0cc5f031 100644
--- a/usr.bin/ssh/README.smartcard
+++ b/usr.bin/ssh/README.smartcard
@@ -4,28 +4,36 @@ OpenSSH contains experimental support for authentication using
Cyberflex smartcards and TODOS card readers. To enable this you
need to:
-(1) install sectok
-
- $ cd /usr/src/lib/libsectok
- $ make obj depend all install includes
- $ cd /usr/src/usr.bin/sectok
- $ make obj depend all install
-
-(2) enable SMARTCARD support in OpenSSH:
+(1) enable SMARTCARD support in OpenSSH:
$ vi /usr/src/usr.bin/ssh/Makefile.inc
and uncomment
CFLAGS+= -DSMARTCARD
LDADD+= -lsectok
-(3) load the Java Cardlet to the Cyberflex card:
+(2) load the Java Cardlet to the Cyberflex card and set card passphrase:
$ sectok
sectok> login -d
+ sectok> junload Ssh.bin
sectok> jload /usr/libdata/ssh/Ssh.bin
+ sectok> setpass
+ Enter new AUT0 passphrase:
+ Re-enter passphrase:
sectok> quit
-(4) load a RSA key to the card:
+ Do not forget the passphrase. There is no way to
+ recover if you do.
+
+ IMPORTANT WARNING: If you attempt to login with the
+ wrong passphrase three times in a row, you will
+ destroy your card.
+
+ If you have loaded an older version of Ssh.bin on
+ your card previously, you must unload it and load
+ the new one.
+
+(3) load a RSA key to the card:
please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen
@@ -37,31 +45,11 @@ need to:
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
-(5) optional:
-
- Change the card password so that only you can
- read the private key:
-
- $ sectok
- sectok> login -d
- sectok> setpass
- sectok> quit
-
- This prevents reading the key but not use of the
- key by the card applet.
-
- Do not forget the passphrase. There is no way to
- recover if you do.
-
- IMPORTANT WARNING: If you attempt to login with the
- wrong passphrase three times in a row, you will
- destroy your card.
-
-(6) tell the ssh client to use the card reader:
+(4) tell the ssh client to use the card reader:
$ ssh -I 1 otherhost
-(7) or tell the agent (don't forget to restart) to use the smartcard:
+(5) or tell the agent (don't forget to restart) to use the smartcard:
$ ssh-add -s 1
diff --git a/usr.bin/ssh/authfd.c b/usr.bin/ssh/authfd.c
index fa764358fac..f3050d64db2 100644
--- a/usr.bin/ssh/authfd.c
+++ b/usr.bin/ssh/authfd.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.48 2002/02/24 19:14:59 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.49 2002/03/21 22:44:05 rees Exp $");
#include <openssl/evp.h>
@@ -532,7 +532,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
}
int
-ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id)
+ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)
{
Buffer msg;
int type;
@@ -541,6 +541,7 @@ ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id)
buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY :
SSH_AGENTC_REMOVE_SMARTCARD_KEY);
buffer_put_cstring(&msg, reader_id);
+ buffer_put_cstring(&msg, pin);
if (ssh_request_reply(auth, &msg, &msg) == 0) {
buffer_free(&msg);
return 0;
diff --git a/usr.bin/ssh/authfd.h b/usr.bin/ssh/authfd.h
index 0f2ca7a2ecf..e8a0ec88f48 100644
--- a/usr.bin/ssh/authfd.h
+++ b/usr.bin/ssh/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.23 2002/03/04 17:27:39 stevesk Exp $ */
+/* $OpenBSD: authfd.h,v 1.24 2002/03/21 22:44:05 rees Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -67,7 +67,7 @@ Key *ssh_get_next_identity(AuthenticationConnection *, char **, int);
int ssh_add_identity(AuthenticationConnection *, Key *, const char *);
int ssh_remove_identity(AuthenticationConnection *, Key *);
int ssh_remove_all_identities(AuthenticationConnection *, int);
-int ssh_update_card(AuthenticationConnection *, int, const char *);
+int ssh_update_card(AuthenticationConnection *, int, const char *, const char *);
int
ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
diff --git a/usr.bin/ssh/scard/Ssh.bin.uu b/usr.bin/ssh/scard/Ssh.bin.uu
index 1062e21d68c..ea3986a694a 100644
--- a/usr.bin/ssh/scard/Ssh.bin.uu
+++ b/usr.bin/ssh/scard/Ssh.bin.uu
@@ -1,16 +1,17 @@
begin 644 Ssh.bin
-M`P)!%P`501P`;``!`C@"`/Y@\`4`_J'P!0!!%T$;`?Z@\`4`01=!&@'^>/,!
-M`4$701P!_G#S%P'^0],1`?Y@\!0`_G/S'0#^<]4``D$7L`4`_F'3``!!%T$9
-M`?YATP4`_G/5"P7^8=,'`OZAT`$!_J#0$@1!%T$8`0```$$7!`$&`/Y@`;@`
-M`$$8\`H(`$$9\`H``$$:\@\``$$;\B$``$$<\A```/`&__(```0(`!8```9C
-M""T#"<(H+00$*"T%""A;`&19``#P$/_R`P(&`0#(```38`!!70!&$UP`1@09
-M":1+``D*D`!@`"@37`!&!!E6`````*(````$____P````*$````0````*@``
-M`"````"-````,````&H37`!&`QD(2@`)"FX`8``H$UP`1@<9"@#_/2!@`$L1
-M2@`)"F<`8``H$UP`'A-<`$8($1-<`$8(7@!0"!%@`%59"C\`8`!:*PIS:&``
-M6BL37`!&`P,*`(!@`%\K`PH`@&``55D37`!&`P<H$UP`1@0#*`,%8`!565D*
-M;0!@`"A9`/`"__(!`0$)``@```J0`&``*%D`\!/_\@$!`@D`#```8D$7+5\`
-M/"M9````\!+_]@$!`P$`&```$UP`'EX`,D4`#Q-<`!X*`,@)$%X`-P17L`7_
-M\@$!!`(`/```$U\``!-B_J$M7P`%70`*$V+^H"U?``]=`!038OYX+0H$`%\`
-<&5T`'@H$`&``(T4`"0IG`&``*!->`"U9````````
+M`P)!&P`801X`>``!`E@"`/Y@\`4`_J'P!0!!&T$=`?Z@\`4`01M!'`'^>/,!
+M`4$;01X!_G#S%P'^0],1`?Y@\!0`_G/S'0#^<]4``D$;L`4`_F'3``#^8=,%
+M`/ZAT`$!_J#0)P'^H],*`?ZCTPD`_G/5"P7^8=,'`OZAT`H`_J#0$@3^:-,@
+M`T$;`P`%`/Y@`<P``$$<\@\``$$=\B$``$$>\A```/`0__(%`@8!`0H``&``
+M0205!!D)I$L`"0J0`&``*!4$&58``````.P````%____P````.D````0````
+M,P```"````#'````,````(T````R````V!4#&0A*``D*;@!@`"@5!QD*`/\]
+M(6``1A)*``D*9P!@`"@*/P!@`$LK"1)@`$LK!6``4!P$#00#2@`.#01@`%5@
+M`%I@`"@37``>%0@2%0A>`%\($F``9%(`:`H_`&``2RL*<VA@`$LK8`!I"1`U
+M(14#`Q)@`&X<!`T$`TL`"P,28`!D4@`.#01@`%5@`%I@`"A2`"X5`PH$`&``
+M<RL#!6``9%(`'14#"@$"8`!S*P,%8`!D4@`,4@`)"FT`8``H60``\`+_\@$!
+M`0D`"```"I``8``H60#P$__R`0$""0`,``!B01LM7P`\*UD```#P$O_V`0$#
+M`0`8```37``>7@`R10`/$UP`'@H`R`D07@`W!%>P!?_R`0$$`@`\```37P``
+M$V+^H2U?``5=``H38OZ@+5\`#UT`%!-B_G@M"@0`7P`970`>"@0`8``C10`)
+/"F<`8``H$UX`+5D`````
`
end
diff --git a/usr.bin/ssh/scard/Ssh.java b/usr.bin/ssh/scard/Ssh.java
index 3692b9bbb4f..1f2ae58bb0e 100644
--- a/usr.bin/ssh/scard/Ssh.java
+++ b/usr.bin/ssh/scard/Ssh.java
@@ -1,4 +1,4 @@
-// $Id: Ssh.java,v 1.2 2001/07/30 20:08:14 rees Exp $
+// $Id: Ssh.java,v 1.3 2002/03/21 22:44:05 rees Exp $
//
// Ssh.java
// SSH / smartcard integration project, smartcard side
@@ -42,6 +42,9 @@ import javacardx.crypto.*;
public class Ssh extends javacard.framework.Applet
{
+ // Change this when the applet changes; hi byte is major, low byte is minor
+ static final short applet_version = (short)0x0102;
+
/* constants declaration */
// code of CLA byte in the command APDU header
static final byte Ssh_CLA =(byte)0x05;
@@ -50,20 +53,19 @@ public class Ssh extends javacard.framework.Applet
static final byte DECRYPT = (byte) 0x10;
static final byte GET_KEYLENGTH = (byte) 0x20;
static final byte GET_PUBKEY = (byte) 0x30;
+ static final byte GET_VERSION = (byte) 0x32;
static final byte GET_RESPONSE = (byte) 0xc0;
- /* instance variables declaration */
static final short keysize = 1024;
+ static final short root_fid = (short)0x3f00;
+ static final short privkey_fid = (short)0x0012;
+ static final short pubkey_fid = (short)(('s'<<8)|'h');
- //RSA_CRT_PrivateKey rsakey;
+ /* instance variables declaration */
AsymKey rsakey;
CyberflexFile file;
CyberflexOS os;
- byte buffer[];
-
- static byte[] keyHdr = {(byte)0xC2, (byte)0x01, (byte)0x05};
-
private Ssh()
{
file = new CyberflexFile();
@@ -98,7 +100,8 @@ public class Ssh extends javacard.framework.Applet
// APDU object carries a byte array (buffer) to
// transfer incoming and outgoing APDU header
// and data bytes between card and CAD
- buffer = apdu.getBuffer();
+ byte buffer[] = apdu.getBuffer();
+ short size, st;
// verify that if the applet can accept this
// APDU message
@@ -111,29 +114,47 @@ public class Ssh extends javacard.framework.Applet
if (buffer[ISO.OFFSET_CLA] != Ssh_CLA)
ISOException.throwIt(ISO.SW_CLA_NOT_SUPPORTED);
//decrypt (apdu);
- short size = (short) (buffer[ISO.OFFSET_LC] & 0x00FF);
+ size = (short) (buffer[ISO.OFFSET_LC] & 0x00FF);
if (apdu.setIncomingAndReceive() != size)
ISOException.throwIt (ISO.SW_WRONG_LENGTH);
+ // check access; depends on bit 2 (x/a)
+ file.selectFile(root_fid);
+ file.selectFile(privkey_fid);
+ st = os.checkAccess(ACL.EXECUTE);
+ if (st != ST.ACCESS_CLEARED) {
+ CyberflexAPDU.prepareSW1SW2(st);
+ ISOException.throwIt(CyberflexAPDU.getSW1SW2());
+ }
+
rsakey.cryptoUpdate (buffer, (short) ISO.OFFSET_CDATA, size,
buffer, (short) ISO.OFFSET_CDATA);
apdu.setOutgoingAndSend ((short) ISO.OFFSET_CDATA, size);
- return;
+ break;
case GET_PUBKEY:
- file.selectFile((short)(0x3f<<8)); // select root
- file.selectFile((short)(('s'<<8)|'h')); // select public key file
- os.readBinaryFile (buffer, (short)0, (short)0, (short)(keysize/8));
- apdu.setOutgoingAndSend((short)0, (short)(keysize/8));
- return;
+ file.selectFile(root_fid); // select root
+ file.selectFile(pubkey_fid); // select public key file
+ size = (short)(file.getFileSize() - 16);
+ st = os.readBinaryFile(buffer, (short)0, (short)0, size);
+ if (st == ST.SUCCESS)
+ apdu.setOutgoingAndSend((short)0, size);
+ else {
+ CyberflexAPDU.prepareSW1SW2(st);
+ ISOException.throwIt(CyberflexAPDU.getSW1SW2());
+ }
+ break;
case GET_KEYLENGTH:
- buffer[0] = (byte)((keysize >> 8) & 0xff);
- buffer[1] = (byte)(keysize & 0xff);
+ Util.setShort(buffer, (short)0, keysize);
+ apdu.setOutgoingAndSend ((short)0, (short)2);
+ break;
+ case GET_VERSION:
+ Util.setShort(buffer, (short)0, applet_version);
apdu.setOutgoingAndSend ((short)0, (short)2);
- return;
+ break;
case GET_RESPONSE:
- return;
+ break;
default:
ISOException.throwIt (ISO.SW_INS_NOT_SUPPORTED);
}
diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index ce14e2e7a61..8a2e43e9173 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.52 2002/03/21 10:21:20 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.53 2002/03/21 22:44:05 rees Exp $");
#include <openssl/evp.h>
@@ -170,7 +170,13 @@ add_file(AuthenticationConnection *ac, const char *filename)
static int
update_card(AuthenticationConnection *ac, int add, const char *id)
{
- if (ssh_update_card(ac, add, id)) {
+ char *pin;
+
+ pin = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
+ if (pin == NULL)
+ return -1;
+
+ if (ssh_update_card(ac, add, id, pin)) {
fprintf(stderr, "Card %s: %s\n",
add ? "added" : "removed", id);
return 0;
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index 786f91c7b6f..5851b63619a 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c
@@ -35,7 +35,7 @@
#include "includes.h"
#include <sys/queue.h>
-RCSID("$OpenBSD: ssh-agent.c,v 1.82 2002/03/04 17:27:39 stevesk Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $");
#include <openssl/evp.h>
#include <openssl/md5.h>
@@ -445,12 +445,14 @@ process_add_smartcard_key (SocketEntry *e)
{
Idtab *tab;
Key *n = NULL, *k = NULL;
- char *sc_reader_id = NULL;
+ char *sc_reader_id = NULL, *pin;
int success = 0;
sc_reader_id = buffer_get_string(&e->input, NULL);
- k = sc_get_key(sc_reader_id);
+ pin = buffer_get_string(&e->input, NULL);
+ k = sc_get_key(sc_reader_id, pin);
xfree(sc_reader_id);
+ xfree(pin);
if (k == NULL) {
error("sc_get_pubkey failed");
@@ -496,11 +498,13 @@ process_remove_smartcard_key(SocketEntry *e)
{
Key *k = NULL;
int success = 0;
- char *sc_reader_id = NULL;
+ char *sc_reader_id = NULL, *pin;
sc_reader_id = buffer_get_string(&e->input, NULL);
- k = sc_get_key(sc_reader_id);
+ pin = buffer_get_string(&e->input, NULL);
+ k = sc_get_key(sc_reader_id, pin);
xfree(sc_reader_id);
+ xfree(pin);
if (k == NULL) {
error("sc_get_pubkey failed");
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index c35fa187d09..f5eeeb9b9b9 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -39,7 +39,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.165 2002/03/19 10:49:35 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -1173,7 +1173,7 @@ load_public_identity_files(void)
#ifdef SMARTCARD
if (options.smartcard_device != NULL &&
options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES &&
- (public = sc_get_key(options.smartcard_device)) != NULL ) {
+ (public = sc_get_key(options.smartcard_device, NULL)) != NULL ) {
Key *new;
if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES)