summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2002-04-23 22:48:46 +1000
committerDamien Miller <djm@mindrot.org>2002-04-23 22:48:46 +1000
commitf6195f2be82cae07660db8f7c3039567f37ffa74 (patch)
tree5acf61fca1ea4bc07f5aa180feb78a0724305116
parent654a4ef9699c7e396626abd23d725e8534f953c1 (diff)
- (djm) Applied OpenSC smartcard updates from Markus &
Antti Tapaninen <aet@cc.hut.fi>
-rw-r--r--README.smartcard60
-rw-r--r--configure.ac45
-rw-r--r--scard-opensc.c2
3 files changed, 52 insertions, 55 deletions
diff --git a/README.smartcard b/README.smartcard
index 3017452c..29bec8dc 100644
--- a/README.smartcard
+++ b/README.smartcard
@@ -1,31 +1,23 @@
How to use smartcards with OpenSSH?
-OpenSSH contains experimental support for authentication using
-Cyberflex smartcards and TODOS card readers, in addition to the cards with
-PKCS #15 structure supported by OpenSC.
+OpenSSH contains experimental support for authentication using Cyberflex
+smartcards and TODOS card readers, in addition to the cards with PKCS#15
+structure supported by OpenSC.
-WARNING: Smartcard support is still in development. Keyfile formats, etc
-are still subject to change.
+WARNING: Smartcard support is still in development.
+Keyfile formats, etc are still subject to change.
-To enable this you need to:
+To enable sectok support:
-(1) install sectok or OpenSC
+(1) install sectok:
- Sources are instructions are available from
+ Sources and instructions are available from
http://www.citi.umich.edu/projects/smartcard/sectok.html
- or
-
- http://www.opensc.org/
-
-(2) enable SMARTCARD support in OpenSSH:
+(2) enable sectok support in OpenSSH:
$ ./configure --with-sectok[=/path/to/libsectok] [options]
- or
-
- $ ./configure --with-opensc[=/path/to/opensc] [options]
-
(3) load the Java Cardlet to the Cyberflex card:
$ sectok
@@ -35,12 +27,11 @@ To enable this you need to:
(4) load a RSA key to the card:
- please don't use your production RSA keys, since
+ Please don't use your production RSA keys, since
with the current version of sectok/ssh-keygen
- the private key file is still readable
+ the private key file is still readable.
- $ ssh-keygen -f /path/to/rsakey -U 1
- (where 1 is the reader number, you can also try 0)
+ $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
In spite of the name, this does not generate a key.
It just loads an already existing key on to the card.
@@ -65,13 +56,30 @@ To enable this you need to:
wrong passphrase three times in a row, you will
destroy your card.
-(6) tell the ssh client to use the card reader:
+To enable OpenSC support:
+
+(1) install OpenSC:
+
+ Sources and instructions are available from
+ http://www.opensc.org/
+
+(2) enable OpenSC support in OpenSSH:
+
+ $ ./configure --with-opensc[=/path/to/opensc] [options]
+
+(3) load a RSA key to the card:
+
+ Not supported yet.
+
+Common smartcard options:
+
+(1) tell the ssh client to use the card reader:
- $ ssh -I 1 otherhost
+ $ ssh -I <readernum, eg. 0> otherhost
-(7) or tell the agent (don't forget to restart) to use the smartcard:
+(2) or tell the agent (don't forget to restart) to use the smartcard:
- $ ssh-add -s 1
+ $ ssh-add -s <readernum, eg. 0>
-markus,
-Tue Jul 17 23:54:51 CEST 2001
+Sat Apr 13 13:48:10 EEST 2002
diff --git a/configure.ac b/configure.ac
index 9c4d7f67..d6824c31 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.47 2002/04/23 10:23:00 djm Exp $
+# $Id: configure.ac,v 1.48 2002/04/23 12:48:46 djm Exp $
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
@@ -1719,33 +1719,22 @@ AC_ARG_WITH(sectok,
# Check whether user wants OpenSC support
AC_ARG_WITH(opensc,
- [ --with-opensc Enable smartcard support using OpenSC],
- [
- if test "x$withval" != "xno" ; then
- if test "x$withval" != "xyes" ; then
- CPPFLAGS="$CPPFLAGS -I${withval}"
- LDFLAGS="$LDFLAGS -L${withval}"
- if test ! -z "$need_dash_r" ; then
- LDFLAGS="$LDFLAGS -R${withval}"
- fi
- if test ! -z "$blibpath" ; then
- blibpath="$blibpath:${withval}"
- fi
- fi
- AC_CHECK_HEADERS(opensc/pkcs15.h)
- if test "$ac_cv_header_opensc_pkcs15_h" != yes; then
- AC_MSG_ERROR(Can't find opensc/pkcs15.h)
- fi
- AC_CHECK_LIB(opensc, sc_pkcs15_bind)
- if test "$ac_cv_lib_opensc_sc_pkcs15_bind" != yes; then
- AC_MSG_ERROR(Can't find libopensc)
- fi
- AC_DEFINE(SMARTCARD)
- AC_DEFINE(USE_OPENSC)
- SCARD_MSG="yes, using OpenSC"
- fi
- ]
-)
+ AC_HELP_STRING([--with-opensc=PFX],
+ [Enable smartcard support using OpenSC]),
+ opensc_config_prefix="$withval", opensc_config_prefix="")
+if test x$opensc_config_prefix != x ; then
+ OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
+ AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
+ if test "$OPENSC_CONFIG" != "no"; then
+ LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
+ LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
+ CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
+ LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+ AC_DEFINE(SMARTCARD)
+ AC_DEFINE(USE_OPENSC)
+ SCARD_MSG="yes, using OpenSC"
+ fi
+fi
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
diff --git a/scard-opensc.c b/scard-opensc.c
index 6b80d1e6..dd21de39 100644
--- a/scard-opensc.c
+++ b/scard-opensc.c
@@ -173,7 +173,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
r = sc_prkey_op_init(rsa, &key_obj);
if (r)
return -1;
- r = sc_pkcs15_decipher(p15card, key_obj, from, flen, to, flen);
+ r = sc_pkcs15_decipher(p15card, key_obj, 0, from, flen, to, flen);
sc_unlock(card);
if (r < 0) {
error("sc_pkcs15_decipher() failed: %s", sc_strerror(r));