diff options
author | Damien Miller <djm@mindrot.org> | 2002-04-23 22:48:46 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2002-04-23 22:48:46 +1000 |
commit | f6195f2be82cae07660db8f7c3039567f37ffa74 (patch) | |
tree | 5acf61fca1ea4bc07f5aa180feb78a0724305116 | |
parent | 654a4ef9699c7e396626abd23d725e8534f953c1 (diff) |
- (djm) Applied OpenSC smartcard updates from Markus &
Antti Tapaninen <aet@cc.hut.fi>
-rw-r--r-- | README.smartcard | 60 | ||||
-rw-r--r-- | configure.ac | 45 | ||||
-rw-r--r-- | scard-opensc.c | 2 |
3 files changed, 52 insertions, 55 deletions
diff --git a/README.smartcard b/README.smartcard index 3017452c..29bec8dc 100644 --- a/README.smartcard +++ b/README.smartcard @@ -1,31 +1,23 @@ How to use smartcards with OpenSSH? -OpenSSH contains experimental support for authentication using -Cyberflex smartcards and TODOS card readers, in addition to the cards with -PKCS #15 structure supported by OpenSC. +OpenSSH contains experimental support for authentication using Cyberflex +smartcards and TODOS card readers, in addition to the cards with PKCS#15 +structure supported by OpenSC. -WARNING: Smartcard support is still in development. Keyfile formats, etc -are still subject to change. +WARNING: Smartcard support is still in development. +Keyfile formats, etc are still subject to change. -To enable this you need to: +To enable sectok support: -(1) install sectok or OpenSC +(1) install sectok: - Sources are instructions are available from + Sources and instructions are available from http://www.citi.umich.edu/projects/smartcard/sectok.html - or - - http://www.opensc.org/ - -(2) enable SMARTCARD support in OpenSSH: +(2) enable sectok support in OpenSSH: $ ./configure --with-sectok[=/path/to/libsectok] [options] - or - - $ ./configure --with-opensc[=/path/to/opensc] [options] - (3) load the Java Cardlet to the Cyberflex card: $ sectok @@ -35,12 +27,11 @@ To enable this you need to: (4) load a RSA key to the card: - please don't use your production RSA keys, since + Please don't use your production RSA keys, since with the current version of sectok/ssh-keygen - the private key file is still readable + the private key file is still readable. - $ ssh-keygen -f /path/to/rsakey -U 1 - (where 1 is the reader number, you can also try 0) + $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0> In spite of the name, this does not generate a key. It just loads an already existing key on to the card. @@ -65,13 +56,30 @@ To enable this you need to: wrong passphrase three times in a row, you will destroy your card. -(6) tell the ssh client to use the card reader: +To enable OpenSC support: + +(1) install OpenSC: + + Sources and instructions are available from + http://www.opensc.org/ + +(2) enable OpenSC support in OpenSSH: + + $ ./configure --with-opensc[=/path/to/opensc] [options] + +(3) load a RSA key to the card: + + Not supported yet. + +Common smartcard options: + +(1) tell the ssh client to use the card reader: - $ ssh -I 1 otherhost + $ ssh -I <readernum, eg. 0> otherhost -(7) or tell the agent (don't forget to restart) to use the smartcard: +(2) or tell the agent (don't forget to restart) to use the smartcard: - $ ssh-add -s 1 + $ ssh-add -s <readernum, eg. 0> -markus, -Tue Jul 17 23:54:51 CEST 2001 +Sat Apr 13 13:48:10 EEST 2002 diff --git a/configure.ac b/configure.ac index 9c4d7f67..d6824c31 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.47 2002/04/23 10:23:00 djm Exp $ +# $Id: configure.ac,v 1.48 2002/04/23 12:48:46 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -1719,33 +1719,22 @@ AC_ARG_WITH(sectok, # Check whether user wants OpenSC support AC_ARG_WITH(opensc, - [ --with-opensc Enable smartcard support using OpenSC], - [ - if test "x$withval" != "xno" ; then - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}" - LDFLAGS="$LDFLAGS -L${withval}" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}" - fi - fi - AC_CHECK_HEADERS(opensc/pkcs15.h) - if test "$ac_cv_header_opensc_pkcs15_h" != yes; then - AC_MSG_ERROR(Can't find opensc/pkcs15.h) - fi - AC_CHECK_LIB(opensc, sc_pkcs15_bind) - if test "$ac_cv_lib_opensc_sc_pkcs15_bind" != yes; then - AC_MSG_ERROR(Can't find libopensc) - fi - AC_DEFINE(SMARTCARD) - AC_DEFINE(USE_OPENSC) - SCARD_MSG="yes, using OpenSC" - fi - ] -) + AC_HELP_STRING([--with-opensc=PFX], + [Enable smartcard support using OpenSC]), + opensc_config_prefix="$withval", opensc_config_prefix="") +if test x$opensc_config_prefix != x ; then + OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config + AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) + if test "$OPENSC_CONFIG" != "no"; then + LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` + LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` + CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" + LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" + AC_DEFINE(SMARTCARD) + AC_DEFINE(USE_OPENSC) + SCARD_MSG="yes, using OpenSC" + fi +fi # Check whether user wants Kerberos 5 support KRB5_MSG="no" diff --git a/scard-opensc.c b/scard-opensc.c index 6b80d1e6..dd21de39 100644 --- a/scard-opensc.c +++ b/scard-opensc.c @@ -173,7 +173,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, r = sc_prkey_op_init(rsa, &key_obj); if (r) return -1; - r = sc_pkcs15_decipher(p15card, key_obj, from, flen, to, flen); + r = sc_pkcs15_decipher(p15card, key_obj, 0, from, flen, to, flen); sc_unlock(card); if (r < 0) { error("sc_pkcs15_decipher() failed: %s", sc_strerror(r)); |