- markus@cvs.openbsd.org 2002/06/05 21:55:44
[authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
ssh-add -t life, Set lifetime (in seconds) when adding identities;
ok provos@
diff --git a/ChangeLog b/ChangeLog
index d150595..721b449 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -117,6 +117,10 @@
- markus@cvs.openbsd.org 2002/06/05 20:56:39
[ssh-add.c]
add -x/-X to usage
+ - markus@cvs.openbsd.org 2002/06/05 21:55:44
+ [authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
+ ssh-add -t life, Set lifetime (in seconds) when adding identities;
+ ok provos@
20020604
- (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
@@ -801,4 +805,4 @@
- (stevesk) entropy.c: typo in debug message
- (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2175 2002/06/06 21:53:11 mouring Exp $
+$Id: ChangeLog,v 1.2176 2002/06/06 21:54:57 mouring Exp $
diff --git a/authfd.c b/authfd.c
index c9c22d4..0f84e32 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.50 2002/06/05 19:57:12 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.51 2002/06/05 21:55:44 markus Exp $");
#include <openssl/evp.h>
@@ -552,6 +552,41 @@
}
int
+ssh_lifetime_identity(AuthenticationConnection *auth, Key *key, u_int life)
+{
+ Buffer msg;
+ int type;
+ u_char *blob;
+ u_int blen;
+
+ buffer_init(&msg);
+
+ if (key->type == KEY_RSA1) {
+ buffer_put_char(&msg, SSH_AGENTC_LIFETIME_IDENTITY1);
+ buffer_put_int(&msg, life);
+ buffer_put_int(&msg, BN_num_bits(key->rsa->n));
+ buffer_put_bignum(&msg, key->rsa->e);
+ buffer_put_bignum(&msg, key->rsa->n);
+ } else if (key->type == KEY_DSA || key->type == KEY_RSA) {
+ key_to_blob(key, &blob, &blen);
+ buffer_put_char(&msg, SSH_AGENTC_LIFETIME_IDENTITY);
+ buffer_put_int(&msg, life);
+ buffer_put_string(&msg, blob, blen);
+ xfree(blob);
+ } else {
+ buffer_free(&msg);
+ return 0;
+ }
+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
+ buffer_free(&msg);
+ return 0;
+ }
+ type = buffer_get_char(&msg);
+ buffer_free(&msg);
+ return decode_reply(type);
+}
+
+int
ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)
{
Buffer msg;
diff --git a/authfd.h b/authfd.h
index b075cfa..263e4b9 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.25 2002/06/05 19:57:12 markus Exp $ */
+/* $OpenBSD: authfd.h,v 1.26 2002/06/05 21:55:44 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,6 +46,10 @@
#define SSH_AGENTC_LOCK 22
#define SSH_AGENTC_UNLOCK 23
+/* set key lifetime */
+#define SSH_AGENTC_LIFETIME_IDENTITY1 24
+#define SSH_AGENTC_LIFETIME_IDENTITY 25
+
/* extended failure messages */
#define SSH2_AGENT_FAILURE 30
@@ -69,6 +73,7 @@
Key *ssh_get_first_identity(AuthenticationConnection *, char **, int);
Key *ssh_get_next_identity(AuthenticationConnection *, char **, int);
int ssh_add_identity(AuthenticationConnection *, Key *, const char *);
+int ssh_lifetime_identity(AuthenticationConnection *, Key *, u_int);
int ssh_remove_identity(AuthenticationConnection *, Key *);
int ssh_remove_all_identities(AuthenticationConnection *, int);
int ssh_lock_agent(AuthenticationConnection *, int, const char *);
diff --git a/ssh-add.1 b/ssh-add.1
index 3f46277..350d103 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-add.1,v 1.32 2002/06/05 19:57:12 markus Exp $
+.\" $OpenBSD: ssh-add.1,v 1.33 2002/06/05 21:55:44 markus Exp $
.\"
.\" -*- nroff -*-
.\"
@@ -46,6 +46,7 @@
.Sh SYNOPSIS
.Nm ssh-add
.Op Fl lLdDxX
+.Op Fl t Ar life
.Op Ar
.Nm ssh-add
.Fl s Ar reader
@@ -87,6 +88,9 @@
Lock the agent with a password.
.It Fl X
Unlock the agent.
+.It Fl t Ar life
+Set a maximum lifetime when adding identities to an agent.
+The lifetime is specified in seconds.
.It Fl s Ar reader
Add key in smartcard
.Ar reader .
diff --git a/ssh-add.c b/ssh-add.c
index 315d940..e4aa8a5 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.55 2002/06/05 20:56:39 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.56 2002/06/05 21:55:44 markus Exp $");
#include <openssl/evp.h>
@@ -66,6 +66,8 @@
NULL
};
+/* Default lifetime (0 == forever) */
+static u_int lifetime = 0;
/* we keep a cache of one passphrases */
static char *pass = NULL;
@@ -167,6 +169,18 @@
} else
fprintf(stderr, "Could not add identity: %s\n", filename);
+ if (ret == 0 && lifetime != 0) {
+ if (ssh_lifetime_identity(ac, private, lifetime)) {
+ fprintf(stderr,
+ "Lifetime set to %d seconds for: %s (%s)\n",
+ lifetime, filename, comment);
+ } else {
+ fprintf(stderr,
+ "Could not set lifetime for identity: %s\n",
+ filename);
+ }
+ }
+
xfree(comment);
key_free(private);
@@ -280,6 +294,7 @@
fprintf(stderr, " -D Delete all identities.\n");
fprintf(stderr, " -x Lock agent.\n");
fprintf(stderr, " -x Unlock agent.\n");
+ fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
#ifdef SMARTCARD
fprintf(stderr, " -s reader Add key in smartcard reader.\n");
fprintf(stderr, " -e reader Remove key in smartcard reader.\n");
@@ -307,7 +322,7 @@
fprintf(stderr, "Could not open a connection to your authentication agent.\n");
exit(2);
}
- while ((ch = getopt(argc, argv, "lLdDxXe:s:")) != -1) {
+ while ((ch = getopt(argc, argv, "lLdDxXe:s:t:")) != -1) {
switch (ch) {
case 'l':
case 'L':
@@ -336,6 +351,9 @@
deleting = 1;
sc_reader_id = optarg;
break;
+ case 't':
+ lifetime = atoi(optarg);
+ break;
default:
usage();
ret = 1;
diff --git a/ssh-agent.c b/ssh-agent.c
index d9567af..56db292 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
#include "includes.h"
#include "openbsd-compat/fake-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.88 2002/06/05 19:57:12 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.89 2002/06/05 21:55:44 markus Exp $");
#include <openssl/evp.h>
#include <openssl/md5.h>
@@ -76,6 +76,7 @@
TAILQ_ENTRY(identity) next;
Key *key;
char *comment;
+ u_int death;
} Identity;
typedef struct {
@@ -124,6 +125,14 @@
return &idtable[version];
}
+static void
+free_identity(Identity *id)
+{
+ key_free(id->key);
+ xfree(id->comment);
+ xfree(id);
+}
+
/* return matching private key for given public key */
static Identity *
lookup_identity(Key *key, int version)
@@ -138,14 +147,6 @@
return (NULL);
}
-static void
-free_identity(Identity *id)
-{
- key_free(id->key);
- xfree(id->comment);
- xfree(id);
-}
-
/* send list of supported public keys to 'client' */
static void
process_request_identities(SocketEntry *e, int version)
@@ -368,6 +369,27 @@
}
static void
+reaper(void)
+{
+ Idtab *tab;
+ Identity *id, *nxt;
+ int version;
+ u_int now = time(NULL);
+
+ for (version = 1; version < 3; version++) {
+ tab = idtab_lookup(version);
+ for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
+ nxt = TAILQ_NEXT(id, next);
+ if (id->death != 0 && now >= id->death) {
+ TAILQ_REMOVE(&tab->idlist, id, next);
+ free_identity(id);
+ tab->nentries--;
+ }
+ }
+ }
+}
+
+static void
process_add_identity(SocketEntry *e, int version)
{
Key *k = NULL;
@@ -433,6 +455,7 @@
Identity *id = xmalloc(sizeof(Identity));
id->key = k;
id->comment = comment;
+ id->death = 0;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
/* Increment the number of identities. */
tab->nentries++;
@@ -446,6 +469,43 @@
success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}
+static void
+process_lifetime_identity(SocketEntry *e, int version)
+{
+ Key *key = NULL;
+ u_char *blob;
+ u_int blen, bits, death;
+ int success = 0;
+
+ death = time(NULL) + buffer_get_int(&e->request);
+
+ switch (version) {
+ case 1:
+ key = key_new(KEY_RSA1);
+ bits = buffer_get_int(&e->request);
+ buffer_get_bignum(&e->request, key->rsa->e);
+ buffer_get_bignum(&e->request, key->rsa->n);
+
+ break;
+ case 2:
+ blob = buffer_get_string(&e->request, &blen);
+ key = key_from_blob(blob, blen);
+ xfree(blob);
+ break;
+ }
+ if (key != NULL) {
+ Identity *id = lookup_identity(key, version);
+ if (id != NULL && id->death == 0) {
+ id->death = death;
+ success = 1;
+ }
+ key_free(key);
+ }
+ buffer_put_int(&e->output, 1);
+ buffer_put_char(&e->output,
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
/* XXX todo: encrypt sensitive data with passphrase */
static void
process_lock_agent(SocketEntry *e, int lock)
@@ -517,6 +577,7 @@
id = xmalloc(sizeof(Identity));
id->key = k;
id->comment = xstrdup("smartcard key");
+ id->death = 0;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
tab->nentries++;
success = 1;
@@ -580,6 +641,10 @@
u_int msg_len;
u_int type;
u_char *cp;
+
+ /* kill dead keys */
+ reaper();
+
if (buffer_len(&e->input) < 5)
return; /* Incomplete message. */
cp = buffer_ptr(&e->input);
@@ -642,6 +707,9 @@
case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
process_remove_all_identities(e, 1);
break;
+ case SSH_AGENTC_LIFETIME_IDENTITY1:
+ process_lifetime_identity(e, 1);
+ break;
/* ssh2 */
case SSH2_AGENTC_SIGN_REQUEST:
process_sign_request2(e);
@@ -658,6 +726,9 @@
case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
process_remove_all_identities(e, 2);
break;
+ case SSH_AGENTC_LIFETIME_IDENTITY:
+ process_lifetime_identity(e, 2);
+ break;
#ifdef SMARTCARD
case SSH_AGENTC_ADD_SMARTCARD_KEY:
process_add_smartcard_key(e);