Keychain Patch Try II
Will M. Farr
farr at MIT.EDU
Tue Jan 6 13:30:37 EST 2004
Sorry; here's the message I sent with the Keychain Patch yesterday. I
didn't realize that the list wouldn't extract the text parts of the
message. Enjoy.
Hey all,
Here's the patch to let SSH store passwords in the Mac OS X Keychain.
I don't know whether you guys want to include it or not with the
distribution; some people have said that since Keychain is not an open
source product, it's not proper to put it in, while others think it's
OK. I'll leave it up to you; it's served its purpose to me.
The patch is against the 3.7p1 release because that's the code I was
using. If it doesn't incorporate well into whatever you are working
on now, let me know, and I'll try to get something from your CVS
repositories and diff against that. (I don't think, however, that the
readpassphrase portion of the code is changing much these days.)
There is one major test which I have been unable to perform: I haven't
checked to see what happens if you don't have access to a GUI for the
"unlock keychain prompt" which OS X throws up (i.e. you are logging in
to an OS X server, and ssh-ing from there). If someone could try that
and tell me what the patch does, I'd be really grateful. Thanks!
Will
-----------------------------------------------------------
diff -u my_openssh-3.7p1/configure.ac openssh-3.7p1/configure.ac
--- my_openssh-3.7p1/configure.ac Thu Dec 18 09:46:05 2003
+++ openssh-3.7p1/configure.ac Mon Sep 15 22:48:15 2003
@@ -131,26 +131,7 @@
}], [AC_MSG_RESULT(working)],
[AC_MSG_RESULT(buggy)
AC_DEFINE(BROKEN_GETADDRINFO)],
- [AC_MSG_RESULT(assume it is working)])
-# Check for the Security framework headers that we'll need;
-# if present, then define USE_KEYCHAIN
- AC_ARG_WITH([[keychain]],[AC_HELP_STRING([[--without-keychain]],[do
not store passwords in Mac OS X Keychain])],
- [],
- [AC_MSG_CHECKING([[for Keychain Services]])
- OLD_LIBS="$LIBS"
- LIBS="$LIBS -framework Security"
- AC_LINK_IFELSE([[#include <Security/Security.h>
- int main()
- {
- UInt32 version;
- SecKeychainGetVersion(&version);
- return 0;
- }]],
- [AC_DEFINE([USE_KEYCHAIN],[],
- [Store user passwords in the Mac OS X Keychain])
- AC_MSG_RESULT([[yes]])],
- [LIBS="$OLD_LIBS"
- AC_MSG_RESULT([[no]])])])
+ [AC_MSG_RESULT(assume it is working)])
;;
*-*-hpux10.26)
if test -z "$GCC"; then
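Review bot: The file headers put the keychain tree on the `---` side and pristine 3.7p1 on the `+++` side, so as written this patch removes nothing from a stock checkout and will not apply with `patch -p1`; it should be regenerated as `diff -u openssh-3.7p1 my_openssh-3.7p1` (the readpass.c and readpass.h hunks are inverted the same way, so I read the `-` lines below as the proposed addition). On the success branch of the AC_LINK_IFELSE check, `-framework Security` stays in LIBS for every program in the build, sshd and the key tools included, although only readpass.c uses the framework; keeping the flag in its own variable and adding it to the client link line only would narrow the footprint. The enclosing case arm begins before this hunk, so I cannot see whether the check is already limited to a Darwin target.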
diff -u my_openssh-3.7p1/readpass.c openssh-3.7p1/readpass.c
--- my_openssh-3.7p1/readpass.c Fri Dec 19 09:46:44 2003
+++ openssh-3.7p1/readpass.c Thu Jan 23 16:36:23 2003
@@ -99,7 +99,7 @@
char *
read_passphrase(const char *prompt, int flags)
{
- char *askpass = NULL, *ret, buf[1024], response;
+ char *askpass = NULL, *ret, buf[1024];
int rppflags, use_askpass = 0, ttyfd;
rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
@@ -126,60 +126,13 @@
return ret;
}
- /* Before reading the passphrase from the user, find it in the
- keychain. */
-#ifdef USE_KEYCHAIN
- if (get_passphrase_from_keychain(prompt, buf, sizeof buf) ==
0) {
- /* We got the password; do nothing now that it's in buf */
- } else {
-#endif /* USE_KEYCHAIN */
- if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
- if (flags & RP_ALLOW_EOF)
- return NULL;
- return xstrdup("");
- }
-#ifdef USE_KEYCHAIN
-
- fprintf(stderr, "Would you like to store this password in your
keychain (y/n)?\n");
- response = fgetc(stdin);
- if (response == 'y' || response == 'Y') {
- store_passphrase_on_keychain(prompt, buf);
- }
+ if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
+ if (flags & RP_ALLOW_EOF)
+ return NULL;
+ return xstrdup("");
}
-#endif /* USE_KEYCHAIN */
ret = xstrdup(buf);
memset(buf, 'x', sizeof buf);
return ret;
}
-
-#ifdef USE_KEYCHAIN
-
-int get_passphrase_from_keychain(const char *prompt, char buf[],
size_t size)
-{
- void *password_data;
- UInt32 password_length;
-
- if (SecKeychainFindGenericPassword(NULL, strlen(prompt), prompt,
strlen(prompt), prompt, &password_length, &password_data, NULL) ==
noErr) {
- /* Then we got the password from the Keychain */
- fprintf(stderr, "%s found in Keychain.", prompt);
- strncpy(buf, (char *)password_data, (size < password_length+1 ?
size : password_length + 1));
- memset(password_data, 'x', password_length);
- SecKeychainItemFreeContent(NULL, password_data);
- return 0; /* Success */
- } else {
- return -1; /* Couldn't get anything from the keychain */
- }
-}
-
-int store_passphrase_on_keychain(const char *prompt, const char buf[])
-{
- if (SecKeychainAddGenericPassword(NULL, strlen(prompt), prompt,
strlen(prompt), prompt, strlen(buf), (void *)buf, NULL) == noErr) {
- return 0;
- } else {
- return -1;
- }
-}
-
-
-#endif /* USE_KEYCHAIN */
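Review bot: In get_passphrase_from_keychain the copy `strncpy(buf, (char *)password_data, (size < password_length+1 ? size : password_length + 1))` assumes the item data carries a trailing NUL, which SecKeychainFindGenericPassword does not guarantee, so it reads one byte past the returned data and, when the item is at least `size` bytes, leaves `buf` unterminated for the `xstrdup(buf)` that follows; copy `size_t n = password_length < size ? password_length : size - 1; memcpy(buf, password_data, n); buf[n] = '\0';` instead. The lookup and the offer to store run for every prompt that reaches read_passphrase, not only hidden ones, so if read_passphrase is also used for echoed confirmation prompts elsewhere in OpenSSH (as I believe the host-key confirm() is), an answer such as "yes" could be stored under that prompt and replayed; guarding both keychain calls with `!(flags & RP_ECHO)` keeps them to passwords and passphrases. The entry is written before the server has accepted the password, so a mistyped one is persisted and then silently reused on later runs, and store_passphrase_on_keychain folds the duplicate-item status into the same -1 as any other failure, so a changed password can never replace the stored one; deferring the store until after authentication succeeds, or at minimum reporting the add failure to the user, would avoid silently-wrong entries. Both helpers also need prototypes before read_passphrase, which this file gets only through readpass.h.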
diff -u my_openssh-3.7p1/readpass.h openssh-3.7p1/readpass.h
--- my_openssh-3.7p1/readpass.h Thu Dec 18 11:28:29 2003
+++ openssh-3.7p1/readpass.h Wed Mar 27 09:28:47 2002
@@ -17,18 +17,3 @@
#define RP_ALLOW_EOF 0x0004
char *read_passphrase(const char *, int);
-
-/* These functions use the keychain in Mac OS X to retrieve and store
- passwords. */
-#ifdef USE_KEYCHAIN
-
-#include<Security/Security.h>
-#include<stdio.h>
-
-/* Both return 0 on success */
-int get_passphrase_from_keychain(const char *prompt, char buf[],
size_t size);
-int store_passphrase_on_keychain(const char *prompt, const char buf[]);
-
-
-/* ifdef USE_KEYCHAIN */
-#endif
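Review bot: With USE_KEYCHAIN set, the header pulls `<Security/Security.h>` and `<stdio.h>` into every translation unit that includes readpass.h, although only readpass.c calls the framework; the two prototypes need nothing beyond `size_t`, so dropping both includes here and moving `#include <Security/Security.h>` into readpass.c would keep the dependency local to the one file that uses it. The closing comment `/* ifdef USE_KEYCHAIN */` sits on the line before the directive; the conventional form is `#endif /* USE_KEYCHAIN */` on a single line, matching the style used in the readpass.c hunk.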