Keychain Patch Try II

Ben Lindstrom mouring at etoh.eviladmin.org
Thu Jan 8 19:06:13 EST 2004


Out of interest, are you really after something like:

http://www.dreamflow.nl/projects/sshkeychain/

???

I've not tried it yet (heck, only had my Powerbook for one evening),
but it sounds like what you want and it does it by hooking into
the ssh-agent/ssh-add/etc features of OpenSSH.

- Ben

On Mon, 5 Jan 2004, Will M. Farr wrote:

> Sorry; here's the message I sent with the Keychain Patch yesterday.  I
> didn't realize that the list wouldn't extract the text parts of the
> message.  Enjoy.
>
>
>
> Hey all,
>
> Here's the patch to let SSH store passwords in the Mac OS X Keychain.
> I don't know whether you guys want to include it or not with the
> distribution; some people have said that since Keychain is not an open
> source product, it's not proper to put it in, while others think it's
> OK.  I'll leave it up to you; it's served its purpose to me.
>
> The patch is against the 3.7p1 release because that's the code I was
> using.  If it doesn't incorporate well into whatever you are working
> on now, let me know, and I'll try to get something from your CVS
> repositories and diff against that.  (I don't think, however, that the
> readpassphrase portion of the code is changing much these days.)
>
> There is one major test which I have been unable to perform: I haven't
> checked to see what happens if you don't have access to a GUI for the
> "unlock keychain prompt" which OS X throws up (i.e. you are logging in
> to an OS X server, and ssh-ing from there).  If someone could try that
> and tell me what the patch does, I'd be really grateful.  Thanks!
>
> Will
>
>
> -----------------------------------------------------------
>
> diff -u my_openssh-3.7p1/configure.ac openssh-3.7p1/configure.ac
> --- my_openssh-3.7p1/configure.ac	Thu Dec 18 09:46:05 2003
> +++ openssh-3.7p1/configure.ac	Mon Sep 15 22:48:15 2003
> @@ -131,26 +131,7 @@
>   }], [AC_MSG_RESULT(working)],
>   	[AC_MSG_RESULT(buggy)
>   	AC_DEFINE(BROKEN_GETADDRINFO)],
> -	[AC_MSG_RESULT(assume it is working)])
> -# Check for the Security framework headers that we'll need;
> -# if present, then define USE_KEYCHAIN
> -	AC_ARG_WITH([[keychain]],[AC_HELP_STRING([[--without-keychain]],[do
> not store passwords in Mac OS X Keychain])],
> -	[],
> -	[AC_MSG_CHECKING([[for Keychain Services]])
> -	OLD_LIBS="$LIBS"
> -	LIBS="$LIBS -framework Security"
> -	AC_LINK_IFELSE([[#include <Security/Security.h>
> -	int main()
> -	{
> -		UInt32 version;
> -		SecKeychainGetVersion(&version);
> -		return 0;
> -	}]],
> -	[AC_DEFINE([USE_KEYCHAIN],[],
> -	[Store user passwords in the Mac OS X Keychain])
> -	AC_MSG_RESULT([[yes]])],
> -	[LIBS="$OLD_LIBS"
> -	AC_MSG_RESULT([[no]])])])
> +	[AC_MSG_RESULT(assume it is working)])
>   	;;
>   *-*-hpux10.26)
>   	if test -z "$GCC"; then
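Review bot: The `AC_ARG_WITH([[keychain]], ...)` call on the `-` side puts the Security-framework probe in the action-if-not-given branch and passes an empty action-if-given, so an explicit `--with-keychain` skips the probe exactly like `--without-keychain` does and USE_KEYCHAIN is never defined. Note that the `---`/`+++` headers put the modified tree (`my_openssh-3.7p1`, with the later timestamps) on the old side, so the keychain code appears as removed lines and `patch` would strip it rather than add it; the `diff -u` arguments look reversed. I would record the option and gate the probe on it: `AC_ARG_WITH([keychain], [...], [], [with_keychain=yes])` followed by `if test "x$with_keychain" != "xno"; then … fi` around the existing AC_MSG_CHECKING/AC_LINK_IFELSE. The doubled `[[...]]` quoting on the option name and help string is also unusual for autoconf and worth checking against the generated `configure --help`.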
> diff -u my_openssh-3.7p1/readpass.c openssh-3.7p1/readpass.c
> --- my_openssh-3.7p1/readpass.c	Fri Dec 19 09:46:44 2003
> +++ openssh-3.7p1/readpass.c	Thu Jan 23 16:36:23 2003
> @@ -99,7 +99,7 @@
>   char *
>   read_passphrase(const char *prompt, int flags)
>   {
> -	char *askpass = NULL, *ret, buf[1024], response;
> +	char *askpass = NULL, *ret, buf[1024];
>   	int rppflags, use_askpass = 0, ttyfd;
>
>   	rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
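Review bot: `response` is declared `char` on the `-` side (the proposed code, given the reversed diff), but its only use is to hold the result of `fgetc(stdin)` in the next hunk of this file, which returns `int` so that EOF is distinguishable from a byte; declare it `int response;`. `read_passphrase` continues past the end of this hunk.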
> @@ -126,60 +126,13 @@
>   		return ret;
>   	}
>
> -	/* Before reading the passphrase from the user, find it in the
> -	   keychain. */
> -#ifdef USE_KEYCHAIN
> -        if (get_passphrase_from_keychain(prompt, buf, sizeof buf) ==
> 0) {
> -	  /* We got the password; do nothing now that it's in buf */
> -	} else {
> -#endif /* USE_KEYCHAIN */
> -	  if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
> -	    if (flags & RP_ALLOW_EOF)
> -	      return NULL;
> -	    return xstrdup("");
> -	  }
> -#ifdef USE_KEYCHAIN
> -
> -	  fprintf(stderr, "Would you like to store this password in your
> keychain (y/n)?\n");
> -	  response = fgetc(stdin);
> -	  if (response == 'y' || response == 'Y') {
> -	    store_passphrase_on_keychain(prompt, buf);
> -	  }
> +	if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
> +		if (flags & RP_ALLOW_EOF)
> +			return NULL;
> +		return xstrdup("");
>   	}
> -#endif /* USE_KEYCHAIN */
>
>   	ret = xstrdup(buf);
>   	memset(buf, 'x', sizeof buf);
>   	return ret;
>   }
> -
> -#ifdef USE_KEYCHAIN
> -
> -int get_passphrase_from_keychain(const char *prompt, char buf[],
> size_t size)
> -{
> -  void *password_data;
> -  UInt32 password_length;
> -
> -  if (SecKeychainFindGenericPassword(NULL, strlen(prompt), prompt,
> strlen(prompt), prompt, &password_length, &password_data, NULL) ==
> noErr) {
> -    /* Then we got the password from the Keychain */
> -    fprintf(stderr, "%s found in Keychain.", prompt);
> -    strncpy(buf, (char *)password_data, (size < password_length+1 ?
> size : password_length + 1));
> -    memset(password_data, 'x', password_length);
> -    SecKeychainItemFreeContent(NULL, password_data);
> -    return 0; /* Success */
> -  } else {
> -    return -1; /* Couldn't get anything from the keychain */
> -  }
> -}
> -
> -int store_passphrase_on_keychain(const char *prompt, const char buf[])
> -{
> -  if (SecKeychainAddGenericPassword(NULL, strlen(prompt), prompt,
> strlen(prompt), prompt, strlen(buf), (void *)buf, NULL) == noErr) {
> -    return 0;
> -  } else {
> -    return -1;
> -  }
> -}
> -
> -
> -#endif /* USE_KEYCHAIN */
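Review bot: `get_passphrase_from_keychain` (on the `-` side; the diff arguments appear reversed, so these are the proposed lines) copies the secret with `strncpy(buf, password_data, min(size, password_length+1))`, but `SecKeychainFindGenericPassword` hands back `password_length` bytes with no terminator, so strncpy reads one byte past the returned buffer whenever the secret contains no NUL, and when `password_length >= size` it leaves `buf` unterminated and the caller's `xstrdup(buf)` over-reads; use a bounded copy with an explicit terminator: `size_t n = password_length < size ? password_length : size - 1;` `memcpy(buf, password_data, n);` `buf[n] = '\0';`. The lookup and the store are keyed on the prompt text alone and run for every `read_passphrase` call regardless of `flags`, so they also apply to echoed (RP_ECHO) prompts and to any prompt string that was not composed locally; if prompts supplied by the remote side (e.g. keyboard-interactive) reach this function, a server could present a string equal to a stored item's name and be handed that secret in the reply. I would skip the keychain entirely when `flags & RP_ECHO` is set and add an explicit opt-in flag (say `RP_KEYCHAIN`) that only the callers prompting for local key passphrases pass, rather than trusting the prompt text as the lookup key. The `fgetc(stdin)` confirmation also reads from a different stream than `readpassphrase` (which typically uses the controlling tty), so with stdin redirected it consumes the program's input or returns EOF. `read_passphrase` begins outside this hunk.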
> diff -u my_openssh-3.7p1/readpass.h openssh-3.7p1/readpass.h
> --- my_openssh-3.7p1/readpass.h	Thu Dec 18 11:28:29 2003
> +++ openssh-3.7p1/readpass.h	Wed Mar 27 09:28:47 2002
> @@ -17,18 +17,3 @@
>   #define RP_ALLOW_EOF		0x0004
>
>   char	*read_passphrase(const char *, int);
> -
> -/* These functions use the keychain in Mac OS X to retrieve and store
> -   passwords. */
> -#ifdef USE_KEYCHAIN
> -
> -#include<Security/Security.h>
> -#include<stdio.h>
> -
> -/* Both return 0 on success */
> -int get_passphrase_from_keychain(const char *prompt, char buf[],
> size_t size);
> -int store_passphrase_on_keychain(const char *prompt, const char buf[]);
> -
> -
> -/* ifdef USE_KEYCHAIN */
> -#endif
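Review bot: The `-` side (the proposed code, given the reversed diff) pulls `<Security/Security.h>` and `<stdio.h>` into the public `readpass.h` for every translation unit that includes it when USE_KEYCHAIN is set, although `get_passphrase_from_keychain` and `store_passphrase_on_keychain` are only called from `readpass.c` in this patch. Make both helpers `static` in `readpass.c`, move the includes there, and drop them from the header so the framework dependency stays local. If they must stay exported, the prototypes should document the contract, e.g. `/* Copies at most size-1 bytes into buf and NUL-terminates it; returns 0 on success, -1 if no item matched. */`.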
>
>



