Keychain Patch Try II
Ben Lindstrom
mouring at etoh.eviladmin.org
Thu Jan 8 19:06:13 EST 2004
Out of interest, are you really wanting something like:
http://www.dreamflow.nl/projects/sshkeychain/
???
I've not tried it yet (heck, only had my Powerbook for one evening),
but it sounds like what you want and it does it by hooking into
the ssh-agent/ssh-add/etc features of OpenSSH.
- Ben
On Mon, 5 Jan 2004, Will M. Farr wrote:
> Sorry; here's the message I sent with the Keychain Patch yesterday. I
> didn't realize that the list wouldn't extract the text parts of the
> message. Enjoy.
>
>
>
> Hey all,
>
> Here's the patch to let SSH store passwords in the Mac OS X Keychain.
> I don't know whether you guys want to include it or not with the
> distribution; some people have said that since Keychain is not an open
> source product, it's not proper to put it in, while others think it's
> OK. I'll leave it up to you; it's served its purpose to me.
>
> The patch is against the 3.7p1 release because that's the code I was
> using. If it doesn't incorporate well into whatever you are working
> on now, let me know, and I'll try to get something from your CVS
> repositories and diff against that. (I don't think, however, that the
> readpassphrase portion of the code is changing much these days.)
>
> There is one major test which I have been unable to perform: I haven't
> checked to see what happens if you don't have access to a GUI for the
> "unlock keychain prompt" which OS X throws up (i.e. you are logging in
> to an OS X server, and ssh-ing from there). If someone could try that
> and tell me what the patch does, I'd be really grateful. Thanks!
>
> Will
>
>
> -----------------------------------------------------------
>
> diff -u my_openssh-3.7p1/configure.ac openssh-3.7p1/configure.ac
> --- my_openssh-3.7p1/configure.ac Thu Dec 18 09:46:05 2003
> +++ openssh-3.7p1/configure.ac Mon Sep 15 22:48:15 2003
> @@ -131,26 +131,7 @@
> }], [AC_MSG_RESULT(working)],
> [AC_MSG_RESULT(buggy)
> AC_DEFINE(BROKEN_GETADDRINFO)],
> - [AC_MSG_RESULT(assume it is working)])
> -# Check for the Security framework headers that we'll need;
> -# if present, then define USE_KEYCHAIN
> - AC_ARG_WITH([[keychain]],[AC_HELP_STRING([[--without-keychain]],[do
> not store passwords in Mac OS X Keychain])],
> - [],
> - [AC_MSG_CHECKING([[for Keychain Services]])
> - OLD_LIBS="$LIBS"
> - LIBS="$LIBS -framework Security"
> - AC_LINK_IFELSE([[#include <Security/Security.h>
> - int main()
> - {
> - UInt32 version;
> - SecKeychainGetVersion(&version);
> - return 0;
> - }]],
> - [AC_DEFINE([USE_KEYCHAIN],[],
> - [Store user passwords in the Mac OS X Keychain])
> - AC_MSG_RESULT([[yes]])],
> - [LIBS="$OLD_LIBS"
> - AC_MSG_RESULT([[no]])])])
> + [AC_MSG_RESULT(assume it is working)])
> ;;
> *-*-hpux10.26)
> if test -z "$GCC"; then
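Review bot: the diff direction is reversed for every file in this patch: `diff -u my_openssh-3.7p1/configure.ac openssh-3.7p1/configure.ac` names the modified tree first, so the keychain additions show up as `-` lines and the stock 3.7p1 code as `+` lines, and `patch -p1` on a clean tree will not apply it; regenerate with the pristine tree as the first argument (or apply with `patch -R`). Within the AC_ARG_WITH block itself, the action-if-given argument is empty (`[],`), so the Keychain Services probe only runs when neither `--with-keychain` nor `--without-keychain` is passed, and an explicit `--with-keychain` silently leaves USE_KEYCHAIN undefined; test `$with_keychain` instead. `LIBS="$LIBS -framework Security"` is also left in place on success, so every binary the script links picks up the framework although only readpass.c calls into it; a separate variable (KEYCHAIN_LIBS, say) added only where read_passphrase is linked would be tidier, and wrapping the probe in AC_LANG_PROGRAM would avoid the raw `[[#include ...]]` quoting.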
> diff -u my_openssh-3.7p1/readpass.c openssh-3.7p1/readpass.c
> --- my_openssh-3.7p1/readpass.c Fri Dec 19 09:46:44 2003
> +++ openssh-3.7p1/readpass.c Thu Jan 23 16:36:23 2003
> @@ -99,7 +99,7 @@
> char *
> read_passphrase(const char *prompt, int flags)
> {
> - char *askpass = NULL, *ret, buf[1024], response;
> + char *askpass = NULL, *ret, buf[1024];
> int rppflags, use_askpass = 0, ttyfd;
>
> rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
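Review bot: `response` is declared as `char` but in the next hunk it receives the result of `fgetc(stdin)`, which returns an `int` so that EOF can be distinguished from a data byte; truncated to `char`, EOF becomes an ordinary value that is then compared against 'y'. Make it an `int`, and since only the USE_KEYCHAIN block uses it, declare it locally there rather than in `read_passphrase`'s top-level declarations where it is unused on other platforms.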
> @@ -126,60 +126,13 @@
> return ret;
> }
>
> - /* Before reading the passphrase from the user, find it in the
> - keychain. */
> -#ifdef USE_KEYCHAIN
> - if (get_passphrase_from_keychain(prompt, buf, sizeof buf) ==
> 0) {
> - /* We got the password; do nothing now that it's in buf */
> - } else {
> -#endif /* USE_KEYCHAIN */
> - if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
> - if (flags & RP_ALLOW_EOF)
> - return NULL;
> - return xstrdup("");
> - }
> -#ifdef USE_KEYCHAIN
> -
> - fprintf(stderr, "Would you like to store this password in your
> keychain (y/n)?\n");
> - response = fgetc(stdin);
> - if (response == 'y' || response == 'Y') {
> - store_passphrase_on_keychain(prompt, buf);
> - }
> + if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
> + if (flags & RP_ALLOW_EOF)
> + return NULL;
> + return xstrdup("");
> }
> -#endif /* USE_KEYCHAIN */
>
> ret = xstrdup(buf);
> memset(buf, 'x', sizeof buf);
> return ret;
> }
> -
> -#ifdef USE_KEYCHAIN
> -
> -int get_passphrase_from_keychain(const char *prompt, char buf[],
> size_t size)
> -{
> - void *password_data;
> - UInt32 password_length;
> -
> - if (SecKeychainFindGenericPassword(NULL, strlen(prompt), prompt,
> strlen(prompt), prompt, &password_length, &password_data, NULL) ==
> noErr) {
> - /* Then we got the password from the Keychain */
> - fprintf(stderr, "%s found in Keychain.", prompt);
> - strncpy(buf, (char *)password_data, (size < password_length+1 ?
> size : password_length + 1));
> - memset(password_data, 'x', password_length);
> - SecKeychainItemFreeContent(NULL, password_data);
> - return 0; /* Success */
> - } else {
> - return -1; /* Couldn't get anything from the keychain */
> - }
> -}
> -
> -int store_passphrase_on_keychain(const char *prompt, const char buf[])
> -{
> - if (SecKeychainAddGenericPassword(NULL, strlen(prompt), prompt,
> strlen(prompt), prompt, strlen(buf), (void *)buf, NULL) == noErr) {
> - return 0;
> - } else {
> - return -1;
> - }
> -}
> -
> -
> -#endif /* USE_KEYCHAIN */
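Review bot: the copy in get_passphrase_from_keychain both over-reads and can leave `buf` unterminated: store_passphrase_on_keychain writes `strlen(buf)` bytes with no terminator, yet `strncpy(buf, (char *)password_data, ... password_length + 1)` reads one byte beyond the `password_length` bytes SecKeychainFindGenericPassword handed back, and when `password_length >= size` the `size`-byte copy leaves `buf` without a NUL before `xstrdup(buf)` runs. Copy `n = password_length < size ? password_length : size - 1` bytes with memcpy and set `buf[n] = '\0'`. Three more points in this hunk: the "store this password" question reads a single byte from stdin with `fgetc`, and nothing checks that stdin is a terminal, so with redirected or piped input the answer is taken from the user's data stream (consuming one byte of it) and the newline after a 'y' is left for the next reader; the passphrase is stored before it has been checked against the key or server, so a mistyped secret is saved and then silently presented on every later run with no way in ssh to remove it; and the return value of store_passphrase_on_keychain is ignored, so a duplicate-item or other failure from SecKeychainAddGenericPassword is never reported and a changed password never replaces the stored one. Minor: `fprintf(stderr, "%s found in Keychain.", prompt)` lacks a trailing newline, and the `}` that closes `} else {` is separated from it by the `#ifdef`/`#endif` pair, which reads awkwardly; a helper that tries the keychain and falls back to readpassphrase() would be clearer.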
> diff -u my_openssh-3.7p1/readpass.h openssh-3.7p1/readpass.h
> --- my_openssh-3.7p1/readpass.h Thu Dec 18 11:28:29 2003
> +++ openssh-3.7p1/readpass.h Wed Mar 27 09:28:47 2002
> @@ -17,18 +17,3 @@
> #define RP_ALLOW_EOF 0x0004
>
> char *read_passphrase(const char *, int);
> -
> -/* These functions use the keychain in Mac OS X to retrieve and store
> - passwords. */
> -#ifdef USE_KEYCHAIN
> -
> -#include<Security/Security.h>
> -#include<stdio.h>
> -
> -/* Both return 0 on success */
> -int get_passphrase_from_keychain(const char *prompt, char buf[],
> size_t size);
> -int store_passphrase_on_keychain(const char *prompt, const char buf[]);
> -
> -
> -/* ifdef USE_KEYCHAIN */
> -#endif
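Review bot: the `/* ifdef USE_KEYCHAIN */` comment is on the line before `#endif` rather than on it (`#endif /* USE_KEYCHAIN */`, as readpass.c does), and `#include<Security/Security.h>` / `#include<stdio.h>` are missing the space after `#include`. More importantly, putting those includes in a header pulls the whole Security framework into every translation unit that includes readpass.h, when only readpass.c uses it; move both includes into readpass.c and keep only the prototypes here, or make the two functions `static` in readpass.c since nothing outside that file calls them.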
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>