search for: clear_pass

Hello, With the introduction of SSH_ASKPASS_REQUIRE in version 8.4, I've set up a script for SSH_ASKPASS to query my local passwordstore (https://www.passwordstore.org/) vault to retrieve the password for a given key. This works for ssh-add as well as ssh (configured with AddKeysToAgent set to 'yes'). My workflow effectively transforms into entering the password for the GPG key used

...(comment == NULL) comment = xstrdup(filename); /* try last */ if (private == NULL && pass != NULL) - private = key_load_private(filename, pass, NULL); + private = key_load_private(filename, pass, NULL, 0); if (private == NULL) { /* clear passphrase since it did not work */ clear_pass(); @@ -160,7 +160,8 @@ xfree(comment); return -1; } - private = key_load_private(filename, pass, &comment); + private = key_load_private(filename, pass, + &comment, 0); if (private != NULL) break; clear_pass(); --- ssh-keygen.c.orig Thu Nov 27 18:15:47 2...

.../cvs/openssh/ssh-add.c,v retrieving revision 1.71 diff -u -r1.71 ssh-add.c --- ssh-add.c 10 Mar 2003 00:21:18 -0000 1.71 +++ ssh-add.c 27 Mar 2003 04:36:59 -0000 @@ -164,7 +164,8 @@ if (private != NULL) break; clear_pass(); - strlcpy(msg, "Bad passphrase, try again: ", sizeof msg); + snprintf(msg, sizeof msg, "Bad passphrase, try again for %.200s: ", + comment); } } ------- You are receiving this mail...

I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may

...()); - ssh_close_authentication_connection(ac); - exit(1); - } - snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_CLIENT_IDENTITY); - if (deleting) - delete_file(ac, buf); - else - add_file(ac, buf); - } + if (no_files) + add_default_identities(ac, deleting); + clear_pass(); ssh_close_authentication_connection(ac); exit(0); walters at space-ghost:/usr/src/ssh/openssh-2.9p2$ cd /usr/src/ssh/openssh-2.9p2/ diff -u /usr/src/ssh/openssh-2.9p2/ssh-add.1\~ /usr/src/ssh/openssh-2.9p2/ssh-add.1 --- /usr/src/ssh/openssh-2.9p2/ssh-add.1~ Wed Apr 11 11:59:36 2001 +++ /us...

...27 +#define SSH_AGENTC_ADD_ENGINE_KEY_CONSTRAINED 28 + #define SSH_AGENT_CONSTRAIN_LIFETIME 1 #define SSH_AGENT_CONSTRAIN_CONFIRM 2 #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 diff --git a/ssh-add.c b/ssh-add.c index f3b666c93..e988023a7 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -111,6 +111,29 @@ clear_pass(void) } } +static int +add_engine_key(int agent_fd, const char *file, const char *engine) +{ + int ret; + char *pin = NULL; + + ret = ssh_add_engine_key(agent_fd, file, engine, NULL, lifetime, confirm, maxsign); + if (ret == SSH_ERR_KEY_WRONG_PASSPHRASE) { + pin = read_passphrase("Enter...

....h" #include "pathnames.h" #include "misc.h" +#include "readconf.h" /* argv0 */ extern char *__progname; @@ -68,6 +69,11 @@ /* we keep a cache of one passphrases */ static char *pass = NULL; + +Options options; + +uid_t original_real_uid; + static void clear_pass(void) { @@ -311,12 +317,30 @@ AuthenticationConnection *ac = NULL; char *sc_reader_id = NULL; int i, ch, deleting = 0, ret = 0; + char buf[256]; + struct passwd *pw; __progname = ssh_get_progname(argv[0]); init_rng(); seed_rng(); SSLeay_add_all_algorithms(); + + /* Read options *...

Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I undestand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,

...with in-kernel keys\n"); + ret = 1; + goto done; + } else if (inkernel && confirm) { + fprintf(stderr, "Cannot use confirmation with in-kernel keys\n"); + ret = 1; + goto done; + } + argc -= optind; argv += optind; if (sc_reader_id != NULL) { @@ -410,6 +640,7 @@ clear_pass(); done: + if (ac != NULL) ssh_close_authentication_connection(ac); return ret; } diff -ubr -x configure openssh-4.1p1/ssh.c openssh-4.1p1-hacked/ssh.c --- openssh-4.1p1/ssh.c 2005-05-04 07:33:09.000000000 +0200 +++ openssh-4.1p1-hacked/ssh.c 2005-07-25 23:29:10.000000000 +0200 @@ -73,6 +73...