Bug 356451

Summary: allow ssh to easily load nss modules
Product: [Fedora] Fedora
Reporter: Pierre Ossman <pierre-bugzilla>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: ossman, triage
Target Milestone: ---
Keywords: FutureFeature, Patch
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: bzcl34nup
Doc Type: Enhancement
Last Closed: 2010-03-09 13:35:39 UTC
Bug Blocks: 537411    
Attachments:
nssmodule.patch (flags: none)
updated patch (flags: none)

Description Pierre Ossman 2007-10-29 14:07:34 UTC
It would be nice if ssh could easily load extra PKCS#11 modules for use when
authenticating. Currently you have to fiddle with modutil to add modules.

Attached file adds a new option NSSModule which can be specified several times
to add modules. The patch also modifies ssh so that it can start without a NSS
database in ~/.ssh.

(I sent you a mail about this some time ago, but I didn't get a reply so I'm
trying adding a bug instead).

Comment 1 Pierre Ossman 2007-10-29 14:07:34 UTC
Created attachment 241861
nssmodule.patch

Comment 2 Tomas Mraz 2007-10-29 14:43:48 UTC
(In reply to comment #0)
> It would be nice if ssh could easily load extra PKCS#11 modules for use when
> authenticating. Currently you have to fiddle with modutil to add modules.
> 
> Attached file adds a new option NSSModule which can be specified several times
> to add modules. The patch also modifies ssh so that it can start without a NSS
> database in ~/.ssh.

Seems useful. I'll merge it with the existing nss patch.
 
> (I sent you a mail about this some time ago, but I didn't get a reply so I'm
> trying adding a bug instead).

I can't find the mail, it must have got lost somehow.


Comment 3 Pierre Ossman 2007-10-29 18:46:10 UTC
(In reply to comment #2)
> 
> I can't find the mail, it must have got lost somehow.
> 

I've resent it to you. Please ping me if it still doesn't show up.

Comment 4 Bug Zapper 2008-04-04 14:19:44 UTC
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 5 Fedora Admin XMLRPC Client 2009-03-10 09:20:47 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 6 Fedora Admin XMLRPC Client 2009-03-10 10:17:52 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 7 Fedora Admin XMLRPC Client 2009-03-10 10:19:46 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 8 Pierre Ossman 2009-09-09 09:15:41 UTC
Ping! I sent a reply to the message about testing, but as the bug is still open I'm not sure if it got through. The patched rpm worked fine, so please add this patch to the stable package.

Comment 9 Pierre Ossman 2009-11-06 14:47:19 UTC
Reping. Is anyone keeping track of these bugs?

Comment 10 Pierre Ossman 2009-11-13 14:52:53 UTC
Created attachment 369436
updated patch

Updated patch that makes sure everything compiles without warnings or errors.

Comment 11 Jan F. Chadima 2009-11-24 14:19:43 UTC
The patch is applied in openssh-5.3p1-10.fc13, can you test it, please?

Comment 12 Pierre Ossman 2009-11-24 15:00:29 UTC
Works like a charm.

Comment 13 Jan F. Chadima 2010-03-09 13:35:39 UTC
This functionality will be discontinued due to massive upstream changes in the key handling. There is now pkcs11 support by Alon Bar Lev instead.

Comment 14 Pierre Ossman 2010-03-09 20:43:18 UTC
Does this mean that Red Hat is abandoning the conversion to NSS? Doesn't seem sane to have two systems in place for smart card integration.

Comment 15 Jan F. Chadima 2010-03-10 04:55:53 UTC
It means that the api changed in openssh 5.4 and until the new patch is done there is no chance to use nss with openssh. There is a new api based on ssh-agent. If you have time to write it, I'll be pleased to add it to the package. I'm sorry but in the next month or two I have no time to develop it.

Comment 16 Pierre Ossman 2010-03-11 09:24:43 UTC
So this is just a temporary removal, caused by lack of resources? The reason I'm asking is that we hopped on the NSS bandwagon with the hope that there could be some exchange between us and Red Hat for the smart card work.

I'm afraid we don't have any resources in the short term to fix the NSS patch, but I will add an internal bug for it and we might end up doing the work first.

Comment 17 Jan F. Chadima 2010-03-11 11:25:35 UTC
(In reply to comment #16)
> So this is just a temporary removal, caused by lack of resources?

Yes

> The reason
> I'm asking is that we hopped on the NSS bandwagon with the hope that there
> could be some exchange between us and Red Hat for the smart card work.
> 
> I'm afraid we don't have any resources in the short term to fix the NSS patch,
> but I will add an internal bug for it and we might end up doing the work first.

Thanks