Bug 356451 - allow ssh to easily load nss modules
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
Whiteboard: bzcl34nup
Keywords: FutureFeature, Patch
Blocks: 537411
Reported: 2007-10-29 10:07 EDT by Pierre Ossman
Modified: 2010-03-11 06:25 EST (History)
Doc Type: Enhancement
Last Closed: 2010-03-09 08:35:39 EST


Attachments
nssmodule.patch (5.44 KB, patch)
2007-10-29 10:07 EDT, Pierre Ossman
updated patch (7.22 KB, patch)
2009-11-13 09:52 EST, Pierre Ossman

Description Pierre Ossman 2007-10-29 10:07:34 EDT
It would be nice if ssh could easily load extra PKCS#11 modules for use when
authenticating. Currently you have to fiddle with modutil to add modules.

Attached file adds a new option NSSModule which can be specified several times
to add modules. The patch also modifies ssh so that it can start without a NSS
database in ~/.ssh.

(I sent you a mail about this some time ago, but I didn't get a reply so I'm
trying adding a bug instead).
Comment 1 Pierre Ossman 2007-10-29 10:07:34 EDT
Created attachment 241861
nssmodule.patch
Comment 2 Tomas Mraz 2007-10-29 10:43:48 EDT
(In reply to comment #0)
> It would be nice if ssh could easily load extra PKCS#11 modules for use when
> authenticating. Currently you have to fiddle with modutil to add modules.
> 
> Attached file adds a new option NSSModule which can be specified several times
> to add modules. The patch also modifies ssh so that it can start without a NSS
> database in ~/.ssh.

Seems useful. I'll merge it with the existing nss patch.
 
> (I sent you a mail about this some time ago, but I didn't get a reply so I'm
> trying adding a bug instead).

I can't find the mail, it must have got lost somehow.
Comment 3 Pierre Ossman 2007-10-29 14:46:10 EDT
(In reply to comment #2)
> 
> I can't find the mail, it must have got lost somehow.
> 

I've resent it to you. Please ping me if it still doesn't show up.
Comment 4 Bug Zapper 2008-04-04 10:19:44 EDT
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 5 Fedora Admin XMLRPC Client 2009-03-10 05:20:47 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Fedora Admin XMLRPC Client 2009-03-10 06:17:52 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 7 Fedora Admin XMLRPC Client 2009-03-10 06:19:46 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Pierre Ossman 2009-09-09 05:15:41 EDT
Ping! I sent a reply to the message about testing, but as the bug is still open I'm not sure if it got through. The patched rpm worked fine, so please add this patch to the stable package.
Comment 9 Pierre Ossman 2009-11-06 09:47:19 EST
Reping. Is anyone keeping track of these bugs?
Comment 10 Pierre Ossman 2009-11-13 09:52:53 EST
Created attachment 369436
updated patch

Updated patch that makes sure everything compiles without warnings or errors.
Comment 11 Jan F. Chadima 2009-11-24 09:19:43 EST
The patch is applied in openssh-5.3p1-10.fc13, can you test it, please.
Comment 12 Pierre Ossman 2009-11-24 10:00:29 EST
Works like a charm.
Comment 13 Jan F. Chadima 2010-03-09 08:35:39 EST
This functionality will be discontinued due to massive upstream changes in the key handling. There is now pkcs11 support by Alon Bar Lev instead.
Comment 14 Pierre Ossman 2010-03-09 15:43:18 EST
Does this mean that Red Hat is abandoning the conversion to NSS? Doesn't seem sane to have two systems in place for smart card integration.
Comment 15 Jan F. Chadima 2010-03-09 23:55:53 EST
It means that the api changed in openssh 5.4 and until the new patch will be done there is no chance to use nss with openssh. There is a new api based on ssh-agent. If you have time to write it, I'll be pleased to add it to the package. I'm sorry but in the next month or two I have no time to develop it.
Comment 16 Pierre Ossman 2010-03-11 04:24:43 EST
So this is just a temporary removal, caused by lack of resources? The reason I'm asking is that we hopped on the NSS bandwagon with the hope that there could be some exchange between us and Red Hat for the smart card work.

I'm afraid we don't have any resources in the short term to fix the NSS patch, but I will add an internal bug for it and we might end up doing the work first.
Comment 17 Jan F. Chadima 2010-03-11 06:25:35 EST
(In reply to comment #16)
> So this is just a temporary removal, caused by lack of resources?

Yes

> The reason
> I'm asking is that we hopped on the NSS bandwagon with the hope that there
> could be some exchange between us and Red Hat for the smart card work.
> 
> I'm afraid we don't have any resources in the short term to fix the NSS patch,
> but I will add an internal bug for it and we might end up doing the work first.

Thanks
