authorChristophe Fergeau <cfergeau@redhat.com>2014-09-06 19:26:41 +0200
committerChristophe Fergeau <cfergeau@redhat.com>2015-05-20 17:21:13 +0200
commitb48c1806fbd3eaff3b0a99776b415353ded3203b (patch)
tree435fcf3328a68bfe413b6a751b086935b6135cbd
parentbb67785b18a1e13909a0f0f708ceba6b32e28248 (diff)
ssh: Add support for GCR_UNLOCK_OPTION_*
This will automatically lock/remove keys which are unlocked through op_sign_request()/op_add_identity()/op_add_identity_v1() according to the user preference stored in dconf (ssh-cache-method/ssh-cache-ttl).
-rw-r--r--daemon/ssh-agent/gkd-ssh-agent-ops.c37
1 files changed, 36 insertions, 1 deletions
diff --git a/daemon/ssh-agent/gkd-ssh-agent-ops.c b/daemon/ssh-agent/gkd-ssh-agent-ops.c
index c3aef2c2..e29b8bdb 100644
--- a/daemon/ssh-agent/gkd-ssh-agent-ops.c
+++ b/daemon/ssh-agent/gkd-ssh-agent-ops.c
@@ -26,6 +26,8 @@
#include <gck/gck.h>
+#include <gcr/gcr-unlock-options.h>
+
#include "pkcs11/pkcs11.h"
#include "pkcs11/pkcs11i.h"
@@ -564,6 +566,34 @@ replace_key_pair (GckSession *session,
}
static gboolean
+load_user_constraints (GckBuilder *builder)
+{
+ GSettings *settings;
+ gchar *method;
+ guint32 lifetime;
+
+ settings = gkd_ssh_agent_settings ();
+ method = g_settings_get_string (settings, "ssh-cache-method");
+ lifetime = g_settings_get_int (settings, "ssh-cache-ttl");
+
+ if (g_str_equal (method, GCR_UNLOCK_OPTION_IDLE)) {
+ gck_builder_add_ulong (builder, CKA_G_DESTRUCT_IDLE, lifetime);
+ } else if (g_str_equal (method, GCR_UNLOCK_OPTION_TIMEOUT)) {
+ gck_builder_add_ulong (builder, CKA_G_DESTRUCT_AFTER, lifetime);
+ } else if (g_str_equal (method, GCR_UNLOCK_OPTION_SESSION)) {
+ gck_builder_add_boolean (builder, CKA_G_DESTRUCT_SESSION_IDLE, TRUE);
+ } else {
+ g_message ("Unsupported ssh-cache-method setting: %s", method);
+ g_free (method);
+
+ return FALSE;
+ }
+ g_free (method);
+
+ return TRUE;
+}
+
+static gboolean
load_constraints (EggBuffer *buffer,
gsize offset,
gsize *next_offset,
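Review bot: The ttl read near the top of load_user_constraints is stored into a guint32 and then widened to a gulong for CKA_G_DESTRUCT_IDLE/CKA_G_DESTRUCT_AFTER, so a negative ssh-cache-ttl (g_settings_get_int returns a signed gint) wraps to a huge lifetime and the key effectively never expires, which is the opposite of what a user configuring a cache policy expects. Unless the schema already restricts the range (not visible here), keep the value signed and reject bad input before the method comparison: `gint lifetime = g_settings_get_int (settings, "ssh-cache-ttl");` followed by `if (lifetime < 0) { g_message ("Invalid ssh-cache-ttl setting: %d", lifetime); g_free (method); return FALSE; }`. The final else branch logs "Unsupported" for every method string this switch does not handle, which presumably includes any keep-unlocked-indefinitely value the gcr header defines; if that is an intended, valid choice, a comment there saying so would stop it from reading as a configuration error. A short header comment stating that the function appends destruct attributes derived from gsettings and returns FALSE with the builder untouched when the method is unrecognised would let callers decide whether they need to check the result.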
@@ -601,8 +631,12 @@ load_constraints (EggBuffer *buffer,
return FALSE;
}
}
-
*next_offset = offset;
+
+ /* Constraints can also be set by the user through gsettings */
+ load_user_constraints (pub);
+ load_user_constraints (priv);
+
return TRUE;
}
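Review bot: Both calls to load_user_constraints added before the final return discard its gboolean, so when the configured ssh-cache-method is one this build does not understand the helper has already logged and returned FALSE, yet load_constraints still returns TRUE and the key pair is created with only whatever constraints the client supplied, possibly none, i.e. an unlocked key that is never destroyed. If that fall-back is intended, say so in the comment, e.g. `/* Constraints can also be set by the user through gsettings; an unrecognised method is logged and leaves the builders unchanged */`; if not, propagate the failure: `if (!load_user_constraints (pub) || !load_user_constraints (priv)) return FALSE;`. As written the second call also logs the same message a second time for priv. If the earlier part of load_constraints (outside this hunk) already added CKA_G_DESTRUCT_AFTER from a client-supplied lifetime constraint, this appends a second one, so it is worth confirming whether gck_builder_add_ulong replaces or duplicates an existing attribute and which value the token honours. load_constraints begins outside the hunk.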
@@ -969,6 +1003,7 @@ unlock_and_sign (GckSession *session, GckObject *key, gulong mech_type, const gu
gck_builder_add_boolean (&builder, CKA_TOKEN, FALSE);
gck_builder_add_empty (&builder, CKA_VALUE);
gck_builder_add_ulong (&builder, CKA_G_OBJECT, gck_object_get_handle (key));
+ load_user_constraints (&builder);
cred = gck_session_create_object (session, gck_builder_end (&builder), NULL, err);