ssh-agent-sierra-patch.txt

--- Makefile.in.orig
+++ Makefile.in
@@ -42,7 +42,10 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \

 CC=@CC@
 LD=@LD@
-CFLAGS=@CFLAGS@
+CFLAGS=@CFLAGS@ \
+   -D__APPLE__ \
+   -D__APPLE_KEYCHAIN__ \
+   -D__APPLE_LAUNCHD__
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 K5LIBS=@K5LIBS@
@@ -58,7 +61,12 @@ PERL=@PERL@
 SED=@SED@
 ENT=@ENT@
 XAUTH_PATH=@XAUTH_PATH@
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
+LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ \
+   -framework Foundation \
+   -framework CoreFoundation \
+   -framework Kerberos \
+   -framework OpenDirectory \
+   -framework Security
 EXEEXT=@EXEEXT@
 MANFMT=@MANFMT@

@@ -95,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
    platform-pledge.o platform-tracing.o

 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-   sshconnect.o sshconnect1.o sshconnect2.o mux.o
+   sshconnect.o sshconnect1.o keychain.o sshconnect2.o mux.o

 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
    audit.o audit-bsm.o audit-linux.o platform.o \
@@ -169,11 +177,11 @@ sshd$(EXEEXT): libssh.a   $(LIBCOMPAT) $(S
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
    $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

-ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
-   $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o keychain.o
+   $(LD) -o $@ ssh-add.o keychain.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

-ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
-   $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-agent-notify.o ssh-pkcs11-client.o
+   $(LD) -o $@ ssh-agent.o ssh-agent-notify.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
    $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- /dev/null
+++ ssh-agent-notify.h
@@ -0,0 +1,6 @@
+#ifndef _SSH_AGENT_NOTIFY_H_
+#define _SSH_AGENT_NOTIFY_H_
+
+void notify_user_macos(char *key, char *comment);
+
+#endif /* _SSH_AGENT_NOTIFY_H */
--- /dev/null
+++ ssh-agent-notify.m
@@ -0,0 +1,69 @@
+#import <Foundation/Foundation.h>
+#import <Foundation/NSUserNotification.h>
+#import <objc/runtime.h>
+#import "ssh-agent-notify.h"
+
+@implementation NSBundle(sshagent)
+- (NSString *)__bundleIdentifier
+{
+   return (self == [NSBundle mainBundle] ? @"com.apple.keychainaccess" :
+       [self __bundleIdentifier]);
+}
+@end
+
+BOOL
+installNSBundleHook()
+{
+   Class class = objc_getClass("NSBundle");
+   if (class) {
+       method_exchangeImplementations(
+         class_getInstanceMethod(class, @selector(bundleIdentifier)),
+         class_getInstanceMethod(class, @selector(__bundleIdentifier))
+       );
+       return YES;
+   }
+   return NO;
+}
+
+#pragma mark - NotificationCenterDelegate
+
+@interface NotificationCenterDelegate:NSObject<NSUserNotificationCenterDelegate>
+@property (nonatomic, assign) BOOL keepRunning;
+@end
+
+@implementation NotificationCenterDelegate
+- (void)userNotificationCenter:(NSUserNotificationCenter *)center
+    didDeliverNotification:(NSUserNotification *)notification
+{
+   self.keepRunning = NO;
+}
+@end
+
+#pragma mark -
+
+void
+notify_user_macos(char *key, char *comment)
+{
+   @autoreleasepool
+   {
+       if (!installNSBundleHook()) return;
+
+       NSUserNotificationCenter *center =
+           [NSUserNotificationCenter defaultUserNotificationCenter];
+       NotificationCenterDelegate *ncDelegate =
+           [[NotificationCenterDelegate alloc] init];
+       ncDelegate.keepRunning = YES;
+       center.delegate = ncDelegate;
+
+       NSUserNotification *notification =
+           [[NSUserNotification alloc] init];
+       [notification setTitle:
+           @"Key challenge signed for fingerprint"];
+       [notification setSubtitle:
+           [NSString stringWithUTF8String:key]];
+       [notification setInformativeText:
+           [NSString stringWithUTF8String:comment]];
+       [notification setSoundName:@"Submarine"];
+       [center scheduleNotification:notification];
+   }
+}
--- ssh-agent.c
+++ ssh-agent.c
@@ -95,6 +95,8 @@
 # define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
 #endif

+#include "ssh-agent-notify.h"
+
 typedef enum {
    AUTH_UNUSED,
    AUTH_SOCKET,
@@ -161,6 +163,18 @@ static long lifetime = 0;
 static int fingerprint_hash = SSH_FP_HASH_DEFAULT;

 static void
+notify_user(struct identity *id)
+{
+   char *p;
+
+   p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
+   debug("notifying key challenge signed for fingerprint %s path %s", p,
+       id->comment);
+   notify_user_macos(p, id->comment);
+   free(p);
+}
+
+static void
 close_socket(SocketEntry *e)
 {
    close(e->fd);
@@ -358,6 +372,9 @@ process_authentication_challenge1(Socket
        if ((r = sshbuf_put_u8(msg, SSH_AGENT_RSA_RESPONSE)) != 0 ||
            (r = sshbuf_put(msg, mdbuf, sizeof(mdbuf))) != 0)
            fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+       notify_user(id);
+
        goto send;
    }

@@ -431,6 +448,7 @@ process_sign_request2(SocketEntry *e)
        if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 ||
            (r = sshbuf_put_string(msg, signature, slen)) != 0)
            fatal("%s: buffer error: %s", __func__, ssh_err(r));
+       if (id) notify_user(id);
    } else if ((r = sshbuf_put_u8(msg, SSH_AGENT_FAILURE)) != 0)
        fatal("%s: buffer error: %s", __func__, ssh_err(r));