diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c

--- openssh-5.3p1/authfd.c.nss-keys	2006-09-01 07:38:36.000000000 +0200

+++ openssh-5.3p1/authfd.c	2009-11-27 13:43:00.000000000 +0100

@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection

 	return decode_reply(type);

 }

+int

+ssh_update_nss_key(AuthenticationConnection *auth, int add,

+    const char *tokenname, const char *keyname,

+    const char *pass, u_int life, u_int confirm)

+{

+	Buffer msg;

+	int type, constrained = (life || confirm);

+

+	if (add) {

+		type = constrained ?

+		    SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED :

+		    SSH_AGENTC_ADD_NSS_KEY;

+	} else

+		type = SSH_AGENTC_REMOVE_NSS_KEY;

+

+	buffer_init(&msg;;

+	buffer_put_char(&msg, type);

+	buffer_put_cstring(&msg, tokenname);

+	buffer_put_cstring(&msg, keyname);

+	buffer_put_cstring(&msg, pass);

+

+	if (constrained) {

+		if (life != 0) {

+			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);

+			buffer_put_int(&msg, life);

+		}

+		if (confirm != 0)

+			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);

+	}

+

+	if (ssh_request_reply(auth, &msg, &msg) == 0) {

+		buffer_free(&msg;;

+		return 0;

+	}

+	type = buffer_get_char(&msg;;

+	buffer_free(&msg;;

+	return decode_reply(type);

+}

+

 /*

  * Removes all identities from the agent.  This call is not meant to be used

  * by normal applications.

diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h

--- openssh-5.3p1/authfd.h.nss-keys	2006-08-05 04:39:39.000000000 +0200

+++ openssh-5.3p1/authfd.h	2009-11-27 13:43:01.000000000 +0100

@@ -49,6 +49,12 @@

 #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25

 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26

+/* nss */

+#define SSH_AGENTC_ADD_NSS_KEY			30

+#define SSH_AGENTC_REMOVE_NSS_KEY		31

+#define SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED	32

+

+

 #define	SSH_AGENT_CONSTRAIN_LIFETIME		1

 #define	SSH_AGENT_CONSTRAIN_CONFIRM		2

@@ -83,6 +89,8 @@ int	 ssh_remove_all_identities(Authentic

 int	 ssh_lock_agent(AuthenticationConnection *, int, const char *);

 int	 ssh_update_card(AuthenticationConnection *, int, const char *,

     const char *, u_int, u_int);

+int	 ssh_update_nss_key(AuthenticationConnection *, int, const char *,

+    const char *, const char *, u_int, u_int);

 int

 ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],

diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac

--- openssh-5.3p1/configure.ac.nss-keys	2009-11-27 13:42:57.000000000 +0100

+++ openssh-5.3p1/configure.ac	2009-11-27 13:48:44.000000000 +0100

@@ -3526,6 +3526,21 @@ AC_ARG_WITH(kerberos5,

 	]

 )

+# Check whether user wants NSS support

+LIBNSS_MSG="no"

+AC_ARG_WITH(nss,

+	[  --with-nss   Enable NSS support],

+	[ if test "x$withval" != "xno" ; then

+		AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])

+		LIBNSS_MSG="yes"

+		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"

+		AC_CHECK_HEADERS(pk11pub.h)

+		LIBS="$LIBS -lnss3"

+		AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], [], [], [#include <secerr.h>])

+	fi

+	])

+AC_SUBST(LIBNSS)

+

 # Looking for programs, paths and files

 PRIVSEP_PATH=/var/empty

@@ -4253,6 +4269,7 @@ echo "              TCP Wrappers support

 echo "              MD5 password support: $MD5_MSG"

 echo "                   libedit support: $LIBEDIT_MSG"

 echo "  Solaris process contract support: $SPC_MSG"

+echo "                       NSS support: $LIBNSS_MSG"

 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"

 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"

 echo "                  BSD Auth support: $BSD_AUTH_MSG"

diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c

--- openssh-5.3p1/key.c.nss-keys	2008-11-03 09:24:17.000000000 +0100

+++ openssh-5.3p1/key.c	2009-11-27 13:43:01.000000000 +0100

@@ -96,6 +96,54 @@ key_new(int type)

 	return k;

 }

+#ifdef HAVE_LIBNSS

+Key *

+key_new_nss(int type)

+{

+	Key *k = key_new(type);

+

+	k->nss = xcalloc(1, sizeof(*k->nss));

+	k->flags = KEY_FLAG_EXT | KEY_FLAG_NSS;

+

+	return k;

+}

+

+Key *

+key_new_nss_copy(int type, const Key *c)

+{

+	Key *k = key_new_nss(type);

+

+	switch (k->type) {

+		case KEY_RSA:

+			if ((BN_copy(k->rsa->n, c->rsa->n) == NULL) ||

+				(BN_copy(k->rsa->e, c->rsa->e) == NULL))

+				fatal("key_new_nss_copy: BN_copy failed");

+			break;

+		case KEY_DSA:

+			if ((BN_copy(k->dsa->p, c->rsa->p) == NULL) ||

+				(BN_copy(k->dsa->q, c->dsa->q) == NULL) ||

+				(BN_copy(k->dsa->g, c->dsa->g) == NULL) ||

+				(BN_copy(k->dsa->pub_key, c->dsa->pub_key) == NULL))

+				fatal("key_new_nss_copy: BN_copy failed");

+			break;

+	}

+		

+	k->nss->privk = SECKEY_CopyPrivateKey(c->nss->privk);

+	if (k->nss->privk == NULL)

+		fatal("key_new_nss_copy: SECKEY_CopyPrivateKey failed");

+

+	k->nss->pubk = SECKEY_CopyPublicKey(c->nss->pubk);

+	if (k->nss->pubk == NULL)

+		fatal("key_new_nss_copy: SECKEY_CopyPublicKey failed");

+	

+	if (c->nss->privk->wincx)

+		k->nss->privk->wincx = xstrdup(c->nss->privk->wincx);

+

+	return k;

+}

+#endif

+

+

 Key *

 key_new_private(int type)

 {

@@ -151,6 +199,19 @@ key_free(Key *k)

 		fatal("key_free: bad key type %d", k->type);

 		break;

 	}

+#ifdef HAVE_LIBNSS

+	if (k->flags & KEY_FLAG_NSS) {

+		if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) {

+			memset(k->nss->privk->wincx, 0,

+				strlen(k->nss->privk->wincx));

+			xfree(k->nss->privk->wincx);

+			k->nss->privk->wincx = NULL;

+		}

+		SECKEY_DestroyPrivateKey(k->nss->privk);

+		SECKEY_DestroyPublicKey(k->nss->pubk);

+		xfree(k->nss);

+	}

+#endif

 	xfree(k);

 }

diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h

--- openssh-5.3p1/key.h.nss-keys	2008-06-12 20:40:35.000000000 +0200

+++ openssh-5.3p1/key.h	2009-11-27 13:43:01.000000000 +0100

@@ -29,11 +29,17 @@

 #include <openssl/rsa.h>

 #include <openssl/dsa.h>

+#ifdef HAVE_LIBNSS

+#include <nss.h>

+#include <keyhi.h>

+#endif

+

 typedef struct Key Key;

 enum types {

 	KEY_RSA1,

 	KEY_RSA,

 	KEY_DSA,

+	KEY_NSS,

 	KEY_UNSPEC

 };

 enum fp_type {

@@ -48,16 +54,30 @@ enum fp_rep {

 /* key is stored in external hardware */

 #define KEY_FLAG_EXT		0x0001

+#define KEY_FLAG_NSS		0x0002

+

+#ifdef HAVE_LIBNSS

+typedef struct NSSKey NSSKey;

+struct NSSKey {

+	SECKEYPrivateKey *privk;

+	SECKEYPublicKey *pubk;

+};

+#endif

 struct Key {

 	int	 type;

 	int	 flags;

 	RSA	*rsa;

 	DSA	*dsa;

+#ifdef HAVE_LIBNSS

+	NSSKey  *nss;

+#endif

 };

 Key		*key_new(int);

 Key		*key_new_private(int);

+Key 		*key_new_nss(int);

+Key		*key_new_nss_copy(int, const Key *);

 void		 key_free(Key *);

 Key		*key_demote(const Key *);

 int		 key_equal(const Key *, const Key *);

diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in

--- openssh-5.3p1/Makefile.in.nss-keys	2009-08-28 02:47:38.000000000 +0200

+++ openssh-5.3p1/Makefile.in	2009-11-27 13:43:01.000000000 +0100

@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b

 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \

 	kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \

-	entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o

+	entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o

 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \

 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \

diff -up /dev/null openssh-5.3p1/nsskeys.c

--- /dev/null	2009-11-27 11:08:21.619709673 +0100

+++ openssh-5.3p1/nsskeys.c	2009-11-27 13:45:42.000000000 +0100

@@ -0,0 +1,443 @@

+/*

+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.

+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.

+ * Copyright (c) 2009 Pierre Ossman for Cendio AB

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, this list of conditions and the following disclaimer.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ *

+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+#include "includes.h"

+#ifdef HAVE_LIBNSS

+

+#include <sys/types.h>

+

+#include <stdarg.h>

+#include <string.h>

+#include <unistd.h>

+

+#include <openssl/evp.h>

+

+#include <nss.h>

+#include <keyhi.h>

+#include <pk11pub.h>

+#include <cert.h>

+#include <secmod.h>

+#include <secerr.h>

+

+#include "xmalloc.h"

+#include "key.h"

+#include "log.h"

+#include "misc.h"

+#include "nsskeys.h"

+#include "pathnames.h"

+

+static char *

+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)

+{

+	char *password = arg;

+	if (retry || password == NULL)

+		return NULL;

+	

+	return PL_strdup(password);

+}

+

+int

+nss_init(PK11PasswordFunc pwfn)

+{

+	char *dbpath;

+	char buf[MAXPATHLEN];

+

+	if (NSS_IsInitialized())

+		return 0;

+

+	if ((dbpath=getenv("NSS_DB_PATH")) == NULL) {

+		struct passwd *pw;

+		if ((pw = getpwuid(getuid())) == NULL ||

+			pw->pw_dir == NULL) {

+			return -1;

+		}

+		snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,

+			    _PATH_SSH_USER_DIR);

+		dbpath = buf;

+	}

+

+	if (NSS_Init(dbpath) != SECSuccess) {

+		debug("Failed to initialize NSS library. Attempting without DB...");

+		if (NSS_NoDB_Init(NULL) != SECSuccess)

+			return -1;

+	}

+

+	if (pwfn == NULL) {

+		pwfn = password_cb;

+	}

+

+	PK11_SetPasswordFunc(pwfn);

+	

+	return 0;

+}

+

+int

+nss_load_module(const char *modpath)

+{

+	char spec[MAXPATHLEN + 40];

+	SECMODModule *module;

+

+	debug("loading PKCS#11 module '%s'", modpath);

+

+	snprintf(spec, sizeof(spec), "library=\"%s\" name=\"Foobar\"", modpath);

+	module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE);

+	if (!module || !module->loaded) {

+		if (module)

+			SECMOD_DestroyModule(module);

+		return -1;

+	}

+

+	return 0;

+}

+

+static Key *

+make_key_from_privkey(SECKEYPrivateKey *privk, char *password)

+{

+	Key *k;

+	switch (SECKEY_GetPrivateKeyType(privk)) {

+		case rsaKey:

+			k = key_new_nss(KEY_RSA);

+			break;

+		case dsaKey:

+			k = key_new_nss(KEY_DSA);

+			break;

+		default:

+			return NULL;

+	}

+	k->nss->pubk = SECKEY_ConvertToPublicKey(privk);

+	if (k->nss->pubk != NULL) {

+		k->nss->privk = SECKEY_CopyPrivateKey(privk);

+	}

+	if (k->nss->privk != NULL) {

+		if (password != NULL) {

+			k->nss->privk->wincx = xstrdup(password);

+		}

+		return k;

+	}

+	key_free(k);

+	return NULL;

+}

+

+static Key **

+add_key_to_list(Key *k, Key **keys, size_t *i, size_t *allocated)

+{

+	if (*allocated < *i + 2) {

+		*allocated += 16;

+		keys = xrealloc(keys, *allocated, sizeof(k));

+	}

+	keys[*i] = k;

+	(*i)++;

+	keys[*i] = NULL;

+	return keys;

+}

+

+static int

+nss_convert_pubkey(Key *k)

+{

+	u_char *n;

+	unsigned int len;

+	char *p;

+

+	switch (k->type) {

+		case KEY_RSA:

+			n = k->nss->pubk->u.rsa.modulus.data;

+			len = k->nss->pubk->u.rsa.modulus.len;

+

+			if (BN_bin2bn(n, len, k->rsa->n) == NULL) {

+				fatal("nss_convert_pubkey: BN_bin2bn failed");

+			}

+

+			n = k->nss->pubk->u.rsa.publicExponent.data;

+			len = k->nss->pubk->u.rsa.publicExponent.len;

+

+			if (BN_bin2bn(n, len, k->rsa->e) == NULL) {

+				fatal("nss_convert_pubkey: BN_bin2bn failed");

+			}

+			break;

+		case KEY_DSA:

+			n = k->nss->pubk->u.dsa.params.prime.data;

+			len = k->nss->pubk->u.dsa.params.prime.len;

+

+			if (BN_bin2bn(n, len, k->dsa->p) == NULL) {

+				fatal("nss_convert_pubkey: BN_bin2bn failed");

+			}

+

+			n = k->nss->pubk->u.dsa.params.subPrime.data;

+			len = k->nss->pubk->u.dsa.params.subPrime.len;

+

+			if (BN_bin2bn(n, len, k->dsa->q) == NULL) {

+				fatal("nss_convert_pubkey: BN_bin2bn failed");

+			}

+

+			n = k->nss->pubk->u.dsa.params.base.data;

+			len = k->nss->pubk->u.dsa.params.base.len;

+

+			if (BN_bin2bn(n, len, k->dsa->g) == NULL) {

+				fatal("nss_convert_pubkey: BN_bin2bn failed");

+			}

+

+			n = k->nss->pubk->u.dsa.publicValue.data;

+			len = k->nss->pubk->u.dsa.publicValue.len;

+

+			if (BN_bin2bn(n, len, k->dsa->pub_key) == NULL) {

+				fatal("nss_convert_pubkey: BN_bin2bn failed");

+			}

+			break;

+	}

+

+	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);

+	debug("fingerprint %u %s", key_size(k), p);

+	xfree(p);

+

+	return 0;

+}

+

+static int

+nss_authenticate(PK11SlotInfo *slot, char *password, int pwprompts, char **output)

+{

+	int i, quit;

+

+	*output = NULL;

+

+	if (!PK11_NeedLogin(slot))

+		return 0;

+

+	for (i = 0; i < pwprompts; i++) {

+		SECStatus rv;

+		CK_TOKEN_INFO info;

+

+		rv = PK11_GetTokenInfo(slot, &info;;

+		if (rv != SECSuccess) {

+			error("Failed to get information for token %s",

+				PK11_GetTokenName(slot));

+			return -1;

+		}

+

+		if (info.flags & CKF_USER_PIN_LOCKED) {

+			error("Passphrase for token %s is locked",

+				PK11_GetTokenName(slot));

+			return -1;

+		}

+

+		if (info.flags & CKF_USER_PIN_FINAL_TRY)

+			debug2("Final passphrase attempt for token %s",

+				PK11_GetTokenName(slot));

+		else if (info.flags & CKF_USER_PIN_COUNT_LOW)

+			debug2("Previous failed passphrase attempt for token %s",

+				PK11_GetTokenName(slot));

+

+		if (password != NULL)

+			*output = xstrdup(password);

+		else {

+			char *prompt;

+			if (asprintf(&prompt, "Enter passphrase for token %s: ",

+				PK11_GetTokenName(slot)) < 0)

+				fatal("password_cb: asprintf failed");

+			*output = read_passphrase(prompt, RP_ALLOW_STDIN);

+		}

+

+		if (strcmp(*output, "") == 0) {

+			debug2("no passphrase given, ignoring slot");

+			quit = 1;

+			goto cleanup;

+		}

+

+		quit = 0;

+

+		rv = PK11_Authenticate(slot, PR_TRUE, *output);

+		if (rv == SECSuccess)

+			return 0;

+

+		switch (PORT_GetError()) {

+		case SEC_ERROR_BAD_PASSWORD:

+			debug2("Incorrect passphrase, try again...");

+			break;

+		case SEC_ERROR_INVALID_ARGS:

+		case SEC_ERROR_BAD_DATA:

+			debug2("Invalid passphrase, try again...");

+			break;

+#if HAVE_SEC_ERROR_LOCKED_PASSWORD

+		case SEC_ERROR_LOCKED_PASSWORD:

+			error("Unable to authenticate, token passphrase is locked");

+			quit = 1;

+			break;

+#endif

+		default:

+			error("Failure while authenticating against token");

+			quit = 1;

+		}

+

+cleanup:

+		memset(*output, 0, strlen(*output));

+		xfree(*output);

+		*output = NULL;

+

+		/* No point in retrying the same password */

+		if (password != NULL)

+			break;

+

+		if (quit)

+			break;

+	}

+

+	return -1;

+}

+

+static Key **

+nss_find_privkeys(const char *tokenname, const char *keyname,

+    char *password, int pwprompts)

+{

+	Key *k = NULL;

+	Key **keys = NULL;

+	PK11SlotList *slots;

+	PK11SlotListElement *sle;

+	size_t allocated = 0;

+	size_t i = 0;

+

+	if ((slots=PK11_FindSlotsByNames(NULL, NULL, tokenname, PR_TRUE)) == NULL) {

+		if (tokenname == NULL) {

+			debug("No NSS token found");

+		} else {

+			debug("NSS token not found: %s", tokenname);

+		}

+		return NULL;

+	}

+	

+	for (sle = slots->head; sle; sle = sle->next) {

+		SECKEYPrivateKeyList *list;

+		SECKEYPrivateKeyListNode *node;

+		char *tmppass;

+

+		if (nss_authenticate(sle->slot, password, pwprompts, &tmppass) == -1)

+			break;

+

+		debug("Looking for: %s:%s", tokenname, keyname);

+		list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname,

+			tmppass);

+		if (list == NULL && keyname != NULL) {

+			char *fooname;

+			/* NSS bug workaround */

+			if (asprintf(&fooname, "%s~", keyname) < 0) {

+				error("nss_find_privkey: asprintf failed");

+				PK11_FreeSlotList(slots);

+				return NULL;

+			}

+			list = PK11_ListPrivKeysInSlot(sle->slot, fooname,

+			tmppass);

+			free(fooname);

+		}

+		if (list == NULL && keyname != NULL) {

+			CERTCertificate *cert;

+			SECKEYPrivateKey *privk;

+			cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(),

+				(char *)keyname);

+			if (cert == NULL)

+				goto cleanup;

+			privk = PK11_FindPrivateKeyFromCert(sle->slot, cert, tmppass);

+			CERT_DestroyCertificate(cert);

+			if (privk == NULL)

+				goto cleanup;

+			if ((k=make_key_from_privkey(privk, tmppass)) != NULL) {

+				nss_convert_pubkey(k);

+				keys = add_key_to_list(k, keys, &i, &allocated);

+			}

+			SECKEY_DestroyPrivateKey(privk);

+		} else {

+			if (list == NULL)

+				goto cleanup;

+			for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);

+				node=PRIVKEY_LIST_NEXT(node))

+				if ((k=make_key_from_privkey(node->key, tmppass)) != NULL) {

+					nss_convert_pubkey(k);

+					keys = add_key_to_list(k, keys, &i, &allocated);

+				}

+			SECKEY_DestroyPrivateKeyList(list);

+		}

+cleanup:

+		if (tmppass != NULL) {

+			memset(tmppass, 0, strlen(tmppass));

+			xfree(tmppass);

+		}

+	}

+	PK11_FreeSlotList(slots);

+

+	return keys;

+}

+

+Key **

+nss_get_keys(const char *tokenname, const char *keyname,

+    char *password, int pwprompts, int num_modules, const char **modules)

+{

+	int i;

+	Key **keys;

+

+	if (nss_init(NULL) == -1) {

+		error("Failed to initialize NSS library");

+		return NULL;

+	}

+

+	for (i = 0;i < num_modules;i++) {

+		if (nss_load_module(modules[i]) == -1) {

+			error("Failed to load PKCS#11 module '%s'", modules[i]);

+			return NULL;

+		}

+	}

+

+	keys = nss_find_privkeys(tokenname, keyname, password, pwprompts);

+	if (keys == NULL && keyname != NULL) {

+		error("Cannot find key in nss, token removed");

+		return NULL;

+	}

+#if 0

+	keys = xcalloc(3, sizeof(Key *));

+

+	if (k->type == KEY_RSA) {

+		n = key_new_nss_copy(KEY_RSA1, k);

+

+		keys[0] = n;

+		keys[1] = k;

+		keys[2] = NULL;

+	} else {

+		keys[0] = k;

+		keys[1] = NULL;

+	}

+#endif

+	return keys;

+}

+

+char *

+nss_get_key_label(Key *key)

+{

+	char *label, *nickname;

+	

+	nickname = PK11_GetPrivateKeyNickname(key->nss->privk);

+	label = xstrdup(nickname);

+	PORT_Free(nickname);

+

+	return label;

+}

+

+#endif /* HAVE_LIBNSS */

diff -up /dev/null openssh-5.3p1/nsskeys.h

--- /dev/null	2009-11-27 11:08:21.619709673 +0100

+++ openssh-5.3p1/nsskeys.h	2009-11-27 13:43:01.000000000 +0100

@@ -0,0 +1,39 @@

+/*

+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.

+ * Copyright (c) 2007 Red Hat, Inc.  All rights reserved.

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, this list of conditions and the following disclaimer.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ *

+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,