diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c

--- openssh-5.4p1/auth2-pubkey.c.pka	2010-03-09 08:01:05.000000000 +0100

+++ openssh-5.4p1/auth2-pubkey.c	2010-03-09 08:07:15.000000000 +0100

@@ -187,27 +187,15 @@ done:

 /* return 1 if user allows given key */

 static int

-user_key_allowed2(struct passwd *pw, Key *key, char *file)

+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)

 {

 	char line[SSH_MAX_PUBKEY_BYTES];

 	const char *reason;

 	int found_key = 0;

-	FILE *f;

 	u_long linenum = 0;

 	Key *found;

 	char *fp;

-	/* Temporarily use the user's uid. */

-	temporarily_use_uid(pw);

-

-	debug("trying public key file %s", file);

-	f = auth_openkeyfile(file, pw, options.strict_modes);

-

-	if (!f) {

-		restore_uid();

-		return 0;

-	}

-

 	found_key = 0;

 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);

@@ -278,8 +266,6 @@ user_key_allowed2(struct passwd *pw, Key

 			break;

 		}

 	}

-	restore_uid();

-	fclose(f);

 	key_free(found);

 	if (!found_key)

 		debug2("key not found");

@@ -327,13 +313,153 @@ user_cert_trusted_ca(struct passwd *pw, 

 	return ret;

 }

-/* check whether given key is in .ssh/authorized_keys* */

+/* return 1 if user allows given key */

+static int

+user_key_allowed2(struct passwd *pw, Key *key, char *file)

+{

+	FILE *f;

+	int found_key = 0;

+

+	/* Temporarily use the user's uid. */

+	temporarily_use_uid(pw);

+

+	debug("trying public key file %s", file);

+	f = auth_openkeyfile(file, pw, options.strict_modes);

+

+ 	if (f) {

+ 		found_key = user_search_key_in_file (f, file, key, pw);

+		fclose(f);

+	}

+

+	restore_uid();

+	return found_key;

+}

+

+#ifdef WITH_PUBKEY_AGENT

+

+#define WHITESPACE " \t\r\n"

+

+/* return 1 if user allows given key */

+static int

+user_key_via_agent_allowed2(struct passwd *pw, Key *key)

+{

+	FILE *f;

+	int found_key = 0;

+	char *pubkey_agent_string = NULL;

+	char *tmp_pubkey_agent_string = NULL;

+	char *progname;

+	char *cp;

+	struct passwd *runas_pw;

+	struct stat st;

+

+	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')

+		return -1;

+

+	/* get the run as identity from config */

+	runas_pw = (options.pubkey_agent_runas == NULL)? pw

+	    : getpwnam (options.pubkey_agent_runas);

+	if (!runas_pw) {

+		error("%s: getpwnam(\"%s\"): %s", __func__,

+		    options.pubkey_agent_runas, strerror(errno));

+		return 0;

+	}

+

+	/* Temporarily use the specified uid. */

+	if (runas_pw->pw_uid != 0)

+		temporarily_use_uid(runas_pw);

+

+	pubkey_agent_string = percent_expand(options.pubkey_agent,

+	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);

+

+	/* Test whether agent can be modified by non root user */

+	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);

+	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);

+

+	debug3("%s: checking program '%s'", __func__, progname);

+

+	if (stat (progname, &st) < 0) {

+		error("%s: stat(\"%s\"): %s", __func__,

+		    progname, strerror(errno));

+		goto go_away;

+	}

+

+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {

+		error("bad ownership or modes for pubkey agent \"%s\"",

+		    progname);

+		goto go_away;

+	}

+

+	if (!S_ISREG(st.st_mode)) {

+		error("pubkey agent \"%s\" is not a regular file",

+		    progname);

+		goto go_away;

+	}

+

+	/*

+	 * Descend the path, checking that each component is a

+	 * root-owned directory with strict permissions.

+	 */

+	do {

+		if ((cp = strrchr(progname, '/')) == NULL)

+			break;

+		else 

+			*cp = '\0';

+	

+		debug3("%s: checking component '%s'", __func__, progname);

+

+		if (stat(progname, &st) != 0) {

+			error("%s: stat(\"%s\"): %s", __func__,

+			    progname, strerror(errno));

+			goto go_away;

+		}

+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {

+			error("bad ownership or modes for pubkey agent path component \"%s\"",

+			    progname);

+			goto go_away;

+		}

+		if (!S_ISDIR(st.st_mode)) {

+			error("pubkey agent path component \"%s\" is not a directory",

+			    progname);

+			goto go_away;

+		}

+	} while (0);

+

+	/* open the pipe and read the keys */

+	f = popen (pubkey_agent_string, "r");

+	if (!f) {

+		error("%s: popen (\"%s\", \"r\"): %s", __func__,

+		    pubkey_agent_string, strerror (errno));

+		goto go_away;

+	}

+

+	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);

+	pclose (f);

+

+go_away:

+	if (tmp_pubkey_agent_string)

+		xfree (tmp_pubkey_agent_string);

+	if (pubkey_agent_string)

+		xfree (pubkey_agent_string);

+

+	if (runas_pw->pw_uid != 0)

+		restore_uid();

+	return found_key;

+}

+#endif

+

+/* check whether given key is in 

 int

 user_key_allowed(struct passwd *pw, Key *key)

 {

 	int success;

 	char *file;

+#ifdef WITH_PUBKEY_AGENT

+	success = user_key_via_agent_allowed2(pw, key);

+	if (success >= 0)

+		return success;

+#endif

+

 	if (auth_key_is_revoked(key))

 		return 0;

 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))

diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac

--- openssh-5.4p1/configure.ac.pka	2010-03-09 08:01:04.000000000 +0100

+++ openssh-5.4p1/configure.ac	2010-03-09 08:01:05.000000000 +0100

@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,

 	esac ]

 )

+# Check whether user wants pubkey agent support

+PKA_MSG="no"

+AC_ARG_WITH(pka,

+	[  --with-pka      Enable pubkey agent support],

+	[

+		if test "x$withval" != "xno" ; then

+			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])

+			PKA_MSG="yes"

+		fi

+	]

+)

+

 dnl    Checks for library functions. Please keep in alphabetical order

 AC_CHECK_FUNCS( \

 	arc4random \

@@ -4206,6 +4218,7 @@ echo "               Linux audit support

 echo "                 Smartcard support: $SCARD_MSG"

 echo "                     S/KEY support: $SKEY_MSG"

 echo "              TCP Wrappers support: $TCPW_MSG"

+echo "                       PKA support: $PKA_MSG"

 echo "              MD5 password support: $MD5_MSG"

 echo "                   libedit support: $LIBEDIT_MSG"

 echo "  Solaris process contract support: $SPC_MSG"

diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c

--- openssh-5.4p1/servconf.c.pka	2010-03-09 08:01:04.000000000 +0100

+++ openssh-5.4p1/servconf.c	2010-03-09 09:04:57.000000000 +0100

@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions 

 	options->num_permitted_opens = -1;

 	options->adm_forced_command = NULL;

 	options->chroot_directory = NULL;

+	options->pubkey_agent = NULL;

+	options->pubkey_agent_runas = NULL;

 	options->zero_knowledge_password_authentication = -1;

 	options->revoked_keys_file = NULL;

 	options->trusted_user_ca_keys = NULL;

@@ -315,6 +317,7 @@ typedef enum {

 	sUsePrivilegeSeparation, sAllowAgentForwarding,

 	sZeroKnowledgePasswordAuthentication, sHostCertificate,

 	sRevokedKeys, sTrustedUserCAKeys,

+	sPubkeyAgent, sPubkeyAgentRunAs,

 	sDeprecated, sUnsupported

 } ServerOpCodes;

@@ -437,6 +440,13 @@ static struct {

 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },

 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },

 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },

+#ifdef WITH_PUBKEY_AGENT

+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },

+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },

+#else

+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },

+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },

+#endif

 	{ NULL, sBadOption, 0 }

 };

@@ -1345,6 +1355,20 @@ process_server_config_line(ServerOptions

 		charptr = &options->revoked_keys_file;

 		goto parse_filename;

+	case sPubkeyAgent:

+		len = strspn(cp, WHITESPACE);

+		if (*activep && options->pubkey_agent == NULL)

+			options->pubkey_agent = xstrdup(cp + len);

+		return 0;

+

+	case sPubkeyAgentRunAs:

+		charptr = &options->pubkey_agent_runas;

+

+		arg = strdelim(&cp;;

+		if (*activep && *charptr == NULL)

+			*charptr = xstrdup(arg);

+		break;

+

 	case sDeprecated:

 		logit("%s line %d: Deprecated option %s",

 		    filename, linenum, arg);

@@ -1438,6 +1462,8 @@ copy_set_server_options(ServerOptions *d

 	M_CP_INTOPT(gss_authentication);

 	M_CP_INTOPT(rsa_authentication);

 	M_CP_INTOPT(pubkey_authentication);

+	M_CP_STROPT(pubkey_agent);

+	M_CP_STROPT(pubkey_agent_runas);

 	M_CP_INTOPT(kerberos_authentication);

 	M_CP_INTOPT(hostbased_authentication);

 	M_CP_INTOPT(kbd_interactive_authentication);

@@ -1683,6 +1709,8 @@ dump_config(ServerOptions *o)

 	dump_cfg_string(sChrootDirectory, o->chroot_directory);

 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);

 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);

+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);

+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);

 	/* string arguments requiring a lookup */

 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));

diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h

--- openssh-5.4p1/servconf.h.pka	2010-03-09 08:01:04.000000000 +0100

+++ openssh-5.4p1/servconf.h	2010-03-09 09:05:29.000000000 +0100

@@ -157,6 +157,8 @@ typedef struct {

 	char   *chroot_directory;

 	char   *revoked_keys_file;

 	char   *trusted_user_ca_keys;

+	char   *pubkey_agent;

+	char   *pubkey_agent_runas;

 }       ServerOptions;

 void	 initialize_server_options(ServerOptions *);

diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0

--- openssh-5.4p1/sshd_config.0.pka	2010-03-09 08:01:04.000000000 +0100

+++ openssh-5.4p1/sshd_config.0	2010-03-09 09:07:35.000000000 +0100

@@ -352,7 +352,8 @@ DESCRIPTION

              KbdInteractiveAuthentication, KerberosAuthentication,

              MaxAuthTries, MaxSessions, PasswordAuthentication,

              PermitEmptyPasswords, PermitOpen, PermitRootLogin,

-             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,

+             PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,

+             RhostsRSAAuthentication, RSAAuthentication,

              X11DisplayOffset, X11Forwarding and X11UseLocalHost.

      MaxAuthTries

@@ -467,6 +468,17 @@ DESCRIPTION

              this file is not readable, then public key authentication will be

              refused for all users.

+     PubkeyAgent

+             Specifies which agent is used for lookup of the user's public

+             keys. Empty string means to use the authorized_keys file.  By

+             default there is no PubkeyAgent set.  Note that this option has

+             an effect only with PubkeyAuthentication switched on.

+

+     PubkeyAgentRunAs

+             Specifies the user under whose account the PubkeyAgent is run.

+             Empty string (the default value) means the user being authorized

+             is used.

+

      RhostsRSAAuthentication

              Specifies whether rhosts or /etc/hosts.equiv authentication to-

              gether with successful RSA host authentication is allowed.  The

diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5

--- openssh-5.4p1/sshd_config.5.pka	2010-03-09 08:01:04.000000000 +0100

+++ openssh-5.4p1/sshd_config.5	2010-03-09 09:06:40.000000000 +0100

@@ -618,6 +618,9 @@ Available keywords are

 .Cm KerberosAuthentication ,

 .Cm MaxAuthTries ,

 .Cm MaxSessions ,

+.Cm PubkeyAuthentication ,

+.Cm PubkeyAgent ,

+.Cm PubkeyAgentRunAs ,

 .Cm PasswordAuthentication ,

 .Cm PermitEmptyPasswords ,

 .Cm PermitOpen ,

@@ -819,6 +822,16 @@ Specifies a list of revoked public keys.

 Keys listed in this file will be refused for public key authentication.

 Note that if this file is not readable, then public key authentication will

 be refused for all users.

++.It Cm PubkeyAgent

++Specifies which agent is used for lookup of the user's public

++keys. Empty string means to use the authorized_keys file.

++By default there is no PubkeyAgent set.

++Note that this option has an effect only with PubkeyAuthentication

++switched on.

++.It Cm PubkeyAgentRunAs

++Specifies the user under whose account the PubkeyAgent is run. Empty

++string (the default value) means the user being authorized is used.

++.Dq 

 .It Cm RhostsRSAAuthentication

 Specifies whether rhosts or /etc/hosts.equiv authentication together

 with successful RSA host authentication is allowed.

diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config

--- openssh-5.4p1/sshd_config.pka	2010-03-09 08:01:04.000000000 +0100

+++ openssh-5.4p1/sshd_config	2010-03-09 08:01:06.000000000 +0100

@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV

 #RSAAuthentication yes

 #PubkeyAuthentication yes

 #AuthorizedKeysFile	.ssh/authorized_keys

+#PubkeyAgent none

+#PubkeyAgentRunAs nobody

 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

 #RhostsRSAAuthentication no