authordjm <djm@openbsd.org>2019-01-21 12:53:35 +0000
committerdjm <djm@openbsd.org>2019-01-21 12:53:35 +0000
commit9f07e697fba7725abc814d74c7f6fea1d4b109e1 (patch)
tree92dc7d08874dc422fc5b5aca0fb1d89d2ae14db8
parentadapt to changes in KEX APIs and file removals (diff)
add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up debug
verbosity. Make ssh-agent turn on ssh-pkcs11-helper's verbosity when it is run in debug mode ("ssh-agent -d"), so we get to see errors from the PKCS#11 code. ok markus@
-rw-r--r--usr.bin/ssh/ssh-add.114
-rw-r--r--usr.bin/ssh/ssh-add.c16
-rw-r--r--usr.bin/ssh/ssh-pkcs11-client.c15
-rw-r--r--usr.bin/ssh/ssh-pkcs11-helper.827
-rw-r--r--usr.bin/ssh/ssh-pkcs11-helper.c24
5 files changed, 82 insertions, 14 deletions
diff --git a/usr.bin/ssh/ssh-add.1 b/usr.bin/ssh/ssh-add.1
index 90826f66739..d4e1c603be6 100644
--- a/usr.bin/ssh/ssh-add.1
+++ b/usr.bin/ssh/ssh-add.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-add.1,v 1.68 2019/01/21 07:09:10 jmc Exp $
+.\" $OpenBSD: ssh-add.1,v 1.69 2019/01/21 12:53:35 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -43,7 +43,7 @@
.Nd adds private key identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
-.Op Fl cDdkLlqXx
+.Op Fl cDdkLlqvXx
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
.Op Ar
@@ -143,6 +143,16 @@ Set a maximum lifetime when adding identities to an agent.
The lifetime may be specified in seconds or in a time format
specified in
.Xr sshd_config 5 .
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+to print debugging messages about its progress.
+This is helpful in debugging problems.
+Multiple
+.Fl v
+options increase the verbosity.
+The maximum is 3.
.It Fl X
Unlock the agent.
.It Fl x
diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index ad57a13ffeb..d9c8ef394cb 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.137 2019/01/20 22:03:29 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.138 2019/01/21 12:53:35 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -552,6 +552,7 @@ usage(void)
fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
fprintf(stderr, " -T pubkey Test if ssh-agent can access matching private key.\n");
fprintf(stderr, " -q Be quiet after a successful operation.\n");
+ fprintf(stderr, " -v Be more verbose.\n");
}
int
@@ -563,6 +564,8 @@ main(int argc, char **argv)
char *pkcs11provider = NULL;
int r, i, ch, deleting = 0, ret = 0, key_only = 0;
int xflag = 0, lflag = 0, Dflag = 0, qflag = 0, Tflag = 0;
+ SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
+ LogLevel log_level = SYSLOG_LEVEL_INFO;
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -570,6 +573,8 @@ main(int argc, char **argv)
OpenSSL_add_all_algorithms();
+ log_init(__progname, log_level, log_facility, 1);
+
setvbuf(stdout, NULL, _IOLBF, 0);
/* First, get a connection to the authentication agent. */
@@ -585,8 +590,14 @@ main(int argc, char **argv)
exit(2);
}
- while ((ch = getopt(argc, argv, "klLcdDTxXE:e:M:m:qs:t:")) != -1) {
+ while ((ch = getopt(argc, argv, "vklLcdDTxXE:e:M:m:qs:t:")) != -1) {
switch (ch) {
+ case 'v':
+ if (log_level == SYSLOG_LEVEL_INFO)
+ log_level = SYSLOG_LEVEL_DEBUG1;
+ else if (log_level < SYSLOG_LEVEL_DEBUG3)
+ log_level++;
+ break;
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
if (fingerprint_hash == -1)
@@ -658,6 +669,7 @@ main(int argc, char **argv)
goto done;
}
}
+ log_init(__progname, log_level, log_facility, 1);
if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1)
fatal("Invalid combination of actions");
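Review bot: The level chosen with `-v` only takes effect at this second `log_init()` call, after the whole option loop has run. The agent connection set up under the "First, get a connection to the authentication agent" comment comes before `getopt()` in the neighbouring hunks, so it still logs at the initial `SYSLOG_LEVEL_INFO`. If debug output from the connection step is wanted, option parsing would have to move ahead of it; otherwise a comment such as `/* -v applies from here on; the agent connection above logs at INFO */` would document the limit. main() starts and ends outside this hunk, so the ordering is inferred from the other hunks of this file.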
diff --git a/usr.bin/ssh/ssh-pkcs11-client.c b/usr.bin/ssh/ssh-pkcs11-client.c
index 50bdfa6fda6..20284d98ecf 100644
--- a/usr.bin/ssh/ssh-pkcs11-client.c
+++ b/usr.bin/ssh/ssh-pkcs11-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-client.c,v 1.14 2019/01/20 22:57:45 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-client.c,v 1.15 2019/01/21 12:53:35 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
* Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -41,8 +41,8 @@
/* borrows code from sftp-server and ssh-agent */
-int fd = -1;
-pid_t pid = -1;
+static int fd = -1;
+static pid_t pid = -1;
static void
send_msg(struct sshbuf *m)
@@ -256,7 +256,10 @@ static int
pkcs11_start_helper(void)
{
int pair[2];
- char *helper;
+ char *helper, *verbosity = NULL;
+
+ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
+ verbosity = "-vvv";
if (pkcs11_start_helper_methods() == -1) {
error("pkcs11_start_helper_methods failed");
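Review bot: `verbosity` is set to the fixed string `"-vvv"` as soon as the caller's level reaches `SYSLOG_LEVEL_DEBUG1`, so one level of debugging in the agent always runs the helper at its maximum. Because the helper's `-v` handling also sets `log_stderr = 1`, all of that output goes to the stderr it inherits. What the PKCS#11 code prints at DEBUG3 is not visible here, so it is safer to pass the level through, e.g. `verbosity = lvl >= SYSLOG_LEVEL_DEBUG3 ? "-vvv" : lvl >= SYSLOG_LEVEL_DEBUG2 ? "-vv" : "-v";` with `lvl = log_level_get()`. As the variable only ever points at a literal, `const char *verbosity = NULL;` would be the cleaner declaration. The function body continues outside this hunk.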
@@ -281,7 +284,9 @@ pkcs11_start_helper(void)
helper = getenv("SSH_PKCS11_HELPER");
if (helper == NULL || strlen(helper) == 0)
helper = _PATH_SSH_PKCS11_HELPER;
- execlp(helper, helper, (char *)NULL);
+ debug("%s: starting %s %s", __func__, helper,
+ verbosity == NULL ? "" : verbosity);
+ execlp(helper, helper, verbosity, (char *)NULL);
fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno));
_exit(1);
}
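Review bot: The `execlp()` call relies on a NULL `verbosity` ending the argument list one slot early, which is correct but easy to break if another argument is later added after it. A comment would make that explicit, e.g. `/* a NULL verbosity terminates argv here; keep it the last optional argument */`. Separately, `helper` may come from `SSH_PKCS11_HELPER`, and `execlp()` searches PATH for names without a slash. The new `debug()` line is the only record in this hunk of which binary is started, and it appears only at debug level. The enclosing function starts outside this hunk.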
diff --git a/usr.bin/ssh/ssh-pkcs11-helper.8 b/usr.bin/ssh/ssh-pkcs11-helper.8
index 3728c4e4e7e..ba5c30fa052 100644
--- a/usr.bin/ssh/ssh-pkcs11-helper.8
+++ b/usr.bin/ssh/ssh-pkcs11-helper.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.4 2013/07/16 00:07:52 schwarze Exp $
+.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.5 2019/01/21 12:53:35 djm Exp $
.\"
.\" Copyright (c) 2010 Markus Friedl. All rights reserved.
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: July 16 2013 $
+.Dd $Mdocdate: January 21 2019 $
.Dt SSH-PKCS11-HELPER 8
.Os
.Sh NAME
@@ -22,6 +22,7 @@
.Nd ssh-agent helper program for PKCS#11 support
.Sh SYNOPSIS
.Nm
+.Op Fl v
.Sh DESCRIPTION
.Nm
is used by
@@ -31,6 +32,28 @@ to access keys provided by a PKCS#11 token.
.Nm
is not intended to be invoked by the user, but from
.Xr ssh-agent 1 .
+.Pp
+A single option is supported:
+.Bl -tag -width Ds
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+to print debugging messages about its progress.
+This is helpful in debugging problems.
+Multiple
+.Fl v
+options increase the verbosity.
+The maximum is 3.
+.Pp
+Note that
+.Xr ssh-agent 1
+will automatically pass the
+.Fl v
+flag to
+.Nm
+when it has itself been placed in debug mode.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff --git a/usr.bin/ssh/ssh-pkcs11-helper.c b/usr.bin/ssh/ssh-pkcs11-helper.c
index fabeac86480..656cf6867c1 100644
--- a/usr.bin/ssh/ssh-pkcs11-helper.c
+++ b/usr.bin/ssh/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.15 2019/01/20 22:51:37 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.16 2019/01/21 12:53:35 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -300,11 +300,12 @@ cleanup_exit(int i)
_exit(i);
}
+
int
main(int argc, char **argv)
{
fd_set *rset, *wset;
- int r, in, out, max, log_stderr = 0;
+ int r, ch, in, out, max, log_stderr = 0;
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -313,10 +314,27 @@ main(int argc, char **argv)
ssh_malloc_init(); /* must be called before any mallocs */
TAILQ_INIT(&pkcs11_keylist);
- pkcs11_init(0);
log_init(__progname, log_level, log_facility, log_stderr);
+ while ((ch = getopt(argc, argv, "v")) != -1) {
+ switch (ch) {
+ case 'v':
+ log_stderr = 1;
+ if (log_level == SYSLOG_LEVEL_ERROR)
+ log_level = SYSLOG_LEVEL_DEBUG1;
+ else if (log_level < SYSLOG_LEVEL_DEBUG3)
+ log_level++;
+ break;
+ default:
+ fprintf(stderr, "usage: %s [-v]\n", __progname);
+ exit(1);
+ }
+ }
+
+ log_init(__progname, log_level, log_facility, log_stderr);
+
+ pkcs11_init(0);
in = STDIN_FILENO;
out = STDOUT_FILENO;
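Review bot: The new option loop never checks `optind`, so any operands left after the options are silently ignored. For a helper that is only meant to be started by ssh-agent, rejecting them is the stricter choice: `if (optind != argc) { fprintf(stderr, "usage: %s [-v]\n", __progname); exit(1); }`. The moved `pkcs11_init(0)` call would also benefit from a comment such as `/* initialise PKCS#11 only after logging is configured so provider errors are reported */`, since the ordering is the point of the change. main() continues past the end of this hunk.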