Adding upstream version 2:2.6.1.upstream/2%2.6.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

6 files changed, 857 insertions, 0 deletions

diff --git a/tokens/Makemodule.am b/tokens/Makemodule.am
new file mode 100644
index 0000000..4be7bc5
--- /dev/null
+++ b/tokens/Makemodule.am
@@ -0,0 +1,29 @@
+EXTRA_DIST += tokens/libcryptsetup-token.sym
+
+TOKENS_LDFLAGS = $(AM_LDFLAGS) -no-undefined -avoid-version \
+	-Wl,--version-script=$(top_srcdir)/tokens/libcryptsetup-token.sym
+
+tokendir = ${EXTERNAL_LUKS2_TOKENS_PATH}
+
+if SSHPLUGIN_TOKEN
+libcryptsetup_token_ssh_la_LDFLAGS = $(TOKENS_LDFLAGS)
+libcryptsetup_token_ssh_la_SOURCES = tokens/ssh/libcryptsetup-token-ssh.c \
+				     tokens/ssh/ssh-utils.c \
+				     tokens/ssh/ssh-utils.h
+libcryptsetup_token_ssh_la_LIBADD = libcryptsetup.la @LIBSSH_LIBS@ @JSON_C_LIBS@
+token_LTLIBRARIES = libcryptsetup-token-ssh.la
+
+cryptsetup_ssh_SOURCES = tokens/ssh/cryptsetup-ssh.c \
+			 tokens/ssh/ssh-utils.c \
+			 tokens/ssh/ssh-utils.h \
+			 src/utils_tools.c \
+			 src/utils_password.c \
+			 lib/utils_io.c \
+			 lib/utils_loop.c
+cryptsetup_ssh_LDADD = -lm libcryptsetup.la @LIBSSH_LIBS@ @JSON_C_LIBS@ @POPT_LIBS@ \
+		       @PWQUALITY_LIBS@ @PASSWDQC_LIBS@ @ARGP_LIBS@
+
+cryptsetup_ssh_CFLAGS = $(AM_CFLAGS)
+
+sbin_PROGRAMS += cryptsetup-ssh
+endif
diff --git a/tokens/libcryptsetup-token.sym b/tokens/libcryptsetup-token.sym
new file mode 100644
index 0000000..17ec599
--- /dev/null
+++ b/tokens/libcryptsetup-token.sym
@@ -0,0 +1,9 @@
+CRYPTSETUP_TOKEN_1.0 {
+    global: cryptsetup_token_open;
+	    cryptsetup_token_open_pin;
+	    cryptsetup_token_buffer_free;
+	    cryptsetup_token_validate;
+	    cryptsetup_token_dump;
+	    cryptsetup_token_version;
+    local: *;
+};
diff --git a/tokens/ssh/cryptsetup-ssh.c b/tokens/ssh/cryptsetup-ssh.c
new file mode 100644
index 0000000..7c0bf02
--- /dev/null
+++ b/tokens/ssh/cryptsetup-ssh.c
@@ -0,0 +1,420 @@
+/*
+ * Example of LUKS2 token storing third party metadata (EXPERIMENTAL EXAMPLE)
+ *
+ * Copyright (C) 2016-2023 Milan Broz
+ * Copyright (C) 2021-2023 Vojtech Trefny
+ *
+ * Use:
+ *  - generate ssh example token
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <argp.h>
+#include <json-c/json.h>
+#include <termios.h>
+#include <stdbool.h>
+#include "libcryptsetup.h"
+#include "ssh-utils.h"
+#include "../src/cryptsetup.h"
+
+#define TOKEN_NAME "ssh"
+
+#define l_err(cd, x...) crypt_logf(cd, CRYPT_LOG_ERROR, x)
+#define l_dbg(cd, x...) crypt_logf(cd, CRYPT_LOG_DEBUG, x)
+
+#define OPT_SSH_SERVER  1
+#define OPT_SSH_USER	2
+#define OPT_SSH_PATH	3
+#define OPT_KEY_PATH	4
+#define OPT_DEBUG	5
+#define OPT_DEBUG_JSON	6
+#define OPT_KEY_SLOT	7
+
+void tools_cleanup(void)
+{
+}
+
+
+static int token_add(
+		const char *device,
+		const char *server,
+		const char *user,
+		const char *path,
+		const char *keypath,
+		int keyslot)
+
+{
+	struct crypt_device *cd;
+	json_object *jobj = NULL;
+	json_object *jobj_keyslots = NULL;
+	const char *string_token;
+	int r, token;
+
+	r = crypt_init(&cd, device);
+	if (r)
+		return r;
+
+	r = crypt_load(cd, CRYPT_LUKS2, NULL);
+	if (r) {
+		l_err(cd, _("Device %s is not a valid LUKS device."), device);
+		goto out;
+	}
+
+	r = -EINVAL;
+	jobj = json_object_new_object();
+	if (!jobj)
+		goto out;
+
+	/* type is mandatory field in all tokens and must match handler name member */
+	json_object_object_add(jobj, "type", json_object_new_string(TOKEN_NAME));
+
+	jobj_keyslots = json_object_new_array();
+
+	/* mandatory array field (may be empty and assigned later */
+	json_object_object_add(jobj, "keyslots", jobj_keyslots);
+
+	/* custom metadata */
+	json_object_object_add(jobj, "ssh_server", json_object_new_string(server));
+	json_object_object_add(jobj, "ssh_user", json_object_new_string(user));
+	json_object_object_add(jobj, "ssh_path", json_object_new_string(path));
+	json_object_object_add(jobj, "ssh_keypath", json_object_new_string(keypath));
+
+	string_token = json_object_to_json_string_ext(jobj, JSON_C_TO_STRING_PLAIN);
+	if (!string_token) {
+		r = -EINVAL;
+		goto out;
+	}
+
+	l_dbg(cd, "Token JSON: %s", string_token);
+
+	r = crypt_token_json_set(cd, CRYPT_ANY_TOKEN, string_token);
+	if (r < 0) {
+		l_err(cd, _("Failed to write ssh token json."));
+		goto out;
+	}
+
+	token = r;
+	r = crypt_token_assign_keyslot(cd, token, keyslot);
+	if (r != token) {
+		crypt_token_json_set(cd, token, NULL);
+		r = -EINVAL;
+	}
+out:
+	json_object_put(jobj);
+	crypt_free(cd);
+	return r;
+}
+
+const char *argp_program_version = "cryptsetup-ssh " PACKAGE_VERSION;
+
+static char doc[] = N_("Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected " \
+		       "to an SSH server\v" \
+		       "This plugin currently allows only adding a token to an existing key slot.\n\n" \
+		       "Specified SSH server must contain a key file on the specified path with " \
+		       "a passphrase for an existing key slot on the device.\n" \
+		       "Provided credentials will be used by cryptsetup to get the password when " \
+		       "opening the device using the token.\n\n" \
+		       "Note: The information provided when adding the token (SSH server address, user and paths) " \
+		       "will be stored in the LUKS2 header in plaintext.");
+
+static char args_doc[] = N_("<action> <device>");
+
+static struct argp_option options[] = {
+	{0,		0,		0,	  0, N_("Options for the 'add' action:")},
+	{"ssh-server",	OPT_SSH_SERVER, "STRING", 0, N_("IP address/URL of the remote server for this token")},
+	{"ssh-user",	OPT_SSH_USER, 	"STRING", 0, N_("Username used for the remote server")},
+	{"ssh-path",	OPT_SSH_PATH,	"STRING", 0, N_("Path to the key file on the remote server")},
+	{"ssh-keypath",	OPT_KEY_PATH, 	"STRING", 0, N_("Path to the SSH key for connecting to the remote server")},
+	{"key-slot",	OPT_KEY_SLOT,	"NUM",	  0, N_("Keyslot to assign the token to. If not specified, token will "\
+						        "be assigned to the first keyslot matching provided passphrase.")},
+	{0,		0,		0,	  0, N_("Generic options:")},
+	{"verbose",	'v',		0,	  0, N_("Shows more detailed error messages")},
+	{"debug",	OPT_DEBUG,	0,	  0, N_("Show debug messages")},
+	{"debug-json",  OPT_DEBUG_JSON, 0,	  0, N_("Show debug messages including JSON metadata")},
+	{ NULL,		0, 		0, 0, NULL }
+};
+
+struct arguments {
+	char *device;
+	char *action;
+	char *ssh_server;
+	char *ssh_user;
+	char *ssh_path;
+	char *ssh_keypath;
+	int keyslot;
+	int verbose;
+	int debug;
+	int debug_json;
+};
+
+static error_t
+parse_opt (int key, char *arg, struct argp_state *state) {
+	struct arguments *arguments = state->input;
+
+	switch (key) {
+	case OPT_SSH_SERVER:
+		arguments->ssh_server = arg;
+		break;
+	case OPT_SSH_USER:
+		arguments->ssh_user = arg;
+		break;
+	case OPT_SSH_PATH:
+		arguments->ssh_path = arg;
+		break;
+	case OPT_KEY_PATH:
+		arguments->ssh_keypath = arg;
+		break;
+	case OPT_KEY_SLOT:
+		arguments->keyslot = atoi(arg);
+		break;
+	case 'v':
+		arguments->verbose = 1;
+		break;
+	case OPT_DEBUG:
+		arguments->debug = 1;
+		break;
+	case OPT_DEBUG_JSON:
+		arguments->debug = 1;
+		arguments->debug_json = 1;
+		break;
+	case ARGP_KEY_NO_ARGS:
+		argp_usage(state);
+		break;
+	case ARGP_KEY_ARG:
+		arguments->action = arg;
+		arguments->device = state->argv[state->next];
+		state->next = state->argc;
+		break;
+	default:
+		return ARGP_ERR_UNKNOWN;
+	}
+
+	return 0;
+}
+
+static struct argp argp = { options, parse_opt, args_doc, doc };
+
+
+static void _log(int level, const char *msg, void *usrptr)
+{
+	struct arguments *arguments = (struct arguments *)usrptr;
+
+	switch (level) {
+	case CRYPT_LOG_NORMAL:
+		fprintf(stdout, "%s", msg);
+		break;
+	case CRYPT_LOG_VERBOSE:
+		if (arguments && arguments->verbose)
+			fprintf(stdout, "%s", msg);
+		break;
+	case CRYPT_LOG_ERROR:
+		fprintf(stderr, "%s", msg);
+		break;
+	case CRYPT_LOG_DEBUG_JSON:
+		if (arguments && arguments->debug_json)
+			fprintf(stdout, "# %s", msg);
+		break;
+	case CRYPT_LOG_DEBUG:
+		if (arguments && arguments->debug)
+			fprintf(stdout, "# %s", msg);
+		break;
+	}
+}
+
+static int get_keyslot_for_passphrase(struct arguments *arguments, const char *pin)
+{
+	int r = 0;
+	ssh_key pkey;
+	ssh_session ssh;
+	char *password = NULL;
+	size_t password_len = 0;
+	struct crypt_device *cd = NULL;
+	char *ssh_pass = NULL;
+	size_t key_size = 0;
+	char *prompt = NULL;
+
+	r = crypt_init(&cd, arguments->device);
+	if (r < 0)
+		return r;
+	crypt_set_log_callback(cd, &_log, arguments);
+
+	r = ssh_pki_import_privkey_file(arguments->ssh_keypath, pin, NULL, NULL, &pkey);
+	if (r != SSH_OK) {
+		if (r == SSH_EOF) {
+			crypt_log(cd, CRYPT_LOG_ERROR, _("Failed to open and import private key:\n"));
+			crypt_free(cd);
+			return -EINVAL;
+		} else {
+			_log(CRYPT_LOG_ERROR, _("Failed to import private key (password protected?).\n"), NULL);
+			/* TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " */
+			r = asprintf(&prompt, _("%s@%s's password: "), arguments->ssh_user, arguments->ssh_server);
+			if (r < 0) {
+				crypt_safe_free(ssh_pass);
+				crypt_free(cd);
+				return -EINVAL;
+			}
+
+			r = tools_get_key(prompt, &ssh_pass, &key_size, 0, 0, NULL, 0, 0, 0, cd);
+			if (r < 0) {
+				free(prompt);
+				crypt_safe_free(ssh_pass);
+				crypt_free(cd);
+				return -EINVAL;
+			}
+
+			/* now try again with the password */
+			r = get_keyslot_for_passphrase(arguments, ssh_pass);
+
+			crypt_safe_free(ssh_pass);
+			crypt_free(cd);
+			free(prompt);
+
+			return r;
+		}
+	}
+
+	ssh = sshplugin_session_init(cd, arguments->ssh_server, arguments->ssh_user);
+	if (!ssh) {
+		ssh_key_free(pkey);
+		crypt_free(cd);
+		return -EINVAL;
+	}
+
+	r = sshplugin_public_key_auth(cd, ssh, pkey);
+	ssh_key_free(pkey);
+
+	if (r != SSH_AUTH_SUCCESS) {
+		crypt_free(cd);
+		return r;
+	}
+
+	r = sshplugin_download_password(cd, ssh, arguments->ssh_path, &password, &password_len);
+	if (r < 0) {
+		ssh_disconnect(ssh);
+		ssh_free(ssh);
+		crypt_free(cd);
+		return r;
+	}
+
+	ssh_disconnect(ssh);
+	ssh_free(ssh);
+
+	r = crypt_load(cd, CRYPT_LUKS2, NULL);
+	if (r < 0) {
+		crypt_safe_memzero(password, password_len);
+		free(password);
+		crypt_free(cd);
+		return r;
+	}
+
+	r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, password, password_len, 0);
+	if (r < 0) {
+		crypt_safe_memzero(password, password_len);
+		free(password);
+		crypt_free(cd);
+		return r;
+	}
+
+	arguments->keyslot = r;
+
+	crypt_safe_memzero(password, password_len);
+	free(password);
+	crypt_free(cd);
+
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	int ret = 0;
+	struct arguments arguments = { 0 };
+	arguments.keyslot = CRYPT_ANY_SLOT;
+
+	setlocale(LC_ALL, "");
+	bindtextdomain(PACKAGE, LOCALEDIR);
+	textdomain(PACKAGE);
+
+	ret = argp_parse (&argp, argc, argv, 0, 0, &arguments);
+	if (ret != 0) {
+		printf(_("Failed to parse arguments.\n"));
+		return EXIT_FAILURE;
+	}
+
+	crypt_set_log_callback(NULL, _log, &arguments);
+	if (arguments.debug)
+		crypt_set_debug_level(CRYPT_DEBUG_ALL);
+	if (arguments.debug_json)
+		crypt_set_debug_level(CRYPT_DEBUG_JSON);
+
+	if (arguments.action == NULL) {
+		printf(_("An action must be specified\n"));
+		return EXIT_FAILURE;
+	}
+
+	if (strcmp("add", arguments.action) == 0) {
+		if (!arguments.device) {
+			printf(_("Device must be specified for '%s' action.\n"), arguments.action);
+			return EXIT_FAILURE;
+		}
+
+		if (!arguments.ssh_server) {
+			printf(_("SSH server must be specified for '%s' action.\n"), arguments.action);
+			return EXIT_FAILURE;
+		}
+
+		if (!arguments.ssh_user) {
+			printf(_("SSH user must be specified for '%s' action.\n"), arguments.action);
+			return EXIT_FAILURE;
+		}
+
+		if (!arguments.ssh_path) {
+			printf(_("SSH path must be specified for '%s' action.\n"), arguments.action);
+			return EXIT_FAILURE;
+		}
+
+		if (!arguments.ssh_keypath) {
+			printf(_("SSH key path must be specified for '%s' action.\n"), arguments.action);
+			return EXIT_FAILURE;
+		}
+
+		if (arguments.keyslot == CRYPT_ANY_SLOT) {
+			ret = get_keyslot_for_passphrase(&arguments, NULL);
+			if (ret != 0) {
+				printf(_("Failed open %s using provided credentials.\n"), arguments.device);
+				return EXIT_FAILURE;
+			}
+		}
+
+		ret = token_add(arguments.device,
+				arguments.ssh_server,
+				arguments.ssh_user,
+				arguments.ssh_path,
+				arguments.ssh_keypath,
+				arguments.keyslot);
+		if (ret < 0)
+			return EXIT_FAILURE;
+		else
+			return EXIT_SUCCESS;
+	} else {
+		printf(_("Only 'add' action is currently supported by this plugin.\n"));
+		return EXIT_FAILURE;
+	}
+}
diff --git a/tokens/ssh/libcryptsetup-token-ssh.c b/tokens/ssh/libcryptsetup-token-ssh.c
new file mode 100644
index 0000000..639b25d
--- /dev/null
+++ b/tokens/ssh/libcryptsetup-token-ssh.c
@@ -0,0 +1,193 @@
+/*
+ * Example of LUKS2 ssh token handler (EXPERIMENTAL)
+ *
+ * Copyright (C) 2016-2023 Milan Broz
+ * Copyright (C) 2020-2023 Vojtech Trefny
+ *
+ * Use:
+ *  - generate LUKS device
+ *  - store passphrase used in previous step remotely (single line w/o \r\n)
+ *  - add new token using this example
+ *  - activate device by token
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <json-c/json.h>
+#include "libcryptsetup.h"
+#include "ssh-utils.h"
+
+#define TOKEN_NAME "ssh"
+#define TOKEN_VERSION_MAJOR "1"
+#define TOKEN_VERSION_MINOR "0"
+
+#define SERVER_ARG	"plugin-ssh-server"
+#define USER_ARG	"plugin-ssh-user"
+#define PATH_ARG	"plugin-ssh-path"
+#define KEYPATH_ARG	"plugin-ssh-keypath"
+
+#define l_dbg(cd, x...) crypt_logf(cd, CRYPT_LOG_DEBUG, x)
+
+
+const char *cryptsetup_token_version(void);
+int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pin,
+	size_t pin_size, char **password, size_t *password_len, void *usrptr);
+int cryptsetup_token_open(struct crypt_device *cd, int token,
+	char **password, size_t *password_len, void *usrptr);
+void cryptsetup_token_dump(struct crypt_device *cd, const char *json);
+int cryptsetup_token_validate(struct crypt_device *cd, const char *json);
+
+
+const char *cryptsetup_token_version(void)
+{
+	return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR;
+}
+
+static json_object *get_token_jobj(struct crypt_device *cd, int token)
+{
+	const char *json_slot;
+
+	/* libcryptsetup API call */
+	if (crypt_token_json_get(cd, token, &json_slot))
+		return NULL;
+
+	return json_tokener_parse(json_slot);
+}
+
+int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pin,
+	size_t pin_size __attribute__((unused)), char **password, size_t *password_len,
+	void *usrptr __attribute__((unused)))
+{
+	int r;
+	json_object *jobj_server, *jobj_user, *jobj_path, *jobj_token, *jobj_keypath;
+	ssh_key pkey;
+	ssh_session ssh;
+
+	jobj_token = get_token_jobj(cd, token);
+	if (!jobj_token)
+		return -ENOMEM;
+
+	json_object_object_get_ex(jobj_token, "ssh_server", &jobj_server);
+	json_object_object_get_ex(jobj_token, "ssh_user",   &jobj_user);
+	json_object_object_get_ex(jobj_token, "ssh_path",   &jobj_path);
+	json_object_object_get_ex(jobj_token, "ssh_keypath",&jobj_keypath);
+
+	r = ssh_pki_import_privkey_file(json_object_get_string(jobj_keypath), pin, NULL, NULL, &pkey);
+	if (r != SSH_OK) {
+		json_object_put(jobj_token);
+		if (r == SSH_EOF) {
+			crypt_log(cd, CRYPT_LOG_ERROR, "Failed to open and import private key.\n");
+			return -EINVAL;
+		}
+		crypt_log(cd, CRYPT_LOG_ERROR, "Failed to import private key (password protected?).\n");
+		return -EAGAIN;
+	}
+
+	ssh = sshplugin_session_init(cd, json_object_get_string(jobj_server),
+				   json_object_get_string(jobj_user));
+	if (!ssh) {
+		json_object_put(jobj_token);
+		ssh_key_free(pkey);
+		return -EINVAL;
+	}
+
+	r = sshplugin_public_key_auth(cd, ssh, pkey);
+	ssh_key_free(pkey);
+
+	if (r == SSH_AUTH_SUCCESS)
+		r = sshplugin_download_password(cd, ssh, json_object_get_string(jobj_path),
+					      password, password_len);
+
+	ssh_disconnect(ssh);
+	ssh_free(ssh);
+	json_object_put(jobj_token);
+
+	return r ? -EINVAL : r;
+}
+
+int cryptsetup_token_open(struct crypt_device *cd, int token,
+	char **password, size_t *password_len, void *usrptr)
+{
+	return cryptsetup_token_open_pin(cd, token, NULL, 0, password, password_len, usrptr);
+}
+
+void cryptsetup_token_dump(struct crypt_device *cd, const char *json)
+{
+	json_object *jobj_token, *jobj_server, *jobj_user, *jobj_path, *jobj_keypath;
+	char buf[4096];
+
+	jobj_token = json_tokener_parse(json);
+	if (!jobj_token)
+		return;
+
+	json_object_object_get_ex(jobj_token, "ssh_server", &jobj_server);
+	json_object_object_get_ex(jobj_token, "ssh_user",   &jobj_user);
+	json_object_object_get_ex(jobj_token, "ssh_path",   &jobj_path);
+	json_object_object_get_ex(jobj_token, "ssh_keypath",&jobj_keypath);
+
+	if (snprintf(buf, sizeof(buf) - 1, "\tssh_server: %s\n\tssh_user: %s\n"
+	    "\tssh_path: %s\n\tssh_key_path: %s\n",
+	    json_object_get_string(jobj_server),
+	    json_object_get_string(jobj_user),
+	    json_object_get_string(jobj_path),
+	    json_object_get_string(jobj_keypath)) > 0)
+		crypt_log(cd, CRYPT_LOG_NORMAL, buf);
+
+	json_object_put(jobj_token);
+}
+
+int cryptsetup_token_validate(struct crypt_device *cd, const char *json)
+{
+	enum json_tokener_error jerr;
+	json_object *jobj_token, *jobj;
+	int r = -EINVAL;
+
+	jobj_token = json_tokener_parse_verbose(json, &jerr);
+	if (!jobj_token)
+		return -EINVAL;
+
+	if (!json_object_object_get_ex(jobj_token, "ssh_server", &jobj) ||
+	    !json_object_is_type(jobj, json_type_string)) {
+		l_dbg(cd, "ssh_server element is missing or not string.");
+		goto out;
+	}
+
+	if (!json_object_object_get_ex(jobj_token, "ssh_user", &jobj) ||
+	    !json_object_is_type(jobj, json_type_string)) {
+		l_dbg(cd, "ssh_user element is missing or not string.");
+		goto out;
+	}
+
+	if (!json_object_object_get_ex(jobj_token, "ssh_path", &jobj) ||
+	    !json_object_is_type(jobj, json_type_string)) {
+		l_dbg(cd, "ssh_path element is missing or not string.");
+		goto out;
+	}
+
+	if (!json_object_object_get_ex(jobj_token, "ssh_keypath", &jobj) ||
+	    !json_object_is_type(jobj, json_type_string)) {
+		l_dbg(cd, "ssh_keypath element is missing or not string.");
+		goto out;
+	}
+
+	r = 0;
+out:
+	json_object_put(jobj_token);
+	return r;
+}
diff --git a/tokens/ssh/ssh-utils.c b/tokens/ssh/ssh-utils.c
new file mode 100644
index 0000000..564d858
--- /dev/null
+++ b/tokens/ssh/ssh-utils.c
@@ -0,0 +1,177 @@
+/*
+ * ssh plugin utilities
+ *
+ * Copyright (C) 2016-2023 Milan Broz
+ * Copyright (C) 2020-2023 Vojtech Trefny
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <libssh/libssh.h>
+#include <libssh/sftp.h>
+#include <fcntl.h>
+#include <libcryptsetup.h>
+#include "ssh-utils.h"
+#include "../lib/nls.h"
+
+#define KEYFILE_LENGTH_MAX 8192
+
+int sshplugin_download_password(struct crypt_device *cd, ssh_session ssh,
+	const char *path, char **password, size_t *password_len)
+{
+	char *pass = NULL;
+	size_t pass_len;
+	int r;
+	sftp_attributes sftp_attr = NULL;
+	sftp_session sftp = NULL;
+	sftp_file file = NULL;
+
+	sftp = sftp_new(ssh);
+	if (!sftp) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot create sftp session: "));
+		r = SSH_FX_FAILURE;
+		goto out;
+	}
+
+	r = sftp_init(sftp);
+	if (r != SSH_OK) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot init sftp session: "));
+		goto out;
+	}
+
+	file = sftp_open(sftp, path, O_RDONLY, 0);
+	if (!file) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot open sftp session: "));
+		r = SSH_FX_FAILURE;
+		goto out;
+	}
+
+	sftp_attr = sftp_fstat(file);
+	if (!sftp_attr) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot stat sftp file: "));
+		r = SSH_FX_FAILURE;
+		goto out;
+	}
+
+	pass_len = sftp_attr->size > KEYFILE_LENGTH_MAX ? KEYFILE_LENGTH_MAX : sftp_attr->size;
+	pass = malloc(pass_len);
+	if (!pass) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Not enough memory.\n"));
+		r = SSH_FX_FAILURE;
+		goto out;
+	}
+
+	r = sftp_read(file, pass, pass_len);
+	if (r < 0 || (size_t)r != pass_len) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot read remote key: "));
+		r = SSH_FX_FAILURE;
+		goto out;
+	}
+
+	*password = pass;
+	*password_len = pass_len;
+
+	r = SSH_OK;
+out:
+	if (r != SSH_OK) {
+		crypt_log(cd, CRYPT_LOG_ERROR, ssh_get_error(ssh));
+		crypt_log(cd, CRYPT_LOG_ERROR, "\n");
+		free(pass);
+	}
+
+	if (sftp_attr)
+		sftp_attributes_free(sftp_attr);
+
+	if (file)
+		sftp_close(file);
+	if (sftp)
+		sftp_free(sftp);
+	return r == SSH_OK ? 0 : -EINVAL;
+}
+
+ssh_session sshplugin_session_init(struct crypt_device *cd, const char *host, const char *user)
+{
+	int r, port = 22;
+	ssh_session ssh = ssh_new();
+	if (!ssh)
+		return NULL;
+
+	ssh_options_set(ssh, SSH_OPTIONS_HOST, host);
+	ssh_options_set(ssh, SSH_OPTIONS_USER, user);
+	ssh_options_set(ssh, SSH_OPTIONS_PORT, &port);
+
+	crypt_log(cd, CRYPT_LOG_NORMAL, "SSH token initiating ssh session.\n");
+
+	r = ssh_connect(ssh);
+	if (r != SSH_OK) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Connection failed: "));
+		goto out;
+	}
+
+#if HAVE_DECL_SSH_SESSION_IS_KNOWN_SERVER
+	r = ssh_session_is_known_server(ssh);
+#else
+	r = ssh_is_server_known(ssh);
+#endif
+	if (r != SSH_SERVER_KNOWN_OK) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Server not known: "));
+		r = SSH_AUTH_ERROR;
+		goto out;
+	}
+
+	r = SSH_OK;
+
+	/* initialise list of authentication methods. yes, according to official libssh docs... */
+	ssh_userauth_none(ssh, NULL);
+out:
+	if (r != SSH_OK) {
+		crypt_log(cd, CRYPT_LOG_ERROR, ssh_get_error(ssh));
+		crypt_log(cd, CRYPT_LOG_ERROR, "\n");
+		ssh_disconnect(ssh);
+		ssh_free(ssh);
+		ssh = NULL;
+	}
+
+	return ssh;
+}
+
+int sshplugin_public_key_auth(struct crypt_device *cd, ssh_session ssh, const ssh_key pkey)
+{
+	int r;
+
+	crypt_log(cd, CRYPT_LOG_DEBUG, "Trying public key authentication method.\n");
+
+	if (!(ssh_userauth_list(ssh, NULL) & SSH_AUTH_METHOD_PUBLICKEY)) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Public key auth method not allowed on host.\n"));
+		return SSH_AUTH_ERROR;
+	}
+
+	r = ssh_userauth_try_publickey(ssh, NULL, pkey);
+	if (r == SSH_AUTH_SUCCESS) {
+		crypt_log(cd, CRYPT_LOG_DEBUG, "Public key method accepted.\n");
+		r = ssh_userauth_publickey(ssh, NULL, pkey);
+	}
+
+	if (r != SSH_AUTH_SUCCESS) {
+		crypt_log(cd, CRYPT_LOG_ERROR, _("Public key authentication error: "));
+		crypt_log(cd, CRYPT_LOG_ERROR, ssh_get_error(ssh));
+		crypt_log(cd, CRYPT_LOG_ERROR, "\n");
+	}
+
+	return r;
+}
diff --git a/tokens/ssh/ssh-utils.h b/tokens/ssh/ssh-utils.h
new file mode 100644
index 0000000..a491275
--- /dev/null
+++ b/tokens/ssh/ssh-utils.h
@@ -0,0 +1,29 @@
+/*
+ * ssh plugin utilities
+ *
+ * Copyright (C) 2016-2023 Milan Broz
+ * Copyright (C) 2020-2023 Vojtech Trefny
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <libssh/libssh.h>
+#include <libssh/sftp.h>
+#include <libcryptsetup.h>
+
+int sshplugin_download_password(struct crypt_device *cd, ssh_session ssh,
+	const char *path, char **password, size_t *password_len);
+ssh_session sshplugin_session_init(struct crypt_device *cd, const char *host, const char *user);
+int sshplugin_public_key_auth(struct crypt_device *cd, ssh_session ssh, const ssh_key pkey);