authordjm <djm@openbsd.org>2019-11-25 00:54:23 +0000
committerdjm <djm@openbsd.org>2019-11-25 00:54:23 +0000
commit6e27da753e65fa3a7c4c987b29c4bf02d1801c48 (patch)
tree545cf55155d3bd7e24541a14225126da86cc5585 /usr.bin/ssh/auth.c
parentAdd a sshd_config PubkeyAuthOptions directive (diff)
add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus
Diffstat (limited to 'usr.bin/ssh/auth.c')
-rw-r--r--usr.bin/ssh/auth.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index e2c2cc77534..c696b8759d1 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.142 2019/10/16 06:05:39 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.143 2019/11/25 00:54:23 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -884,7 +884,7 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
/* Try to keep this alphabetically sorted */
- snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s",
+ snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
opts->force_command == NULL ? "" : " command",
do_env ? " environment" : "",
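Review bot: The count of `%s` in the format string is maintained by hand and has to match the argument list exactly, and here the specifier is added in this hunk while its argument is added in the next one. A mismatch in this variadic call would be undefined behaviour. The arguments between the two hunks are not shown, so the total of fourteen cannot be confirmed from the page. I would add a short reminder above the call, for example `/* one %s per argument below; update both together */`, and rely on a build with `-Wformat` to catch drift.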
@@ -897,7 +897,8 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
opts->force_tun_device == -1 ? "" : " tun=",
opts->force_tun_device == -1 ? "" : buf,
opts->permit_user_rc ? " user-rc" : "",
- opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
+ opts->permit_x11_forwarding_flag ? " x11-forwarding" : "",
+ opts->no_require_user_presence ? " no-touch-required" : "");
debug("%s: %s", loc, msg);
if (do_remote)
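Review bot: The new `opts->no_require_user_presence ? " no-touch-required" : ""` argument is appended after the x11-forwarding entry, although the comment earlier in this function asks to keep the list alphabetically sorted. This option removes the touch (user-presence) requirement for security-key signatures, so it is one a reviewer of these logs will look for, and a predictable position helps. I would move it to its sorted slot, which appears to be after the `" environment"` entry shown in the previous hunk; the entries between the two hunks are not visible, so the exact position needs confirming. The function body continues past `if (do_remote)`, outside this hunk.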