diff options
| author |   djm <djm@openbsd.org> | 2020-08-27 01:07:09 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2020-08-27 01:07:09 +0000 |
| commit | 869858c29eb2d133b803b55813e6fa18354a0bb5 (patch) | |
| tree | b9fbae89988746fdd8980f2782421980ed154113 /usr.bin/ssh/auth.c | |
| parent | support for user-verified FIDO keys (diff) | |
| download | wireguard-openbsd-869858c29eb2d133b803b55813e6fa18354a0bb5.tar.xz wireguard-openbsd-869858c29eb2d133b803b55813e6fa18354a0bb5.zip | |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.
feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/auth.c')
| -rw-r--r-- | usr.bin/ssh/auth.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c index 3e567498c0f..8be8b4f3d65 100644 --- a/usr.bin/ssh/auth.c +++ b/usr.bin/ssh/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.146 2020/01/31 22:42:45 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.147 2020/08/27 01:07:09 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -885,21 +885,22 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) snprintf(buf, sizeof(buf), "%d", opts->force_tun_device); /* Try to keep this alphabetically sorted */ - snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s", + snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s", opts->permit_agent_forwarding_flag ? " agent-forwarding" : "", opts->force_command == NULL ? "" : " command", do_env ? " environment" : "", opts->valid_before == 0 ? "" : "expires", + opts->no_require_user_presence ? " no-touch-required" : "", do_permitopen ? " permitopen" : "", do_permitlisten ? " permitlisten" : "", opts->permit_port_forwarding_flag ? " port-forwarding" : "", opts->cert_principals == NULL ? "" : " principals", opts->permit_pty_flag ? " pty" : "", + opts->require_verify ? " uv" : "", opts->force_tun_device == -1 ? "" : " tun=", opts->force_tun_device == -1 ? "" : buf, opts->permit_user_rc ? " user-rc" : "", - opts->permit_x11_forwarding_flag ? " x11-forwarding" : "", - opts->no_require_user_presence ? " no-touch-required" : ""); + opts->permit_x11_forwarding_flag ? " x11-forwarding" : ""); debug("%s: %s", loc, msg); if (do_remote) |