authordjm <djm@openbsd.org>2019-11-25 00:54:23 +0000
committerdjm <djm@openbsd.org>2019-11-25 00:54:23 +0000
commit6e27da753e65fa3a7c4c987b29c4bf02d1801c48 (patch)
tree545cf55155d3bd7e24541a14225126da86cc5585 /usr.bin/ssh/ssh-keygen.c
parentAdd a sshd_config PubkeyAuthOptions directive (diff)
add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus
Diffstat (limited to 'usr.bin/ssh/ssh-keygen.c')
-rw-r--r--usr.bin/ssh/ssh-keygen.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index fde77f6ab93..7d374362a22 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.370 2019/11/25 00:51:37 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -114,11 +114,12 @@ static u_int64_t cert_valid_from = 0;
static u_int64_t cert_valid_to = ~0ULL;
/* Certificate options */
-#define CERTOPT_X_FWD (1)
-#define CERTOPT_AGENT_FWD (1<<1)
-#define CERTOPT_PORT_FWD (1<<2)
-#define CERTOPT_PTY (1<<3)
-#define CERTOPT_USER_RC (1<<4)
+#define CERTOPT_X_FWD (1)
+#define CERTOPT_AGENT_FWD (1<<1)
+#define CERTOPT_PORT_FWD (1<<2)
+#define CERTOPT_PTY (1<<3)
+#define CERTOPT_USER_RC (1<<4)
+#define CERTOPT_NO_REQUIRE_USER_PRESENCE (1<<5)
#define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \
CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC)
static u_int32_t certflags_flags = CERTOPT_DEFAULT;
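Review bot: CERTOPT_NO_REQUIRE_USER_PRESENCE has the opposite sense to the five flags defined above it, since setting the bit removes a verification requirement rather than granting a permission, and nothing in the define block says so. CERTOPT_DEFAULT leaves it out, so certificates keep requiring touch unless the signer opts out explicitly. A short comment above the new define would keep a later edit from folding it into the default mask, for example `/* Relaxes signature verification; must never be part of CERTOPT_DEFAULT */`.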
@@ -1646,6 +1647,9 @@ prepare_options_buf(struct sshbuf *c, int which)
(certflags_flags & CERTOPT_USER_RC) != 0)
add_flag_option(c, "permit-user-rc");
if ((which & OPTIONS_CRITICAL) != 0 &&
+ (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
+ add_flag_option(c, "no-touch-required");
+ if ((which & OPTIONS_CRITICAL) != 0 &&
certflags_src_addr != NULL)
add_string_option(c, "source-address", certflags_src_addr);
for (i = 0; i < ncert_userext; i++) {
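Review bot: The new `no-touch-required` flag is emitted under the `OPTIONS_CRITICAL` test, because the context `if` line now pairs with the added `certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE` check. The show_options hunk further down adds the same name next to the `permit-*` names, in the branch that precedes `else if (in_critical && ...`, which appears to be the extensions list. As written, the certificate would carry it as a critical option that this file's own printer does not recognise as one, and a verifier that does not know a critical option would normally refuse the certificate. If it is meant to be an extension like the `permit-*` flags, the guard should read `if ((which & OPTIONS_EXTENSIONS) != 0 &&`; if it is meant to be critical, the show_options entry belongs in the `in_critical` branch instead. prepare_options_buf starts and ends outside the hunk, and `OPTIONS_EXTENSIONS` is not visible in it.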
@@ -1947,6 +1951,10 @@ add_cert_option(char *opt)
certflags_flags &= ~CERTOPT_USER_RC;
else if (strcasecmp(opt, "permit-user-rc") == 0)
certflags_flags |= CERTOPT_USER_RC;
+ else if (strcasecmp(opt, "touch-required") == 0)
+ certflags_flags &= ~CERTOPT_NO_REQUIRE_USER_PRESENCE;
+ else if (strcasecmp(opt, "no-touch-required") == 0)
+ certflags_flags |= CERTOPT_NO_REQUIRE_USER_PRESENCE;
else if (strncasecmp(opt, "force-command=", 14) == 0) {
val = opt + 14;
if (*val == '\0')
@@ -2000,9 +2008,10 @@ show_options(struct sshbuf *optbuf, int in_critical)
strcmp(name, "permit-agent-forwarding") == 0 ||
strcmp(name, "permit-port-forwarding") == 0 ||
strcmp(name, "permit-pty") == 0 ||
- strcmp(name, "permit-user-rc") == 0))
+ strcmp(name, "permit-user-rc") == 0 ||
+ strcmp(name, "no-touch-required") == 0)) {
printf("\n");
- else if (in_critical &&
+ } else if (in_critical &&
(strcmp(name, "force-command") == 0 ||
strcmp(name, "source-address") == 0)) {
if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)