when acting as a CA and using a security key as the CA key, remind the

user to touch they key to authorise the signature.
author: djm <djm@openbsd.org> 2019-12-10 22:37:20 +0000
committer: djm <djm@openbsd.org> 2019-12-10 22:37:20 +0000
commit: f996efd1b2f66d3ac7be6c6d8554c071608b53ea (patch)
tree: 7233ac3a89eeb0c0dc24e972b599c358ba0a2460 /usr.bin/ssh/ssh-keygen.c
parent: chop some unnecessary and confusing verbiage from the security key (diff)
download: wireguard-openbsd-f996efd1b2f66d3ac7be6c6d8554c071608b53ea.tar.xz
wireguard-openbsd-f996efd1b2f66d3ac7be6c6d8554c071608b53ea.zip
1 files changed, 16 insertions, 4 deletions
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 28e7240c1cd..22f359ef736 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.373 2019/11/25 00:57:27 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1715,10 +1715,12 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 	int r, i, fd, found, agent_fd = -1;
 	u_int n;
 	struct sshkey *ca, *public;
-	char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
+	char valid[64], *otmp, *tmp, *cp, *out, *comment;
+	char *ca_fp = NULL, **plist = NULL;
 	FILE *f;
 	struct ssh_identitylist *agent_ids;
 	size_t j;
+	struct notifier_ctx *notifier = NULL;
 
 #ifdef ENABLE_PKCS11
 	pkcs11_init(1);
@@ -1764,6 +1766,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 		fatal("CA key type %s doesn't match specified %s",
 		    sshkey_ssh_name(ca), key_type_name);
 	}
+	ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT);
 
 	for (i = 0; i < argc; i++) {
 		/* Split list of principals */
@@ -1814,8 +1817,16 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 				fatal("Couldn't certify key %s via agent: %s",
 				    tmp, ssh_err(r));
 		} else {
-			if ((r = sshkey_certify(public, ca, key_type_name,
-			    sk_provider)) != 0)
+			if (sshkey_is_sk(ca) &&
+			    (ca->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+				notifier = notify_start(0,
+				    "Confirm user presence for key %s %s",
+				    sshkey_type(ca), ca_fp);
+			}
+			r = sshkey_certify(public, ca, key_type_name,
+			    sk_provider);
+			notify_complete(notifier);
+			if (r != 0)
 				fatal("Couldn't certify key %s: %s",
 				    tmp, ssh_err(r));
 		}
@@ -1853,6 +1864,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 		if (cert_serial_autoinc)
 			cert_serial++;
 	}
+	free(ca_fp);
 #ifdef ENABLE_PKCS11
 	pkcs11_terminate();
 #endif
author	djm <djm@openbsd.org>	2019-12-10 22:37:20 +0000
committer	djm <djm@openbsd.org>	2019-12-10 22:37:20 +0000
commit	f996efd1b2f66d3ac7be6c6d8554c071608b53ea (patch)
tree	7233ac3a89eeb0c0dc24e972b599c358ba0a2460 /usr.bin/ssh/ssh-keygen.c
parent	chop some unnecessary and confusing verbiage from the security key (diff)
download	wireguard-openbsd-f996efd1b2f66d3ac7be6c6d8554c071608b53ea.tar.xz wireguard-openbsd-f996efd1b2f66d3ac7be6c6d8554c071608b53ea.zip