authordjm <djm@openbsd.org>2020-08-27 01:06:18 +0000
committerdjm <djm@openbsd.org>2020-08-27 01:06:18 +0000
commit1f63d3c42be16452c97f44894c80b18dc54f3611 (patch)
tree387ab4ad5c3dd6225a7cdf9b2934148a670872ad /usr.bin/ssh/sshconnect2.c
parentImprove detection of the proper boot device by picking the disk that (diff)
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@
Diffstat (limited to 'usr.bin/ssh/sshconnect2.c')
-rw-r--r--usr.bin/ssh/sshconnect2.c37
1 files changed, 24 insertions, 13 deletions
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 3a263ded2a4..de5b862713b 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.324 2020/06/27 13:39:09 bket Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.325 2020/08/27 01:06:18 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1168,7 +1168,7 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
struct sshkey *sign_key = NULL, *prv = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
struct notifier_ctx *notifier = NULL;
- char *fp = NULL;
+ char *fp = NULL, *pin = NULL, *prompt = NULL;
*sigp = NULL;
*lenp = 0;
@@ -1197,20 +1197,28 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
goto out;
}
sign_key = prv;
- if (sshkey_is_sk(sign_key) &&
- (sign_key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
- /* XXX match batch mode should just skip these keys? */
- if ((fp = sshkey_fingerprint(sign_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
- fatal("%s: sshkey_fingerprint", __func__);
- notifier = notify_start(options.batch_mode,
- "Confirm user presence for key %s %s",
- sshkey_type(sign_key), fp);
- free(fp);
+ if (sshkey_is_sk(sign_key)) {
+ if ((sign_key->sk_flags &
+ SSH_SK_USER_VERIFICATION_REQD)) {
+ xasprintf(&prompt, "Enter PIN for %s key %s: ",
+ sshkey_type(sign_key), id->filename);
+ pin = read_passphrase(prompt, 0);
+ }
+ if ((sign_key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+ /* XXX should batch mode just skip these? */
+ if ((fp = sshkey_fingerprint(sign_key,
+ options.fingerprint_hash,
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: fingerprint", __func__);
+ notifier = notify_start(options.batch_mode,
+ "Confirm user presence for key %s %s",
+ sshkey_type(sign_key), fp);
+ free(fp);
+ }
}
}
if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen,
- alg, options.sk_provider, compat)) != 0) {
+ alg, options.sk_provider, pin, compat)) != 0) {
debug("%s: sshkey_sign: %s", __func__, ssh_err(r));
goto out;
}
@@ -1225,6 +1233,9 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
/* success */
r = 0;
out:
+ free(prompt);
+ if (pin != NULL)
+ freezero(pin, strlen(pin));
notify_complete(notifier);
sshkey_free(prv);
return r;