author | djm <djm@openbsd.org> | 2020-08-27 01:07:09 +0000 |
---|---|---|
committer | djm <djm@openbsd.org> | 2020-08-27 01:07:09 +0000 |
commit | 869858c29eb2d133b803b55813e6fa18354a0bb5 (patch) | |
tree | b9fbae89988746fdd8980f2782421980ed154113 /usr.bin/ssh/sshd_config.5 | |
parent | support for user-verified FIDO keys (diff) | |
support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.
feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/sshd_config.5')
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 970add8e240..2ba1c23e1b7 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.312 2020/05/29 05:37:03 djm Exp $ -.Dd $Mdocdate: May 29 2020 $ +.\" $OpenBSD: sshd_config.5,v 1.313 2020/08/27 01:07:10 djm Exp $ +.Dd $Mdocdate: August 27 2020 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1478,11 +1478,12 @@ The list of available key types may also be obtained using .Qq ssh -Q PubkeyAcceptedKeyTypes . .It Cm PubkeyAuthOptions Sets one or more public key authentication options. -Two option keywords are currently supported: +The supported keywords are: .Cm none -(the default; indicating no additional options are enabled) +(the default; indicating no additional options are enabled), +.Cm touch-required and -.Cm touch-required . +.Cm verify-required . .Pp The .Cm touch-required @@ -1499,7 +1500,17 @@ requires user presence unless overridden with an authorized_keys option. The .Cm touch-required flag disables this override. -This option has no effect for other, non-authenticator public key types. +.Pp +The +.Cm verify-required +option requires a FIDO key signature attest that verified the user, e.g. +via a PIN. +.Pp +Neither the +.Cm touch-required +or +.Cm verify-required +options have any effect for other, non-FIDO public key types. .It Cm PubkeyAuthentication Specifies whether public key authentication is allowed. The default is |
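Review bot: in the third hunk (@@ -1499,7 +1500,17 @@) the new `.Cm verify-required` paragraph is ungrammatical and leaves out the one thing an administrator needs to know, namely how the sshd_config option relates to the new "verify-required" authorized_keys flag that the commit message says this change adds. The `.Cm touch-required` text just above it explains that user presence is required "unless overridden with an authorized_keys option" and that the flag "disables this override"; the `.Cm verify-required` paragraph should state the corresponding rule (whether the sshd_config option forces verification even for keys whose authorized_keys entry lacks the flag, or whether either location suffices), otherwise readers will assume the two options behave identically. Suggested wording for the added sentence: "option requires that a FIDO key signature attest that the user was verified, e.g. via a PIN." The closing paragraph should also read "Neither the `.Cm touch-required` nor `.Cm verify-required` option has any effect for other, non-FIDO public key types." ("neither ... nor", singular "option has"), rather than "Neither the ... or ... options have".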