diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:08:45 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
| commit | 0caff05350bd5fc635674c9e051a0322faba5ae3 (patch) | |
| tree | 971d44e6f922a89746ae7b1453dda4223f9b76f8 | |
| parent | b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (diff) | |
upstream: Request PIN ahead of time for certain FIDO actions
When we know that a particular action will require a PIN, such as
downloading resident keys or generating a verify-required key, request
the PIN before attempting it.
joint work with Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727
| -rw-r--r-- | ssh-keygen.1 | 4 | ||||
| -rw-r--r-- | ssh-keygen.c | 38 |
2 files changed, 23 insertions, 19 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 7e0558fe1..e18fcde01 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: ssh-keygen.1,v 1.206 2020/08/27 01:06:18 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.207 2020/08/27 01:08:45 djm Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -382,6 +382,8 @@ The default import format is | |||
| 382 | Download resident keys from a FIDO authenticator. | 382 | Download resident keys from a FIDO authenticator. |
| 383 | Public and private key files will be written to the current directory for | 383 | Public and private key files will be written to the current directory for |
| 384 | each downloaded key. | 384 | each downloaded key. |
| 385 | If multiple FIDO authenticators are attached, keys will be downloaded from | ||
| 386 | the first touched authenticator. | ||
| 385 | .It Fl k | 387 | .It Fl k |
| 386 | Generate a KRL file. | 388 | Generate a KRL file. |
| 387 | In this mode, | 389 | In this mode, |
diff --git a/ssh-keygen.c b/ssh-keygen.c index 1d6234c1c..664724276 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.417 2020/08/27 01:07:51 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.418 2020/08/27 01:08:45 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -2984,20 +2984,17 @@ do_download_sk(const char *skprovider, const char *device) | |||
| 2984 | if (skprovider == NULL) | 2984 | if (skprovider == NULL) |
| 2985 | fatal("Cannot download keys without provider"); | 2985 | fatal("Cannot download keys without provider"); |
| 2986 | 2986 | ||
| 2987 | for (i = 0; i < 2; i++) { | 2987 | pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); |
| 2988 | if (i == 1) { | 2988 | if (!quiet) { |
| 2989 | pin = read_passphrase("Enter PIN for authenticator: ", | 2989 | printf("You may need to touch your authenticator " |
| 2990 | RP_ALLOW_STDIN); | 2990 | "to authorize key download.\n"); |
| 2991 | } | 2991 | } |
| 2992 | if ((r = sshsk_load_resident(skprovider, device, pin, | 2992 | if ((r = sshsk_load_resident(skprovider, device, pin, |
| 2993 | &keys, &nkeys)) != 0) { | 2993 | &keys, &nkeys)) != 0) { |
| 2994 | if (i == 0 && r == SSH_ERR_KEY_WRONG_PASSPHRASE) | 2994 | if (pin != NULL) |
| 2995 | continue; | 2995 | freezero(pin, strlen(pin)); |
| 2996 | if (pin != NULL) | 2996 | error("Unable to load resident keys: %s", ssh_err(r)); |
| 2997 | freezero(pin, strlen(pin)); | 2997 | return -1; |
| 2998 | error("Unable to load resident keys: %s", ssh_err(r)); | ||
| 2999 | return -1; | ||
| 3000 | } | ||
| 3001 | } | 2998 | } |
| 3002 | if (nkeys == 0) | 2999 | if (nkeys == 0) |
| 3003 | logit("No keys to download"); | 3000 | logit("No keys to download"); |
| @@ -3609,9 +3606,15 @@ main(int argc, char **argv) | |||
| 3609 | printf("You may need to touch your authenticator " | 3606 | printf("You may need to touch your authenticator " |
| 3610 | "to authorize key generation.\n"); | 3607 | "to authorize key generation.\n"); |
| 3611 | } | 3608 | } |
| 3612 | passphrase = NULL; | ||
| 3613 | if ((attest = sshbuf_new()) == NULL) | 3609 | if ((attest = sshbuf_new()) == NULL) |
| 3614 | fatal("sshbuf_new failed"); | 3610 | fatal("sshbuf_new failed"); |
| 3611 | if ((sk_flags & | ||
| 3612 | (SSH_SK_USER_VERIFICATION_REQD|SSH_SK_RESIDENT_KEY))) { | ||
| 3613 | passphrase = read_passphrase("Enter PIN for " | ||
| 3614 | "authenticator: ", RP_ALLOW_STDIN); | ||
| 3615 | } else { | ||
| 3616 | passphrase = NULL; | ||
| 3617 | } | ||
| 3615 | for (i = 0 ; ; i++) { | 3618 | for (i = 0 ; ; i++) { |
| 3616 | fflush(stdout); | 3619 | fflush(stdout); |
| 3617 | r = sshsk_enroll(type, sk_provider, sk_device, | 3620 | r = sshsk_enroll(type, sk_provider, sk_device, |
| @@ -3622,9 +3625,8 @@ main(int argc, char **argv) | |||
| 3622 | break; | 3625 | break; |
| 3623 | if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) | 3626 | if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) |
| 3624 | fatal("Key enrollment failed: %s", ssh_err(r)); | 3627 | fatal("Key enrollment failed: %s", ssh_err(r)); |
| 3625 | else if (i > 0) | 3628 | else if (passphrase != NULL) { |
| 3626 | error("PIN incorrect"); | 3629 | error("PIN incorrect"); |
| 3627 | if (passphrase != NULL) { | ||
| 3628 | freezero(passphrase, strlen(passphrase)); | 3630 | freezero(passphrase, strlen(passphrase)); |
| 3629 | passphrase = NULL; | 3631 | passphrase = NULL; |
| 3630 | } | 3632 | } |