author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:08:45 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
commit | 0caff05350bd5fc635674c9e051a0322faba5ae3 (patch) | |
tree | 971d44e6f922a89746ae7b1453dda4223f9b76f8 | |
parent | b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (diff) |
upstream: Request PIN ahead of time for certain FIDO actions
When we know that a particular action will require a PIN, such as
downloading resident keys or generating a verify-required key, request
the PIN before attempting it.
joint work with Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727
-rw-r--r-- | ssh-keygen.1 | 4 | ||||
-rw-r--r-- | ssh-keygen.c | 38 |
2 files changed, 23 insertions, 19 deletions
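--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.206 2020/08/27 01:06:18 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.207 2020/08/27 01:08:45 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -382,6 +382,8 @@ The default import format is
 Download resident keys from a FIDO authenticator.
 Public and private key files will be written to the current directory for
 each downloaded key.
+If multiple FIDO authenticators are attached, keys will be downloaded from
+the first touched authenticator.
 .It Fl k
 Generate a KRL file.
 In this mode,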
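--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.417 2020/08/27 01:07:51 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.418 2020/08/27 01:08:45 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2984,20 +2984,17 @@ do_download_sk(const char *skprovider, const char *device)
 if (skprovider == NULL)
 fatal("Cannot download keys without provider");
 
-for (i = 0; i < 2; i++) {
-if (i == 1) {
-pin = read_passphrase("Enter PIN for authenticator: ",
-RP_ALLOW_STDIN);
-}
-if ((r = sshsk_load_resident(skprovider, device, pin,
-&keys, &nkeys)) != 0) {
-if (i == 0 && r == SSH_ERR_KEY_WRONG_PASSPHRASE)
-continue;
-if (pin != NULL)
-freezero(pin, strlen(pin));
-error("Unable to load resident keys: %s", ssh_err(r));
-return -1;
-}
-}
+pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+if (!quiet) {
+printf("You may need to touch your authenticator "
+"to authorize key download.\n");
+}
+if ((r = sshsk_load_resident(skprovider, device, pin,
+&keys, &nkeys)) != 0) {
+if (pin != NULL)
+freezero(pin, strlen(pin));
+error("Unable to load resident keys: %s", ssh_err(r));
+return -1;
+}
 }
 if (nkeys == 0)
 logit("No keys to download");
@@ -3609,9 +3606,15 @@ main(int argc, char **argv)
 printf("You may need to touch your authenticator "
 "to authorize key generation.\n");
 }
-passphrase = NULL;
 if ((attest = sshbuf_new()) == NULL)
 fatal("sshbuf_new failed");
+if ((sk_flags &
+(SSH_SK_USER_VERIFICATION_REQD|SSH_SK_RESIDENT_KEY))) {
+passphrase = read_passphrase("Enter PIN for "
+"authenticator: ", RP_ALLOW_STDIN);
+} else {
+passphrase = NULL;
+}
 for (i = 0 ; ; i++) {
 fflush(stdout);
 r = sshsk_enroll(type, sk_provider, sk_device,
@@ -3622,9 +3625,8 @@ main(int argc, char **argv)
 break;
 if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
 fatal("Key enrollment failed: %s", ssh_err(r));
-else if (i > 0)
+else if (passphrase != NULL) {
 error("PIN incorrect");
-if (passphrase != NULL) {
 freezero(passphrase, strlen(passphrase));
 passphrase = NULL;
 }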
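Review bot: In do_download_sk (hunk at -2984) a mistyped PIN now falls through to the generic `error("Unable to load resident keys: %s", ssh_err(r))` and `return -1`, while the enrollment path in main (hunk at -3622) distinguishes `SSH_ERR_KEY_WRONG_PASSPHRASE`, reports `PIN incorrect` and loops to re-prompt. With the old two-pass loop gone, the download path should at least name the cause so the user knows the PIN, not the device or provider, was the problem: `if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) error("PIN incorrect"); else error("Unable to load resident keys: %s", ssh_err(r));`. Each wrong PIN submitted to a FIDO2 authenticator consumes one of its limited retries before lockout, which is why a clear message (or a bounded re-prompt like main's loop) matters here rather than a silent generic failure. Both do_download_sk and main start and end outside these hunks; the success-path release of `pin` after sshsk_load_resident and of `passphrase` after the enroll loop is not visible and presumably still uses `freezero` — worth confirming.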