author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 03:28:41 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-12-30 14:32:20 +1100 |
commit | 1e645fe767f27725dc7fd7864526de34683f7daf (patch) | |
tree | 61d4230dba514a5a560522c97e424cee60b33156 | |
parent | 20ccd854245c598e2b47cc9f8d4955d645195055 (diff) |
upstream: prepare for use of ssh-keygen -O flag beyond certs
Move list of available certificate options in ssh-keygen.1 to the
CERTIFICATES section.
Collect options specified by -O but delay parsing/validation of
certificate options until we're sure that we're acting as a CA.
ok markus@
OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
-rw-r--r-- | ssh-keygen.1 | 188 | ||||
-rw-r--r-- | ssh-keygen.c | 11 |
2 files changed, 101 insertions, 98 deletions
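--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 27 2019 $
+.Dd $Mdocdate: December 30 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -458,97 +458,10 @@ Please see the
 section for details.
 .It Fl O Ar option
 Specify a certificate option when signing a key.
-This option may be specified multiple times.
-See also the
+See the
 .Sx CERTIFICATES
-section for further details.
-.Pp
-At present, no standard options are valid for host keys.
-The options that are valid for user certificates are:
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic clear
-Clear all enabled permissions.
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.Pp
-.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
-.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
-Includes an arbitrary certificate critical option or extension.
-The specified
-.Ar name
-should include a domain suffix, e.g.\&
-.Dq name@example.com .
-If
-.Ar contents
-is specified then it is included as the contents of the extension/option
-encoded as a string, otherwise the extension/option is created with no
-contents (usually indicating a flag).
-Extensions may be ignored by a client or server that does not recognise them,
-whereas unknown critical options will cause the certificate to be refused.
-.Pp
-.It Ic force-command Ns = Ns Ar command
-Forces the execution of
-.Ar command
-instead of any shell or command specified by the user when
-the certificate is used for authentication.
-.Pp
-.It Ic no-agent-forwarding
-Disable
-.Xr ssh-agent 1
-forwarding (permitted by default).
-.Pp
-.It Ic no-port-forwarding
-Disable port forwarding (permitted by default).
-.Pp
-.It Ic no-pty
-Disable PTY allocation (permitted by default).
-.Pp
-.It Ic no-user-rc
-Disable execution of
-.Pa ~/.ssh/rc
-by
-.Xr sshd 8
-(permitted by default).
-.Pp
-.It Ic no-x11-forwarding
-Disable X11 forwarding (permitted by default).
-.Pp
-.It Ic permit-agent-forwarding
-Allows
-.Xr ssh-agent 1
-forwarding.
-.Pp
-.It Ic permit-port-forwarding
-Allows port forwarding.
-.Pp
-.It Ic permit-pty
-Allows PTY allocation.
-.Pp
-.It Ic permit-user-rc
-Allows execution of
-.Pa ~/.ssh/rc
-by
-.Xr sshd 8 .
-.Pp
-.It Ic permit-X11-forwarding
-Allows X11 forwarding.
-.Pp
-.It Ic no-touch-required
-Do not require signatures made using this key require demonstration
-of user presence (e.g. by having the user touch the key).
-This option only makes sense for the FIDO authenticator algorithms
-.Cm ecdsa-sk
-and
-.Cm ed25519-sk .
-.Pp
-.It Ic source-address Ns = Ns Ar address_list
-Restrict the source addresses from which the certificate is considered valid.
-The
-.Ar address_list
-is a comma-separated list of one or more address/netmask pairs in CIDR
-format.
-.El
+section for a list of available certificate options.
+This option may be specified multiple times.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
@@ -899,9 +812,94 @@ be specified through certificate options.
 A certificate option may disable features of the SSH session, may be
 valid only when presented from particular source addresses or may
 force the use of a specific command.
-For a list of valid certificate options, see the documentation for the
-.Fl O
-option above.
+.Pp
+The options that are valid for user certificates are:
+.Pp
+.Bl -tag -width Ds -compact
+.It Ic clear
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.Pp
+.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
+.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
+Includes an arbitrary certificate critical option or extension.
+The specified
+.Ar name
+should include a domain suffix, e.g.\&
+.Dq name@example.com .
+If
+.Ar contents
+is specified then it is included as the contents of the extension/option
+encoded as a string, otherwise the extension/option is created with no
+contents (usually indicating a flag).
+Extensions may be ignored by a client or server that does not recognise them,
+whereas unknown critical options will cause the certificate to be refused.
+.Pp
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
+.Pp
+.It Ic no-agent-forwarding
+Disable
+.Xr ssh-agent 1
+forwarding (permitted by default).
+.Pp
+.It Ic no-port-forwarding
+Disable port forwarding (permitted by default).
+.Pp
+.It Ic no-pty
+Disable PTY allocation (permitted by default).
+.Pp
+.It Ic no-user-rc
+Disable execution of
+.Pa ~/.ssh/rc
+by
+.Xr sshd 8
+(permitted by default).
+.Pp
+.It Ic no-x11-forwarding
+Disable X11 forwarding (permitted by default).
+.Pp
+.It Ic permit-agent-forwarding
+Allows
+.Xr ssh-agent 1
+forwarding.
+.Pp
+.It Ic permit-port-forwarding
+Allows port forwarding.
+.Pp
+.It Ic permit-pty
+Allows PTY allocation.
+.Pp
+.It Ic permit-user-rc
+Allows execution of
+.Pa ~/.ssh/rc
+by
+.Xr sshd 8 .
+.Pp
+.It Ic permit-X11-forwarding
+Allows X11 forwarding.
+.Pp
+.It Ic no-touch-required
+Do not require signatures made using this key require demonstration
+of user presence (e.g. by having the user touch the key).
+This option only makes sense for the Security Key algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
+.Pp
+.It Ic source-address Ns = Ns Ar address_list
+Restrict the source addresses from which the certificate is considered valid.
+The
+.Ar address_list
+is a comma-separated list of one or more address/netmask pairs in CIDR
+format.
+.El
+.Pp
+At present, no standard options are valid for host keys.
 .Pp
 Finally, certificates may be defined with a validity lifetime.
 The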
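--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.375 2019/12/30 03:28:41 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2820,7 +2820,8 @@ main(int argc, char **argv)
 	int prefer_agent = 0, convert_to = 0, convert_from = 0;
 	int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
 	unsigned long long ull, cert_serial = 0;
-	char *identity_comment = NULL, *ca_key_path = NULL;
+	char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
+	size_t i, nopts = 0;
 	u_int32_t bits = 0;
 	uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
 	FILE *f;
@@ -2950,7 +2951,9 @@ main(int argc, char **argv)
 			check_krl = 1;
 			break;
 		case 'O':
-			add_cert_option(optarg);
+			opts = xrecallocarray(opts, nopts, nopts + 1,
+			    sizeof(*opts));
+			opts[nopts++] = xstrdup(optarg);
 			break;
 		case 'Z':
 			openssh_format_cipher = optarg;
@@ -3184,6 +3187,8 @@ main(int argc, char **argv)
 	if (ca_key_path != NULL) {
 		if (cert_key_id == NULL)
 			fatal("Must specify key id (-I) when certifying");
+		for (i = 0; i < nopts; i++)
+			add_cert_option(opts[i]);
 		do_ca_sign(pw, ca_key_path, prefer_agent,
 		    cert_serial, cert_serial_autoinc, argc, argv);
 	}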
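Review bot: Now that `add_cert_option()` is only reached inside the `ca_key_path != NULL` branch, a `-O` given in any non-signing invocation is collected into `opts` and then silently dropped, whereas the previous immediate `add_cert_option(optarg)` would, per the commit message, have parsed and validated it on the spot. Until the other consumers of `-O` that the commit message anticipates actually exist, a guard after this block such as `if (nopts > 0 && ca_key_path == NULL) fatal("-O is only valid when signing certificates (-s)");` (or at least a warning) would keep a mistyped or misplaced option from going unnoticed, and can be relaxed when those consumers land. A one-line comment above the loop, `/* certificate options are only meaningful once we know we are acting as a CA */`, would also record why the parsing is deferred. `main` begins and ends outside these hunks, so I cannot see whether any later code reads `opts`.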