upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e

8 files changed, 78 insertions, 32 deletions

diff --git a/auth-options.c b/auth-options.c
index 90b0d7f25..2d200944c 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  *
@@ -96,7 +96,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
                     name, sshbuf_len(data));
                 found = 0;
                 if ((which & OPTIONS_EXTENSIONS) != 0) {
-                        if (strcmp(name, "permit-X11-forwarding") == 0) {
+                        if (strcmp(name, "no-touch-required") == 0) {
+                                opts->no_require_user_presence = 1;
+                                found = 1;
+                        } else if (strcmp(name, "permit-X11-forwarding") == 0) {
                                 opts->permit_x11_forwarding_flag = 1;
                                 found = 1;
                         } else if (strcmp(name,
@@ -347,6 +350,8 @@ sshauthopt_parse(const char *opts, const char **errstrp)
                         ret->permit_agent_forwarding_flag = r == 1;
                 } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
                         ret->permit_x11_forwarding_flag = r == 1;
+                } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
+                        ret->no_require_user_presence = r != 1; /* NB. flip */
                 } else if ((r = opt_flag("pty", 1, &opts)) != -1) {
                         ret->permit_pty_flag = r == 1;
                 } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
@@ -567,14 +572,15 @@ sshauthopt_merge(const struct sshauthopt *primary,
                         goto alloc_fail;
         }
 
-        /* Flags are logical-AND (i.e. must be set in both for permission) */
-#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1)
-        OPTFLAG(permit_port_forwarding_flag);
-        OPTFLAG(permit_agent_forwarding_flag);
-        OPTFLAG(permit_x11_forwarding_flag);
-        OPTFLAG(permit_pty_flag);
-        OPTFLAG(permit_user_rc);
-#undef OPTFLAG
+#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
+        /* Permissive flags are logical-AND (i.e. must be set in both) */
+        OPTFLAG_AND(permit_port_forwarding_flag);
+        OPTFLAG_AND(permit_agent_forwarding_flag);
+        OPTFLAG_AND(permit_x11_forwarding_flag);
+        OPTFLAG_AND(permit_pty_flag);
+        OPTFLAG_AND(permit_user_rc);
+        OPTFLAG_AND(no_require_user_presence);
+#undef OPTFLAG_AND
 
         /* Earliest expiry time should win */
         if (primary->valid_before != 0)
@@ -643,6 +649,7 @@ sshauthopt_copy(const struct sshauthopt *orig)
         OPTSCALAR(cert_authority);
         OPTSCALAR(force_tun_device);
         OPTSCALAR(valid_before);
+        OPTSCALAR(no_require_user_presence);
 #undef OPTSCALAR
 #define OPTSTRING(x) \
         do { \
@@ -765,7 +772,7 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
 {
         int r = SSH_ERR_INTERNAL_ERROR;
 
-        /* Flag and simple integer options */
+        /* Flag options */
         if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
             (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
             (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
@@ -773,7 +780,11 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
             (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
             (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
             (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
-            (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
+            (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0)
+                return r;
+
+        /* Simple integer options */
+        if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0)
                 return r;
 
         /* tunnel number can be negative to indicate "unset" */
@@ -817,6 +828,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
         if ((opts = calloc(1, sizeof(*opts))) == NULL)
                 return SSH_ERR_ALLOC_FAIL;
 
+        /* Flag options */
 #define OPT_FLAG(x) \
         do { \
                 if ((r = sshbuf_get_u8(m, &f)) != 0) \
@@ -830,8 +842,10 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
         OPT_FLAG(permit_user_rc);
         OPT_FLAG(restricted);
         OPT_FLAG(cert_authority);
+        OPT_FLAG(no_require_user_presence);
 #undef OPT_FLAG
 
+        /* Simple integer options */
         if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
                 goto out;
 
diff --git a/auth-options.h b/auth-options.h
index 14cbfa49d..d96ffedee 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.h,v 1.28 2019/07/09 04:15:00 djm Exp $ */
+/* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */
 
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
@@ -68,6 +68,9 @@ struct sshauthopt {
          */
         char *required_from_host_cert;
         char *required_from_host_keys;
+
+        /* Key requires user presence asserted */
+        int no_require_user_presence;
 };
 
 struct sshauthopt *sshauthopt_new(void);
diff --git a/auth.c b/auth.c
index b092f212c..0a46e1d8a 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.142 2019/10/16 06:05:39 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.143 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -1005,7 +1005,7 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
 
         snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
         /* Try to keep this alphabetically sorted */
-        snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s",
+        snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
             opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
             opts->force_command == NULL ? "" : " command",
             do_env ?  " environment" : "",
@@ -1018,7 +1018,8 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
             opts->force_tun_device == -1 ? "" : " tun=",
             opts->force_tun_device == -1 ? "" : buf,
             opts->permit_user_rc ? " user-rc" : "",
-            opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
+            opts->permit_x11_forwarding_flag ? " x11-forwarding" : "",
+            opts->no_require_user_presence ? " no-touch-required" : "");
 
         debug("%s: %s", loc, msg);
         if (do_remote)
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0ef982a48..b656b1f8c 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.96 2019/11/25 00:52:46 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.97 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -225,7 +225,8 @@ userauth_pubkey(struct ssh *ssh)
                             __func__, sig_details->sk_counter,
                             sig_details->sk_flags);
                         req_presence = (options.pubkey_auth_options &
-                            PUBKEYAUTH_TOUCH_REQUIRED);
+                            PUBKEYAUTH_TOUCH_REQUIRED) ||
+                            !authopts->no_require_user_presence;
                         if (req_presence && (sig_details->sk_flags &
                             SSH_SK_USER_PRESENCE_REQD) == 0) {
                                 error("public key %s signature for %s%s from "
diff --git a/monitor.c b/monitor.c
index 9b171c447..d4be7409e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.203 2019/11/25 00:52:46 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.204 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1440,7 +1440,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 
         if (ret == 0 && key_blobtype == MM_USERKEY && sig_details != NULL) {
                 req_presence = (options.pubkey_auth_options &
-                    PUBKEYAUTH_TOUCH_REQUIRED);
+                    PUBKEYAUTH_TOUCH_REQUIRED) ||
+                    !key_opts->no_require_user_presence;
                 if (req_presence &&
                     (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) {
                         error("public key %s %s signature for %s%s from %.128s "
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index feaa69efe..06aead348 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.176 2019/11/18 23:16:49 naddy Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 18 2019 $
+.Dd $Mdocdate: November 25 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -534,6 +534,14 @@ by
 .It Ic permit-X11-forwarding
 Allows X11 forwarding.
 .Pp
+.It Ic no-touch-required
+Do not require signatures made using this key require demonstration
+of user presence (e.g. by having the user touch the key).
+This option only makes sense for the Security Key algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
+.Pp
 .It Ic source-address Ns = Ns Ar address_list
 Restrict the source addresses from which the certificate is considered valid.
 The
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 08dd7cb8a..16d196fc8 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.370 2019/11/25 00:51:37 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -120,11 +120,12 @@ static u_int64_t cert_valid_from = 0;
 static u_int64_t cert_valid_to = ~0ULL;
 
 /* Certificate options */
-#define CERTOPT_X_FWD   (1)
-#define CERTOPT_AGENT_FWD       (1<<1)
-#define CERTOPT_PORT_FWD        (1<<2)
-#define CERTOPT_PTY             (1<<3)
-#define CERTOPT_USER_RC (1<<4)
+#define CERTOPT_X_FWD                           (1)
+#define CERTOPT_AGENT_FWD                       (1<<1)
+#define CERTOPT_PORT_FWD                        (1<<2)
+#define CERTOPT_PTY                             (1<<3)
+#define CERTOPT_USER_RC                         (1<<4)
+#define CERTOPT_NO_REQUIRE_USER_PRESENCE        (1<<5)
 #define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \
                          CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC)
 static u_int32_t certflags_flags = CERTOPT_DEFAULT;
@@ -1666,6 +1667,9 @@ prepare_options_buf(struct sshbuf *c, int which)
             (certflags_flags & CERTOPT_USER_RC) != 0)
                 add_flag_option(c, "permit-user-rc");
         if ((which & OPTIONS_CRITICAL) != 0 &&
+            (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
+                add_flag_option(c, "no-touch-required");
+        if ((which & OPTIONS_CRITICAL) != 0 &&
             certflags_src_addr != NULL)
                 add_string_option(c, "source-address", certflags_src_addr);
         for (i = 0; i < ncert_userext; i++) {
@@ -1967,6 +1971,10 @@ add_cert_option(char *opt)
                 certflags_flags &= ~CERTOPT_USER_RC;
         else if (strcasecmp(opt, "permit-user-rc") == 0)
                 certflags_flags |= CERTOPT_USER_RC;
+        else if (strcasecmp(opt, "touch-required") == 0)
+                certflags_flags &= ~CERTOPT_NO_REQUIRE_USER_PRESENCE;
+        else if (strcasecmp(opt, "no-touch-required") == 0)
+                certflags_flags |= CERTOPT_NO_REQUIRE_USER_PRESENCE;
         else if (strncasecmp(opt, "force-command=", 14) == 0) {
                 val = opt + 14;
                 if (*val == '\0')
@@ -2020,9 +2028,10 @@ show_options(struct sshbuf *optbuf, int in_critical)
                     strcmp(name, "permit-agent-forwarding") == 0 ||
                     strcmp(name, "permit-port-forwarding") == 0 ||
                     strcmp(name, "permit-pty") == 0 ||
-                    strcmp(name, "permit-user-rc") == 0))
+                    strcmp(name, "permit-user-rc") == 0 ||
+                    strcmp(name, "no-touch-required") == 0)) {
                         printf("\n");
-                else if (in_critical &&
+                } else if (in_critical &&
                     (strcmp(name, "force-command") == 0 ||
                     strcmp(name, "source-address") == 0)) {
                         if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
diff --git a/sshd.8 b/sshd.8
index 042610a03..b32da282f 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.306 2019/11/18 04:55:02 djm Exp $
-.Dd $Mdocdate: November 18 2019 $
+.\" $OpenBSD: sshd.8,v 1.307 2019/11/25 00:54:23 djm Exp $
+.Dd $Mdocdate: November 25 2019 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -627,6 +627,13 @@ option.
 Permits tty allocation previously disabled by the
 .Cm restrict
 option.
+.It Cm no-touch-required
+Do not require demonstration of user presence
+for signatures made using this key.
+This option only makes sense for the Security Key algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
 .It Cm restrict
 Enable all restrictions, i.e. disable port, agent and X11 forwarding,
 as well as disabling PTY allocation
@@ -670,6 +677,8 @@ restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
 user@example.net
 restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
 user@example.net
+no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
+user@example.net
 .Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The