diff options
| author | Damien Miller <djm@mindrot.org> | 2012-12-03 09:49:52 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-12-03 09:49:52 +1100 |
| commit | cb6b68b209d8868a94a30b1a634beb1a65cb5265 (patch) | |
| tree | 049f0251f5ee3f2cb2fb236ba4ee5eb37b356351 | |
| parent | cf6ef137b516a9f739b6e899ec5ef7306835530b (diff) | |
- djm@cvs.openbsd.org 2012/12/02 20:26:11
[ssh_config.5 sshconnect2.c]
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | ssh_config.5 | 6 | ||||
| -rw-r--r-- | sshconnect2.c | 29 |
3 files changed, 36 insertions, 5 deletions
| @@ -1,6 +1,12 @@ | |||
| 1 | 20121203 | 1 | 20121203 |
| 2 | - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get | 2 | - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get |
| 3 | TAILQ_FOREACH_SAFE needed for upcoming changes. | 3 | TAILQ_FOREACH_SAFE needed for upcoming changes. |
| 4 | - (djm) OpenBSD CVS Sync | ||
| 5 | - djm@cvs.openbsd.org 2012/12/02 20:26:11 | ||
| 6 | [ssh_config.5 sshconnect2.c] | ||
| 7 | Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. | ||
| 8 | This allows control of which keys are offered from tokens using | ||
| 9 | IdentityFile. ok markus@ | ||
| 4 | 10 | ||
| 5 | 20121114 | 11 | 20121114 |
| 6 | - (djm) OpenBSD CVS Sync | 12 | - (djm) OpenBSD CVS Sync |
diff --git a/ssh_config.5 b/ssh_config.5 index d3e801df0..09a3cf035 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $ |
| 37 | .Dd $Mdocdate: October 4 2012 $ | 37 | .Dd $Mdocdate: December 2 2012 $ |
| 38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -602,6 +602,8 @@ should only use the authentication identity files configured in the | |||
| 602 | files, | 602 | files, |
| 603 | even if | 603 | even if |
| 604 | .Xr ssh-agent 1 | 604 | .Xr ssh-agent 1 |
| 605 | or a | ||
| 606 | .Cm PKCS11Provider | ||
| 605 | offers more identities. | 607 | offers more identities. |
| 606 | The argument to this keyword must be | 608 | The argument to this keyword must be |
| 607 | .Dq yes | 609 | .Dq yes |
diff --git a/sshconnect2.c b/sshconnect2.c index 7c369d743..6791ea344 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| @@ -1359,7 +1359,7 @@ load_identity_file(char *filename) | |||
| 1359 | static void | 1359 | static void |
| 1360 | pubkey_prepare(Authctxt *authctxt) | 1360 | pubkey_prepare(Authctxt *authctxt) |
| 1361 | { | 1361 | { |
| 1362 | Identity *id; | 1362 | Identity *id, *id2, *tmp; |
| 1363 | Idlist agent, files, *preferred; | 1363 | Idlist agent, files, *preferred; |
| 1364 | Key *key; | 1364 | Key *key; |
| 1365 | AuthenticationConnection *ac; | 1365 | AuthenticationConnection *ac; |
| @@ -1371,7 +1371,7 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1371 | preferred = &authctxt->keys; | 1371 | preferred = &authctxt->keys; |
| 1372 | TAILQ_INIT(preferred); /* preferred order of keys */ | 1372 | TAILQ_INIT(preferred); /* preferred order of keys */ |
| 1373 | 1373 | ||
| 1374 | /* list of keys stored in the filesystem */ | 1374 | /* list of keys stored in the filesystem and PKCS#11 */ |
| 1375 | for (i = 0; i < options.num_identity_files; i++) { | 1375 | for (i = 0; i < options.num_identity_files; i++) { |
| 1376 | key = options.identity_keys[i]; | 1376 | key = options.identity_keys[i]; |
| 1377 | if (key && key->type == KEY_RSA1) | 1377 | if (key && key->type == KEY_RSA1) |
| @@ -1384,6 +1384,29 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1384 | id->filename = xstrdup(options.identity_files[i]); | 1384 | id->filename = xstrdup(options.identity_files[i]); |
| 1385 | TAILQ_INSERT_TAIL(&files, id, next); | 1385 | TAILQ_INSERT_TAIL(&files, id, next); |
| 1386 | } | 1386 | } |
| 1387 | /* Prefer PKCS11 keys that are explicitly listed */ | ||
| 1388 | TAILQ_FOREACH_SAFE(id, &files, next, tmp) { | ||
| 1389 | if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0) | ||
| 1390 | continue; | ||
| 1391 | found = 0; | ||
| 1392 | TAILQ_FOREACH(id2, &files, next) { | ||
| 1393 | if (id2->key == NULL || | ||
| 1394 | (id2->key->flags & KEY_FLAG_EXT) != 0) | ||
| 1395 | continue; | ||
| 1396 | if (key_equal(id->key, id2->key)) { | ||
| 1397 | TAILQ_REMOVE(&files, id, next); | ||
| 1398 | TAILQ_INSERT_TAIL(preferred, id, next); | ||
| 1399 | found = 1; | ||
| 1400 | break; | ||
| 1401 | } | ||
| 1402 | } | ||
| 1403 | /* If IdentitiesOnly set and key not found then don't use it */ | ||
| 1404 | if (!found && options.identities_only) { | ||
| 1405 | TAILQ_REMOVE(&files, id, next); | ||
| 1406 | bzero(id, sizeof(id)); | ||
| 1407 | free(id); | ||
| 1408 | } | ||
| 1409 | } | ||
| 1387 | /* list of keys supported by the agent */ | 1410 | /* list of keys supported by the agent */ |
| 1388 | if ((ac = ssh_get_authentication_connection())) { | 1411 | if ((ac = ssh_get_authentication_connection())) { |
| 1389 | for (key = ssh_get_first_identity(ac, &comment, 2); | 1412 | for (key = ssh_get_first_identity(ac, &comment, 2); |