diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-02-04 09:58:04 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-02-04 21:08:10 +1100 |
| commit | d596b1d30dc158915a3979fa409d21ff2465b6ee (patch) | |
| tree | c7c5d1c14cbd5e2e2448043d69b4dc383c56effb | |
| parent | 501f3582438cb2cb1cb92be0f17be490ae96fb23 (diff) | |
upstream: require FIDO application strings to start with "ssh:"; ok
markus@
OpenBSD-Commit-ID: 94e9c1c066d42b76f035a3d58250a32b14000afb
| -rw-r--r-- | ssh-keygen.1 | 6 | ||||
| -rw-r--r-- | ssh-keygen.c | 6 |
2 files changed, 9 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index f0e76aab1..51aee21aa 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: ssh-keygen.1,v 1.199 2020/02/03 08:15:37 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.200 2020/02/04 09:58:04 djm Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -35,7 +35,7 @@ | |||
| 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 37 | .\" | 37 | .\" |
| 38 | .Dd $Mdocdate: February 3 2020 $ | 38 | .Dd $Mdocdate: February 4 2020 $ |
| 39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
| 40 | .Os | 40 | .Os |
| 41 | .Sh NAME | 41 | .Sh NAME |
| @@ -472,6 +472,8 @@ Those supported at present are: | |||
| 472 | Override the default FIDO application/origin string of | 472 | Override the default FIDO application/origin string of |
| 473 | .Dq ssh: . | 473 | .Dq ssh: . |
| 474 | This may be useful when generating host or domain-specific resident keys. | 474 | This may be useful when generating host or domain-specific resident keys. |
| 475 | The specified application string must begin with | ||
| 476 | .Dq ssh: . | ||
| 475 | .It Cm challenge Ns = Ns Ar path | 477 | .It Cm challenge Ns = Ns Ar path |
| 476 | Specifies a path to a challenge string that will be passed to the | 478 | Specifies a path to a challenge string that will be passed to the |
| 477 | FIDO token during key generation. | 479 | FIDO token during key generation. |
diff --git a/ssh-keygen.c b/ssh-keygen.c index 4ee43ab98..2a64622c1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.395 2020/01/28 08:01:34 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.396 2020/02/04 09:58:04 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -3572,6 +3572,10 @@ main(int argc, char **argv) | |||
| 3572 | } else if (strncasecmp(opts[i], | 3572 | } else if (strncasecmp(opts[i], |
| 3573 | "application=", 12) == 0) { | 3573 | "application=", 12) == 0) { |
| 3574 | sk_application = xstrdup(opts[i] + 12); | 3574 | sk_application = xstrdup(opts[i] + 12); |
| 3575 | if (strncmp(sk_application, "ssh:", 4) != 0) { | ||
| 3576 | fatal("FIDO application string must " | ||
| 3577 | "begin with \"ssh:\""); | ||
| 3578 | } | ||
| 3575 | } else { | 3579 | } else { |
| 3576 | fatal("Option \"%s\" is unsupported for " | 3580 | fatal("Option \"%s\" is unsupported for " |
| 3577 | "FIDO authenticator enrollment", opts[i]); | 3581 | "FIDO authenticator enrollment", opts[i]); |