upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
author: djm@openbsd.org <djm@openbsd.org> 2019-11-25 00:54:23 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-25 12:23:40 +1100
commit: 2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree: b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /auth-options.c
parent: 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)
1 files changed, 26 insertions, 12 deletions
diff --git a/auth-options.c b/auth-options.c
index 90b0d7f25..2d200944c 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */
 /*
 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
 *
@@ -96,7 +96,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
                    name, sshbuf_len(data));
                found = 0;
                if ((which & OPTIONS_EXTENSIONS) != 0) {
-                        if (strcmp(name, "permit-X11-forwarding") == 0) {
+                        if (strcmp(name, "no-touch-required") == 0) {
+                                opts->no_require_user_presence = 1;
+                                found = 1;
+                        } else if (strcmp(name, "permit-X11-forwarding") == 0) {
                                opts->permit_x11_forwarding_flag = 1;
                                found = 1;
                        } else if (strcmp(name,
@@ -347,6 +350,8 @@ sshauthopt_parse(const char *opts, const char **errstrp)
                        ret->permit_agent_forwarding_flag = r == 1;
                } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
                        ret->permit_x11_forwarding_flag = r == 1;
+                } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
+                        ret->no_require_user_presence = r != 1; /* NB. flip */
                } else if ((r = opt_flag("pty", 1, &opts)) != -1) {
                        ret->permit_pty_flag = r == 1;
                } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
@@ -567,14 +572,15 @@ sshauthopt_merge(const struct sshauthopt *primary,
                        goto alloc_fail;
        }
-        /* Flags are logical-AND (i.e. must be set in both for permission) */
+#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
-#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1)
+        /* Permissive flags are logical-AND (i.e. must be set in both) */
-        OPTFLAG(permit_port_forwarding_flag);
+        OPTFLAG_AND(permit_port_forwarding_flag);
-        OPTFLAG(permit_agent_forwarding_flag);
+        OPTFLAG_AND(permit_agent_forwarding_flag);
-        OPTFLAG(permit_x11_forwarding_flag);
+        OPTFLAG_AND(permit_x11_forwarding_flag);
-        OPTFLAG(permit_pty_flag);
+        OPTFLAG_AND(permit_pty_flag);
-        OPTFLAG(permit_user_rc);
+        OPTFLAG_AND(permit_user_rc);
-#undef OPTFLAG
+        OPTFLAG_AND(no_require_user_presence);
+#undef OPTFLAG_AND
        /* Earliest expiry time should win */
        if (primary->valid_before != 0)
@@ -643,6 +649,7 @@ sshauthopt_copy(const struct sshauthopt *orig)
        OPTSCALAR(cert_authority);
        OPTSCALAR(force_tun_device);
        OPTSCALAR(valid_before);
+        OPTSCALAR(no_require_user_presence);
 #undef OPTSCALAR
 #define OPTSTRING(x) \
        do { \
@@ -765,7 +772,7 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
 {
        int r = SSH_ERR_INTERNAL_ERROR;
-        /* Flag and simple integer options */
+        /* Flag options */
        if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
            (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
            (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
@@ -773,7 +780,11 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
            (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
            (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
            (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
-            (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
+            (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0)
+                return r;
+        /* Simple integer options */
+        if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0)
                return r;
        /* tunnel number can be negative to indicate "unset" */
@@ -817,6 +828,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
        if ((opts = calloc(1, sizeof(*opts))) == NULL)
                return SSH_ERR_ALLOC_FAIL;
+        /* Flag options */
 #define OPT_FLAG(x) \
        do { \
                if ((r = sshbuf_get_u8(m, &f)) != 0) \
@@ -830,8 +842,10 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
        OPT_FLAG(permit_user_rc);
        OPT_FLAG(restricted);
        OPT_FLAG(cert_authority);
+        OPT_FLAG(no_require_user_presence);
 #undef OPT_FLAG
+        /* Simple integer options */
        if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
                goto out;
author	djm@openbsd.org <djm@openbsd.org>	2019-11-25 00:54:23 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-25 12:23:40 +1100
commit	2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree	b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /auth-options.c
parent	0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)