authordjm@openbsd.org <djm@openbsd.org>2020-08-27 01:07:09 +0000
committerDamien Miller <djm@mindrot.org>2020-08-27 11:28:36 +1000
commit801c9f095e6d8b7b91aefd98f5001c652ea13488 (patch)
tree6c6416d6d926939b208eb1f1181f196a554e0734 /auth-options.c
parent9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (diff)
upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
Diffstat (limited to 'auth-options.c')
-rw-r--r--auth-options.c20
1 files changed, 15 insertions, 5 deletions
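--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.92 2020/03/06 18:15:38 markus Exp $ */
+/* $OpenBSD: auth-options.c,v 1.93 2020/08/27 01:07:09 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  *
@@ -119,7 +119,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
  }
  }
  if (!found && (which & OPTIONS_CRITICAL) != 0) {
- if (strcmp(name, "force-command") == 0) {
+ if (strcmp(name, "verify-required") == 0) {
+ opts->require_verify = 1;
+ found = 1;
+ } else if (strcmp(name, "force-command") == 0) {
  if ((r = sshbuf_get_cstring(data, &command,
  NULL)) != 0) {
  error("Unable to parse \"%s\" "
@@ -134,8 +137,7 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
  }
  opts->force_command = command;
  found = 1;
- }
- if (strcmp(name, "source-address") == 0) {
+ } else if (strcmp(name, "source-address") == 0) {
  if ((r = sshbuf_get_cstring(data, &allowed,
  NULL)) != 0) {
  error("Unable to parse \"%s\" "
@@ -351,6 +353,8 @@ sshauthopt_parse(const char *opts, const char **errstrp)
  ret->permit_x11_forwarding_flag = r == 1;
  } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
  ret->no_require_user_presence = r != 1; /* NB. flip */
+ } else if ((r = opt_flag("verify-required", 1, &opts)) != -1) {
+ ret->require_verify = r == 1;
  } else if ((r = opt_flag("pty", 1, &opts)) != -1) {
  ret->permit_pty_flag = r == 1;
  } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
@@ -572,6 +576,7 @@ sshauthopt_merge(const struct sshauthopt *primary,
  }
 
 #define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
+#define OPTFLAG_OR(x) ret->x = (primary->x == 1) || (additional->x == 1)
  /* Permissive flags are logical-AND (i.e. must be set in both) */
  OPTFLAG_AND(permit_port_forwarding_flag);
  OPTFLAG_AND(permit_agent_forwarding_flag);
@@ -579,6 +584,8 @@ sshauthopt_merge(const struct sshauthopt *primary,
  OPTFLAG_AND(permit_pty_flag);
  OPTFLAG_AND(permit_user_rc);
  OPTFLAG_AND(no_require_user_presence);
+ /* Restrictive flags are logical-OR (i.e. must be set in either) */
+ OPTFLAG_OR(require_verify);
 #undef OPTFLAG_AND
 
  /* Earliest expiry time should win */
@@ -649,6 +656,7 @@ sshauthopt_copy(const struct sshauthopt *orig)
  OPTSCALAR(force_tun_device);
  OPTSCALAR(valid_before);
  OPTSCALAR(no_require_user_presence);
+ OPTSCALAR(require_verify);
 #undef OPTSCALAR
 #define OPTSTRING(x) \
  do { \
@@ -781,7 +789,8 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
  (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
  (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
  (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
- (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0)
+ (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0 ||
+ (r = sshbuf_put_u8(m, opts->require_verify)) != 0)
  return r;
 
  /* Simple integer options */
@@ -844,6 +853,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
  OPT_FLAG(restricted);
  OPT_FLAG(cert_authority);
  OPT_FLAG(no_require_user_presence);
+ OPT_FLAG(require_verify);
 #undef OPT_FLAG
 
  /* Simple integer options */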
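Review bot: In the sshauthopt_parse hunk the new branch calls `opt_flag("verify-required", 1, &opts)` and stores `r == 1`, so a negated `no-verify-required` spelling is also accepted in authorized_keys and sets `require_verify` to 0. For a restrictive flag that presumably starts at 0, that spelling can only cancel an earlier `verify-required` in the same option string, yet an administrator may read it as lifting a requirement set elsewhere; the OR-merge added in sshauthopt_merge suggests it does not. If negation is not intended, pass 0 as the second argument: `} else if ((r = opt_flag("verify-required", 0, &opts)) != -1) {`; otherwise a short comment such as `/* NB. negation cannot clear a requirement merged in from a certificate */` would record the intent. The rest of the if/else chain and the initialisation of `ret` lie outside the hunk, so the flag's starting value is assumed rather than visible.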