upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e

1 files changed, 3 insertions, 2 deletions

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0ef982a48..b656b1f8c 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.96 2019/11/25 00:52:46 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.97 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -225,7 +225,8 @@ userauth_pubkey(struct ssh *ssh)
                             __func__, sig_details->sk_counter,
                             sig_details->sk_flags);
                         req_presence = (options.pubkey_auth_options &
-                            PUBKEYAUTH_TOUCH_REQUIRED);
+                            PUBKEYAUTH_TOUCH_REQUIRED) ||
+                            !authopts->no_require_user_presence;
                         if (req_presence && (sig_details->sk_flags &
                             SSH_SK_USER_PRESENCE_REQD) == 0) {
                                 error("public key %s signature for %s%s from "