authordjm@openbsd.org <djm@openbsd.org>2019-11-25 00:52:46 +0000
committerDamien Miller <djm@mindrot.org>2019-11-25 12:23:40 +1100
commit0fddf2967ac51d518e300408a0d7e6adf4cd2634 (patch)
treed7fe4a4f7cd92c565a765e21b7cb19b9c7544d29 /auth2-pubkey.c
parentb7e74ea072919b31391bc0f5ff653f80b9f5e84f (diff)
upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key). ok markus@ OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c22
1 files changed, 19 insertions, 3 deletions
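--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.95 2019/11/25 00:51:37 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.96 2019/11/25 00:52:46 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -68,6 +68,7 @@
 #include "ssherr.h"
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
+#include "sk-api.h"
 
 /* import */
 extern ServerOptions options;
@@ -96,7 +97,7 @@ userauth_pubkey(struct ssh *ssh)
  u_char *pkblob = NULL, *sig = NULL, have_sig;
  size_t blen, slen;
  int r, pktype;
- int authenticated = 0;
+ int req_presence = 0, authenticated = 0;
  struct sshauthopt *authopts = NULL;
  struct sshkey_sig_details *sig_details = NULL;
 
@@ -217,10 +218,25 @@ userauth_pubkey(struct ssh *ssh)
  ssh->compat, &sig_details)) == 0) {
  authenticated = 1;
  }
- if (sig_details != NULL) {
+ if (authenticated == 1 && sig_details != NULL) {
+ auth2_record_info(authctxt, "signature count = %u",
+ sig_details->sk_counter);
  debug("%s: sk_counter = %u, sk_flags = 0x%02x",
  __func__, sig_details->sk_counter,
  sig_details->sk_flags);
+ req_presence = (options.pubkey_auth_options &
+ PUBKEYAUTH_TOUCH_REQUIRED);
+ if (req_presence && (sig_details->sk_flags &
+ SSH_SK_USER_PRESENCE_REQD) == 0) {
+ error("public key %s signature for %s%s from "
+ "%.128s port %d rejected: user presence "
+ "(key touch) requirement not met ", key_s,
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user, ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh));
+ authenticated = 0;
+ goto done;
+ }
  }
  auth2_record_key(authctxt, authenticated, key);
  } else {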
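Review bot: The `goto done` on the new presence-rejection path jumps over the `auth2_record_key(authctxt, authenticated, key)` call that every other signature outcome in this hunk reaches, so a signature refused for lacking SSH_SK_USER_PRESENCE_REQD is the one failure whose key is not recorded for the later auth log; unless `done:` (outside the hunk) records it, this rejection is harder to attribute in the logs than an ordinary bad signature. Consider dropping the `goto done` so the block falls through to the existing record call with `authenticated = 0`, or calling `auth2_record_key(authctxt, 0, key);` before the jump if the skip is deliberate. The rejection message also ends in a stray trailing space, `"(key touch) requirement not met "`, which shows up in syslog; drop it. The body of userauth_pubkey starts and ends outside this hunk, so what `done:` does cannot be confirmed from here.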