author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:52:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:40 +1100 |
commit | 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (patch) | |
tree | d7fe4a4f7cd92c565a765e21b7cb19b9c7544d29 /auth2-pubkey.c | |
parent | b7e74ea072919b31391bc0f5ff653f80b9f5e84f (diff) |
upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 22 |
1 files changed, 19 insertions, 3 deletions
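diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2b6986709..0ef982a48 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.95 2019/11/25 00:51:37 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.96 2019/11/25 00:52:46 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -68,6 +68,7 @@
 #include "ssherr.h"
 #include "channels.h" /* XXX for session.h */
 #include "session.h" /* XXX for child_set_env(); refactor? */
+#include "sk-api.h"
 
 /* import */
 extern ServerOptions options;
@@ -96,7 +97,7 @@ userauth_pubkey(struct ssh *ssh)
 u_char *pkblob = NULL, *sig = NULL, have_sig;
 size_t blen, slen;
 int r, pktype;
-int authenticated = 0;
+int req_presence = 0, authenticated = 0;
 struct sshauthopt *authopts = NULL;
 struct sshkey_sig_details *sig_details = NULL;
 
@@ -217,10 +218,25 @@ userauth_pubkey(struct ssh *ssh)
 ssh->compat, &sig_details)) == 0) {
 authenticated = 1;
 }
-if (sig_details != NULL) {
+if (authenticated == 1 && sig_details != NULL) {
+auth2_record_info(authctxt, "signature count = %u",
+sig_details->sk_counter);
 debug("%s: sk_counter = %u, sk_flags = 0x%02x",
 __func__, sig_details->sk_counter,
 sig_details->sk_flags);
+req_presence = (options.pubkey_auth_options &
+PUBKEYAUTH_TOUCH_REQUIRED);
+if (req_presence && (sig_details->sk_flags &
+SSH_SK_USER_PRESENCE_REQD) == 0) {
+error("public key %s signature for %s%s from "
+"%.128s port %d rejected: user presence "
+"(key touch) requirement not met ", key_s,
+authctxt->valid ? "" : "invalid user ",
+authctxt->user, ssh_remote_ipaddr(ssh),
+ssh_remote_port(ssh));
+authenticated = 0;
+goto done;
+}
 }
 auth2_record_key(authctxt, authenticated, key);
 } else {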
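Review bot: The rejection message in the new user-presence check ends with a stray space before the closing quote, `"(key touch) requirement not met ", key_s,` — drop it so the logged line does not end in whitespace. The `goto done` on rejection also jumps past `auth2_record_key(authctxt, authenticated, key);`, so a touch-rejected attempt presumably is not recorded the way other failed key attempts at this point are; if that is unintended, setting `authenticated = 0` and falling through to the record call would keep the audit trail uniform. `req_presence` is derived only from `options.pubkey_auth_options` although `authopts` (the per-key authorized_keys options) is in scope in this function, so a one-line comment stating whether per-key options are meant to override the sshd_config directive here would help the next reader, e.g. `/* per-key authorized_keys options do not relax the global touch requirement */` if that is the intent. userauth_pubkey starts before this hunk and continues after it, including the `done` label the new code jumps to.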