summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2020-08-27 01:07:09 +0000
committerDamien Miller <djm@mindrot.org>2020-08-27 11:28:36 +1000
commit801c9f095e6d8b7b91aefd98f5001c652ea13488 (patch)
tree6c6416d6d926939b208eb1f1181f196a554e0734 /auth2-pubkey.c
parent9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (diff)
upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 815ea0f25..c3ecd9afc 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.100 2020/08/27 01:07:09 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -97,7 +97,7 @@ userauth_pubkey(struct ssh *ssh)
97 u_char *pkblob = NULL, *sig = NULL, have_sig; 97 u_char *pkblob = NULL, *sig = NULL, have_sig;
98 size_t blen, slen; 98 size_t blen, slen;
99 int r, pktype; 99 int r, pktype;
100 int req_presence = 0, authenticated = 0; 100 int req_presence = 0, req_verify = 0, authenticated = 0;
101 struct sshauthopt *authopts = NULL; 101 struct sshauthopt *authopts = NULL;
102 struct sshkey_sig_details *sig_details = NULL; 102 struct sshkey_sig_details *sig_details = NULL;
103 103
@@ -239,6 +239,20 @@ userauth_pubkey(struct ssh *ssh)
239 authenticated = 0; 239 authenticated = 0;
240 goto done; 240 goto done;
241 } 241 }
242 req_verify = (options.pubkey_auth_options &
243 PUBKEYAUTH_VERIFY_REQUIRED) ||
244 authopts->require_verify;
245 if (req_verify && (sig_details->sk_flags &
246 SSH_SK_USER_VERIFICATION_REQD) == 0) {
247 error("public key %s signature for %s%s from "
248 "%.128s port %d rejected: user "
249 "verification requirement not met ", key_s,
250 authctxt->valid ? "" : "invalid user ",
251 authctxt->user, ssh_remote_ipaddr(ssh),
252 ssh_remote_port(ssh));
253 authenticated = 0;
254 goto done;
255 }
242 } 256 }
243 auth2_record_key(authctxt, authenticated, key); 257 auth2_record_key(authctxt, authenticated, key);
244 } else { 258 } else {