path: root/kexgen.c
author: djm@openbsd.org <djm@openbsd.org> 2020-05-26 01:26:58 +0000
committer: Damien Miller <djm@mindrot.org> 2020-05-27 10:14:45 +1000
commit: 0c111eb84efba7c2a38b2cc3278901a0123161b9 (patch)
tree: d76647bcf949c959a4f8a2019b079961db8f1c8a /kexgen.c
parent: 9c5f64b6cb3a68b99915202d318b842c6c76cf14 (diff)
upstream: Restrict ssh-agent from signing web challenges for FIDO keys.

When signing messages in ssh-agent using a FIDO key that has an application string that does not start with "ssh:", ensure that the message being signed is one of the forms expected for the SSH protocol (currently pubkey authentication and sshsig signatures). This prevents ssh-agent forwarding on a host that has FIDO keys attached granting the ability for the remote side to sign challenges for web authentication using those keys too.

Note that the converse case of web browsers signing SSH challenges is already precluded because no web RP can have the "ssh:" prefix in the application string that we require.

ok markus@

OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
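The check the commit message describes, written out as an added example; this is not OpenSSH's ssh-agent code, only a model of the policy. It assumes the two message shapes it names: an SSH2 userauth "publickey" request (session id, message byte 50, user, service, method, flag, algorithm, key blob, per RFC 4252) and an sshsig blob ("SSHSIG" magic, namespace, reserved, hash algorithm, hash, per OpenSSH's PROTOCOL.sshsig). A FIDO key whose application string starts with "ssh:" is left unrestricted; any other key may only sign data that parses as one of those two forms and, for userauth, names the same key. The key blobs and session id used in the demo are constructed placeholders.

```python
"""Model of ssh-agent's FIDO sign-request policy (added example, not OpenSSH code)."""
import struct

SSH2_MSG_USERAUTH_REQUEST = 50
SSHSIG_MAGIC = b"SSHSIG"
SSHSIG_DIGEST_LEN = {b"sha256": 32, b"sha512": 64}


class ParseError(ValueError):
    """Raised when a length-prefixed field runs past the end of the buffer."""


def _string(buf, off):
    """Read an SSH 'string' (uint32 length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ParseError("truncated length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ParseError("truncated string")
    return buf[off:off + n], off + n


def _byte(buf, off):
    if off >= len(buf):
        raise ParseError("truncated byte")
    return buf[off], off + 1


def _pack_string(b):
    return struct.pack(">I", len(b)) + b


def is_userauth_pubkey_request(data, key_blob):
    """True if data is an SSH_MSG_USERAUTH_REQUEST (publickey) for key_blob."""
    try:
        _, off = _string(data, 0)                 # session identifier
        msg, off = _byte(data, off)
        if msg != SSH2_MSG_USERAUTH_REQUEST:
            return False
        _, off = _string(data, off)               # user name
        service, off = _string(data, off)
        method, off = _string(data, off)
        have_sig, off = _byte(data, off)          # boolean: signature present
        _, off = _string(data, off)               # public key algorithm name
        blob, off = _string(data, off)            # public key blob
    except ParseError:
        return False
    return (service == b"ssh-connection" and method == b"publickey"
            and have_sig == 1 and blob == key_blob and off == len(data))


def is_sshsig_blob(data):
    """True if data is a well-formed sshsig 'to be signed' blob."""
    if data[:len(SSHSIG_MAGIC)] != SSHSIG_MAGIC:
        return False
    try:
        off = len(SSHSIG_MAGIC)
        namespace, off = _string(data, off)
        _, off = _string(data, off)               # reserved, must be ignored
        hashalg, off = _string(data, off)
        digest, off = _string(data, off)
    except ParseError:
        return False
    return (namespace != b"" and hashalg in SSHSIG_DIGEST_LEN
            and len(digest) == SSHSIG_DIGEST_LEN[hashalg] and off == len(data))


def agent_may_sign(application, data, key_blob):
    """Policy from the commit: keys with an 'ssh:' application are unrestricted;
    any other FIDO key may only sign SSH-shaped data (userauth or sshsig)."""
    if application.startswith("ssh:"):
        return True
    return is_userauth_pubkey_request(data, key_blob) or is_sshsig_blob(data)


# Builders for the two accepted shapes, used to construct demo inputs.
def build_userauth_request(session_id, user, alg, key_blob):
    return (_pack_string(session_id) + bytes([SSH2_MSG_USERAUTH_REQUEST])
            + _pack_string(user) + _pack_string(b"ssh-connection")
            + _pack_string(b"publickey") + b"\x01"
            + _pack_string(alg) + _pack_string(key_blob))


def build_sshsig_blob(namespace, hashalg, digest):
    return (SSHSIG_MAGIC + _pack_string(namespace) + _pack_string(b"")
            + _pack_string(hashalg) + _pack_string(digest))


if __name__ == "__main__":
    blob = b"constructed-key-blob"                 # placeholder, not a real key
    req = build_userauth_request(b"\x11" * 32, b"alice",
                                 b"sk-ssh-ed25519@openssh.com", blob)
    webauthn_like = b"\x00" * 32                   # an opaque 32-byte challenge hash
    print("userauth for own key:", agent_may_sign("example.com", req, blob))
    print("opaque web challenge:", agent_may_sign("example.com", webauthn_like, blob))
    print("same, ssh: application:", agent_may_sign("ssh:", webauthn_like, blob))
```

The two parsers insist on consuming the whole buffer (`off == len(data)`), so a trailing payload appended to an otherwise valid request is rejected rather than silently ignored; the userauth branch also refuses a request that names a different key than the one the agent was asked to use.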
Diffstat (limited to 'kexgen.c')
0 files changed, 0 insertions, 0 deletions