upstream: Restrict ssh-agent from signing web challenges for FIDO

keys.

When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently pubkey authentication and sshsig signatures).

This prevents ssh-agent forwarding on a host that has FIDO keys
attached granting the ability for the remote side to sign challenges
for web authentication using those keys too.

Note that the converse case of web browsers signing SSH challenges is
already precluded because no web RP can have the "ssh:" prefix in the
application string that we require.

ok markus@

OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19

0 files changed, 0 insertions, 0 deletions