diff options
author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:52:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:40 +1100 |
commit | 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (patch) | |
tree | d7fe4a4f7cd92c565a765e21b7cb19b9c7544d29 /monitor.c | |
parent | b7e74ea072919b31391bc0f5ff653f80b9f5e84f (diff) |
upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 63 |
1 files changed, 39 insertions, 24 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.202 2019/11/25 00:51:37 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.203 2019/11/25 00:52:46 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -95,6 +95,7 @@ | |||
95 | #include "authfd.h" | 95 | #include "authfd.h" |
96 | #include "match.h" | 96 | #include "match.h" |
97 | #include "ssherr.h" | 97 | #include "ssherr.h" |
98 | #include "sk-api.h" | ||
98 | 99 | ||
99 | #ifdef GSSAPI | 100 | #ifdef GSSAPI |
100 | static Gssctxt *gsscontext = NULL; | 101 | static Gssctxt *gsscontext = NULL; |
@@ -542,7 +543,7 @@ monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, | |||
542 | 543 | ||
543 | /* allowed key state */ | 544 | /* allowed key state */ |
544 | static int | 545 | static int |
545 | monitor_allowed_key(u_char *blob, u_int bloblen) | 546 | monitor_allowed_key(const u_char *blob, u_int bloblen) |
546 | { | 547 | { |
547 | /* make sure key is allowed */ | 548 | /* make sure key is allowed */ |
548 | if (key_blob == NULL || key_bloblen != bloblen || | 549 | if (key_blob == NULL || key_bloblen != bloblen || |
@@ -1247,7 +1248,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1247 | } | 1248 | } |
1248 | 1249 | ||
1249 | static int | 1250 | static int |
1250 | monitor_valid_userblob(u_char *data, u_int datalen) | 1251 | monitor_valid_userblob(const u_char *data, u_int datalen) |
1251 | { | 1252 | { |
1252 | struct sshbuf *b; | 1253 | struct sshbuf *b; |
1253 | const u_char *p; | 1254 | const u_char *p; |
@@ -1256,10 +1257,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) | |||
1256 | u_char type; | 1257 | u_char type; |
1257 | int r, fail = 0; | 1258 | int r, fail = 0; |
1258 | 1259 | ||
1259 | if ((b = sshbuf_new()) == NULL) | 1260 | if ((b = sshbuf_from(data, datalen)) == NULL) |
1260 | fatal("%s: sshbuf_new", __func__); | 1261 | fatal("%s: sshbuf_from", __func__); |
1261 | if ((r = sshbuf_put(b, data, datalen)) != 0) | ||
1262 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
1263 | 1262 | ||
1264 | if (datafellows & SSH_OLD_SESSIONID) { | 1263 | if (datafellows & SSH_OLD_SESSIONID) { |
1265 | p = sshbuf_ptr(b); | 1264 | p = sshbuf_ptr(b); |
@@ -1314,8 +1313,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) | |||
1314 | } | 1313 | } |
1315 | 1314 | ||
1316 | static int | 1315 | static int |
1317 | monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, | 1316 | monitor_valid_hostbasedblob(const u_char *data, u_int datalen, |
1318 | char *chost) | 1317 | const char *cuser, const char *chost) |
1319 | { | 1318 | { |
1320 | struct sshbuf *b; | 1319 | struct sshbuf *b; |
1321 | const u_char *p; | 1320 | const u_char *p; |
@@ -1324,10 +1323,9 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, | |||
1324 | int r, fail = 0; | 1323 | int r, fail = 0; |
1325 | u_char type; | 1324 | u_char type; |
1326 | 1325 | ||
1327 | if ((b = sshbuf_new()) == NULL) | 1326 | if ((b = sshbuf_from(data, datalen)) == NULL) |
1328 | fatal("%s: sshbuf_new", __func__); | 1327 | fatal("%s: sshbuf_new", __func__); |
1329 | if ((r = sshbuf_put(b, data, datalen)) != 0 || | 1328 | if ((r = sshbuf_get_string_direct(b, &p, &len)) != 0) |
1330 | (r = sshbuf_get_string_direct(b, &p, &len)) != 0) | ||
1331 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 1329 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
1332 | 1330 | ||
1333 | if ((session_id2 == NULL) || | 1331 | if ((session_id2 == NULL) || |
@@ -1387,15 +1385,15 @@ int | |||
1387 | mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) | 1385 | mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) |
1388 | { | 1386 | { |
1389 | struct sshkey *key; | 1387 | struct sshkey *key; |
1390 | u_char *signature, *data, *blob; | 1388 | const u_char *signature, *data, *blob; |
1391 | char *sigalg; | 1389 | char *sigalg = NULL, *fp = NULL; |
1392 | size_t signaturelen, datalen, bloblen; | 1390 | size_t signaturelen, datalen, bloblen; |
1393 | int r, ret, valid_data = 0, encoded_ret; | 1391 | int r, ret, req_presence = 0, valid_data = 0, encoded_ret; |
1394 | struct sshkey_sig_details *sig_details = NULL; | 1392 | struct sshkey_sig_details *sig_details = NULL; |
1395 | 1393 | ||
1396 | if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 || | 1394 | if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 || |
1397 | (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 || | 1395 | (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 || |
1398 | (r = sshbuf_get_string(m, &data, &datalen)) != 0 || | 1396 | (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 || |
1399 | (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) | 1397 | (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) |
1400 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 1398 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
1401 | 1399 | ||
@@ -1430,23 +1428,36 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1430 | if (!valid_data) | 1428 | if (!valid_data) |
1431 | fatal("%s: bad signature data blob", __func__); | 1429 | fatal("%s: bad signature data blob", __func__); |
1432 | 1430 | ||
1431 | if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, | ||
1432 | SSH_FP_DEFAULT)) == NULL) | ||
1433 | fatal("%s: sshkey_fingerprint failed", __func__); | ||
1434 | |||
1433 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, | 1435 | ret = sshkey_verify(key, signature, signaturelen, data, datalen, |
1434 | sigalg, ssh->compat, &sig_details); | 1436 | sigalg, ssh->compat, &sig_details); |
1435 | debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key, | 1437 | debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key, |
1436 | (ret == 0) ? "verified" : "unverified", | 1438 | (ret == 0) ? "verified" : "unverified", |
1437 | (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); | 1439 | (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); |
1438 | auth2_record_key(authctxt, ret == 0, key); | ||
1439 | 1440 | ||
1440 | free(blob); | 1441 | if (ret == 0 && key_blobtype == MM_USERKEY && sig_details != NULL) { |
1441 | free(signature); | 1442 | req_presence = (options.pubkey_auth_options & |
1442 | free(data); | 1443 | PUBKEYAUTH_TOUCH_REQUIRED); |
1443 | free(sigalg); | 1444 | if (req_presence && |
1445 | (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) { | ||
1446 | error("public key %s %s signature for %s%s from %.128s " | ||
1447 | "port %d rejected: user presence (key touch) " | ||
1448 | "requirement not met ", sshkey_type(key), fp, | ||
1449 | authctxt->valid ? "" : "invalid user ", | ||
1450 | authctxt->user, ssh_remote_ipaddr(ssh), | ||
1451 | ssh_remote_port(ssh)); | ||
1452 | ret = SSH_ERR_SIGNATURE_INVALID; | ||
1453 | } | ||
1454 | } | ||
1455 | auth2_record_key(authctxt, ret == 0, key); | ||
1444 | 1456 | ||
1445 | if (key_blobtype == MM_USERKEY) | 1457 | if (key_blobtype == MM_USERKEY) |
1446 | auth_activate_options(ssh, key_opts); | 1458 | auth_activate_options(ssh, key_opts); |
1447 | monitor_reset_key_state(); | 1459 | monitor_reset_key_state(); |
1448 | 1460 | ||
1449 | sshkey_free(key); | ||
1450 | sshbuf_reset(m); | 1461 | sshbuf_reset(m); |
1451 | 1462 | ||
1452 | /* encode ret != 0 as positive integer, since we're sending u32 */ | 1463 | /* encode ret != 0 as positive integer, since we're sending u32 */ |
@@ -1462,6 +1473,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1462 | sshkey_sig_details_free(sig_details); | 1473 | sshkey_sig_details_free(sig_details); |
1463 | mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); | 1474 | mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); |
1464 | 1475 | ||
1476 | free(sigalg); | ||
1477 | free(fp); | ||
1478 | sshkey_free(key); | ||
1479 | |||
1465 | return ret == 0; | 1480 | return ret == 0; |
1466 | } | 1481 | } |
1467 | 1482 | ||