authordjm@openbsd.org <djm@openbsd.org>2020-08-27 01:07:09 +0000
committerDamien Miller <djm@mindrot.org>2020-08-27 11:28:36 +1000
commit801c9f095e6d8b7b91aefd98f5001c652ea13488 (patch)
tree6c6416d6d926939b208eb1f1181f196a554e0734 /monitor.c
parent9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (diff)
upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/monitor.c b/monitor.c
index 7c3e6aafe..4cf79dfc9 100644
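--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.213 2020/08/27 01:06:18 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.214 2020/08/27 01:07:09 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1387,7 +1387,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
  const u_char *signature, *data, *blob;
  char *sigalg = NULL, *fp = NULL;
  size_t signaturelen, datalen, bloblen;
- int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
+ int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
+ int encoded_ret;
  struct sshkey_sig_details *sig_details = NULL;
 
  if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
@@ -1452,6 +1453,18 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
  ssh_remote_port(ssh));
  ret = SSH_ERR_SIGNATURE_INVALID;
  }
+ req_verify = (options.pubkey_auth_options &
+ PUBKEYAUTH_VERIFY_REQUIRED) || key_opts->require_verify;
+ if (req_verify &&
+ (sig_details->sk_flags & SSH_SK_USER_VERIFICATION_REQD) == 0) {
+ error("public key %s %s signature for %s%s from %.128s "
+ "port %d rejected: user verification requirement "
+ "not met ", sshkey_type(key), fp,
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user, ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh));
+ ret = SSH_ERR_SIGNATURE_INVALID;
+ }
  }
  auth2_record_key(authctxt, ret == 0, key);
 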
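Review bot: The added verify-required check (new lines 1456–1459) dereferences both `key_opts` and `sig_details`, but the condition guarding this block opens outside the hunk, so it should be confirmed there that neither can be NULL on this path; `sig_details` is initialised to NULL at the top of the function. It is also worth checking that a key which yields no signature details cannot skip this test while the global option is set, since that would pass the requirement by omission rather than by proof. A short comment above the assignment would record the policy, for example `/* UV flag is covered by the token's signature; the global option or the per-key flag makes it mandatory */`. The format string ends in `"not met "`, which leaves a trailing space in the log line; `"not met"` would match the usual message style.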