authordjm@openbsd.org <djm@openbsd.org>2019-10-31 21:18:28 +0000
committerDamien Miller <djm@mindrot.org>2019-11-01 09:46:09 +1100
commit884416bdb10468f1252e4d7c13d51b43dccba7f6 (patch)
treef81dc3ed23cddcda6163102363c5dc75a63430e6 /readconf.c
parent01a0670f69c5b86e471e033b92145d6c7cc77c58 (diff)
upstream: ssh client support for U2F/FIDO keys
OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c17
1 files changed, 15 insertions, 2 deletions
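--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */
+/* $OpenBSD: readconf.c,v 1.310 2019/10/31 21:18:28 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -174,6 +174,7 @@ typedef enum {
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
 	oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
+	oSecurityKeyProvider,
 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -214,6 +215,7 @@ static struct {
 	{ "smartcarddevice", oUnsupported },
 	{ "pkcs11provider", oUnsupported },
 #endif
+	{ "securitykeyprovider", oSecurityKeyProvider },
 	{ "rsaauthentication", oUnsupported },
 	{ "rhostsrsaauthentication", oUnsupported },
 	{ "compressionlevel", oUnsupported },
@@ -1146,6 +1148,10 @@ parse_char_array:
 		charptr = &options->pkcs11_provider;
 		goto parse_string;
 
+	case oSecurityKeyProvider:
+		charptr = &options->sk_provider;
+		goto parse_string;
+
 	case oProxyCommand:
 		charptr = &options->proxy_command;
 		/* Ignore ProxyCommand if ProxyJump already specified */
@@ -1906,6 +1912,7 @@ initialize_options(Options * options)
 	options->bind_address = NULL;
 	options->bind_interface = NULL;
 	options->pkcs11_provider = NULL;
+	options->sk_provider = NULL;
 	options->enable_ssh_keysign = - 1;
 	options->no_host_authentication_for_localhost = - 1;
 	options->identities_only = - 1;
@@ -2043,6 +2050,8 @@ fill_default_options(Options * options)
 	add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
 #ifdef OPENSSL_HAS_ECC
 	add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
+	add_identity_file(options, "~/",
+	    _PATH_SSH_CLIENT_ID_ECDSA_SK, 0);
 #endif
 	add_identity_file(options, "~/",
 	    _PATH_SSH_CLIENT_ID_ED25519, 0);
@@ -2118,6 +2127,8 @@ fill_default_options(Options * options)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
+	if (options->sk_provider == NULL)
+		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
 
 	/* Expand KEX name lists */
 	all_cipher = cipher_alg_list(',', 0);
@@ -2135,7 +2146,7 @@ fill_default_options(Options * options)
 	ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
 	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
 	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+	ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key);
 	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 #undef ASSEMBLE
 	free(all_cipher);
@@ -2157,6 +2168,7 @@ fill_default_options(Options * options)
 	CLEAR_ON_NONE(options->control_path);
 	CLEAR_ON_NONE(options->revoked_host_keys);
 	CLEAR_ON_NONE(options->pkcs11_provider);
+	CLEAR_ON_NONE(options->sk_provider);
 	if (options->jump_host != NULL &&
 	    strcmp(options->jump_host, "none") == 0 &&
 	    options->jump_port == 0 && options->jump_user == NULL) {
@@ -2673,6 +2685,7 @@ dump_client_config(Options *o, const char *host)
 #ifdef ENABLE_PKCS11
 	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
 #endif
+	dump_cfg_string(oSecurityKeyProvider, o->sk_provider);
 	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
 	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);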
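Review bot: The default assigned in the `@@ -2118,6 +2127,8 @@` hunk, `options->sk_provider = xstrdup("$SSH_SK_PROVIDER");`, stores a literal string that starts with `$` and nothing in readconf.c expands it, so a reader of this file cannot tell whether it names an environment variable resolved at provider-load time or is handed verbatim to the loader; since this value designates a library the client will load, that distinction matters and deserves a comment on the assignment, for example `/* placeholder; presumably resolved from the environment where the provider is loaded (outside this file) — confirm */`. The same comment should note that `CLEAR_ON_NONE(options->sk_provider)` in the later `@@ -2157,6 +2168,7 @@` hunk runs after this default is applied, so `SecurityKeyProvider none` leaves the field NULL rather than the placeholder. fill_default_options starts and ends outside these hunks.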