diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-10-31 21:18:28 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-11-01 09:46:09 +1100 |
| commit | 884416bdb10468f1252e4d7c13d51b43dccba7f6 (patch) | |
| tree | f81dc3ed23cddcda6163102363c5dc75a63430e6 /readconf.c | |
| parent | 01a0670f69c5b86e471e033b92145d6c7cc77c58 (diff) | |
upstream: ssh client support for U2F/FIDO keys
OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
Diffstat (limited to 'readconf.c')
| -rw-r--r-- | readconf.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/readconf.c b/readconf.c index f78b4d6fe..f18194580 100644 --- a/readconf.c +++ b/readconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.310 2019/10/31 21:18:28 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -174,6 +174,7 @@ typedef enum { | |||
| 174 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, | 174 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
| 175 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | 175 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
| 176 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, | 176 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, |
| 177 | oSecurityKeyProvider, | ||
| 177 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported | 178 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported |
| 178 | } OpCodes; | 179 | } OpCodes; |
| 179 | 180 | ||
| @@ -214,6 +215,7 @@ static struct { | |||
| 214 | { "smartcarddevice", oUnsupported }, | 215 | { "smartcarddevice", oUnsupported }, |
| 215 | { "pkcs11provider", oUnsupported }, | 216 | { "pkcs11provider", oUnsupported }, |
| 216 | #endif | 217 | #endif |
| 218 | { "securitykeyprovider", oSecurityKeyProvider }, | ||
| 217 | { "rsaauthentication", oUnsupported }, | 219 | { "rsaauthentication", oUnsupported }, |
| 218 | { "rhostsrsaauthentication", oUnsupported }, | 220 | { "rhostsrsaauthentication", oUnsupported }, |
| 219 | { "compressionlevel", oUnsupported }, | 221 | { "compressionlevel", oUnsupported }, |
| @@ -1146,6 +1148,10 @@ parse_char_array: | |||
| 1146 | charptr = &options->pkcs11_provider; | 1148 | charptr = &options->pkcs11_provider; |
| 1147 | goto parse_string; | 1149 | goto parse_string; |
| 1148 | 1150 | ||
| 1151 | case oSecurityKeyProvider: | ||
| 1152 | charptr = &options->sk_provider; | ||
| 1153 | goto parse_string; | ||
| 1154 | |||
| 1149 | case oProxyCommand: | 1155 | case oProxyCommand: |
| 1150 | charptr = &options->proxy_command; | 1156 | charptr = &options->proxy_command; |
| 1151 | /* Ignore ProxyCommand if ProxyJump already specified */ | 1157 | /* Ignore ProxyCommand if ProxyJump already specified */ |
| @@ -1906,6 +1912,7 @@ initialize_options(Options * options) | |||
| 1906 | options->bind_address = NULL; | 1912 | options->bind_address = NULL; |
| 1907 | options->bind_interface = NULL; | 1913 | options->bind_interface = NULL; |
| 1908 | options->pkcs11_provider = NULL; | 1914 | options->pkcs11_provider = NULL; |
| 1915 | options->sk_provider = NULL; | ||
| 1909 | options->enable_ssh_keysign = - 1; | 1916 | options->enable_ssh_keysign = - 1; |
| 1910 | options->no_host_authentication_for_localhost = - 1; | 1917 | options->no_host_authentication_for_localhost = - 1; |
| 1911 | options->identities_only = - 1; | 1918 | options->identities_only = - 1; |
| @@ -2043,6 +2050,8 @@ fill_default_options(Options * options) | |||
| 2043 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); | 2050 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); |
| 2044 | #ifdef OPENSSL_HAS_ECC | 2051 | #ifdef OPENSSL_HAS_ECC |
| 2045 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); | 2052 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); |
| 2053 | add_identity_file(options, "~/", | ||
| 2054 | _PATH_SSH_CLIENT_ID_ECDSA_SK, 0); | ||
| 2046 | #endif | 2055 | #endif |
| 2047 | add_identity_file(options, "~/", | 2056 | add_identity_file(options, "~/", |
| 2048 | _PATH_SSH_CLIENT_ID_ED25519, 0); | 2057 | _PATH_SSH_CLIENT_ID_ED25519, 0); |
| @@ -2118,6 +2127,8 @@ fill_default_options(Options * options) | |||
| 2118 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 2127 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
| 2119 | if (options->update_hostkeys == -1) | 2128 | if (options->update_hostkeys == -1) |
| 2120 | options->update_hostkeys = 0; | 2129 | options->update_hostkeys = 0; |
| 2130 | if (options->sk_provider == NULL) | ||
| 2131 | options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); | ||
| 2121 | 2132 | ||
| 2122 | /* Expand KEX name lists */ | 2133 | /* Expand KEX name lists */ |
| 2123 | all_cipher = cipher_alg_list(',', 0); | 2134 | all_cipher = cipher_alg_list(',', 0); |
| @@ -2135,7 +2146,7 @@ fill_default_options(Options * options) | |||
| 2135 | ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); | 2146 | ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); |
| 2136 | ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); | 2147 | ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); |
| 2137 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2148 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); |
| 2138 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2149 | ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key); |
| 2139 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 2150 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); |
| 2140 | #undef ASSEMBLE | 2151 | #undef ASSEMBLE |
| 2141 | free(all_cipher); | 2152 | free(all_cipher); |
| @@ -2157,6 +2168,7 @@ fill_default_options(Options * options) | |||
| 2157 | CLEAR_ON_NONE(options->control_path); | 2168 | CLEAR_ON_NONE(options->control_path); |
| 2158 | CLEAR_ON_NONE(options->revoked_host_keys); | 2169 | CLEAR_ON_NONE(options->revoked_host_keys); |
| 2159 | CLEAR_ON_NONE(options->pkcs11_provider); | 2170 | CLEAR_ON_NONE(options->pkcs11_provider); |
| 2171 | CLEAR_ON_NONE(options->sk_provider); | ||
| 2160 | if (options->jump_host != NULL && | 2172 | if (options->jump_host != NULL && |
| 2161 | strcmp(options->jump_host, "none") == 0 && | 2173 | strcmp(options->jump_host, "none") == 0 && |
| 2162 | options->jump_port == 0 && options->jump_user == NULL) { | 2174 | options->jump_port == 0 && options->jump_user == NULL) { |
| @@ -2673,6 +2685,7 @@ dump_client_config(Options *o, const char *host) | |||
| 2673 | #ifdef ENABLE_PKCS11 | 2685 | #ifdef ENABLE_PKCS11 |
| 2674 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); | 2686 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); |
| 2675 | #endif | 2687 | #endif |
| 2688 | dump_cfg_string(oSecurityKeyProvider, o->sk_provider); | ||
| 2676 | dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); | 2689 | dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); |
| 2677 | dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); | 2690 | dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); |
| 2678 | dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); | 2691 | dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); |