author | djm@openbsd.org <djm@openbsd.org> | 2019-10-31 21:18:28 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-01 09:46:09 +1100 |
commit | 884416bdb10468f1252e4d7c13d51b43dccba7f6 (patch) | |
tree | f81dc3ed23cddcda6163102363c5dc75a63430e6 /readconf.c | |
parent | 01a0670f69c5b86e471e033b92145d6c7cc77c58 (diff) |
upstream: ssh client support for U2F/FIDO keys
OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 17 |
1 files changed, 15 insertions, 2 deletions
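--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */
+/* $OpenBSD: readconf.c,v 1.310 2019/10/31 21:18:28 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -174,6 +174,7 @@ typedef enum {
 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
 oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
+oSecurityKeyProvider,
 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -214,6 +215,7 @@ static struct {
 { "smartcarddevice", oUnsupported },
 { "pkcs11provider", oUnsupported },
 #endif
+{ "securitykeyprovider", oSecurityKeyProvider },
 { "rsaauthentication", oUnsupported },
 { "rhostsrsaauthentication", oUnsupported },
 { "compressionlevel", oUnsupported },
@@ -1146,6 +1148,10 @@ parse_char_array:
 charptr = &options->pkcs11_provider;
 goto parse_string;
 
+case oSecurityKeyProvider:
+charptr = &options->sk_provider;
+goto parse_string;
+
 case oProxyCommand:
 charptr = &options->proxy_command;
 /* Ignore ProxyCommand if ProxyJump already specified */
@@ -1906,6 +1912,7 @@ initialize_options(Options * options)
 options->bind_address = NULL;
 options->bind_interface = NULL;
 options->pkcs11_provider = NULL;
+options->sk_provider = NULL;
 options->enable_ssh_keysign = - 1;
 options->no_host_authentication_for_localhost = - 1;
 options->identities_only = - 1;
@@ -2043,6 +2050,8 @@ fill_default_options(Options * options)
 add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
 #ifdef OPENSSL_HAS_ECC
 add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
+add_identity_file(options, "~/",
+_PATH_SSH_CLIENT_ID_ECDSA_SK, 0);
 #endif
 add_identity_file(options, "~/",
 _PATH_SSH_CLIENT_ID_ED25519, 0);
@@ -2118,6 +2127,8 @@ fill_default_options(Options * options)
 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 if (options->update_hostkeys == -1)
 options->update_hostkeys = 0;
+if (options->sk_provider == NULL)
+options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
 
 /* Expand KEX name lists */
 all_cipher = cipher_alg_list(',', 0);
@@ -2135,7 +2146,7 @@ fill_default_options(Options * options)
 ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
 ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
 ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key);
 ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 #undef ASSEMBLE
 free(all_cipher);
@@ -2157,6 +2168,7 @@ fill_default_options(Options * options)
 CLEAR_ON_NONE(options->control_path);
 CLEAR_ON_NONE(options->revoked_host_keys);
 CLEAR_ON_NONE(options->pkcs11_provider);
+CLEAR_ON_NONE(options->sk_provider);
 if (options->jump_host != NULL &&
 strcmp(options->jump_host, "none") == 0 &&
 options->jump_port == 0 && options->jump_user == NULL) {
@@ -2673,6 +2685,7 @@ dump_client_config(Options *o, const char *host)
 #ifdef ENABLE_PKCS11
 dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
 #endif
+dump_cfg_string(oSecurityKeyProvider, o->sk_provider);
 dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
 dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
 dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);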
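Review bot: The default assigned in fill_default_options, `options->sk_provider = xstrdup("$SSH_SK_PROVIDER");`, is a literal sentinel string rather than a resolved path, and nothing in readconf.c expands it, so a reader of this file cannot tell whether the `$`-prefixed value is substituted from the environment by the caller or handed to the provider loader as-is. Because SecurityKeyProvider names a shared library that the ssh client loads, the point at which an environment-supplied value is resolved, and whether a `$`-prefixed value written explicitly in a config file is also treated as a variable reference, deserves a comment at the assignment, e.g. `/* Sentinel; resolved from the environment by the caller, not here. */`. dump_client_config prints `o->sk_provider` verbatim, so if it runs before that resolution the `-G` output presumably shows the unexpanded sentinel; worth confirming. fill_default_options starts and ends outside the hunks shown here.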