author | djm@openbsd.org <djm@openbsd.org> | 2019-12-15 18:57:30 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-12-16 14:19:41 +1100 |
commit | 56584cce75f3d20aaa30befc7cbd331d922927f3 (patch) | |
tree | d3e9c2b7c9104b6528758b19eb7fa56dae2fcea6 /servconf.c | |
parent | 5af6fd5461bb709304e6979c8b7856c7af921c9e (diff) |
upstream: allow security keys to act as host keys as well as user
keys.
Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.
ok markus@
OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 18 |
1 files changed, 14 insertions, 4 deletions
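--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.354 2019/11/25 00:52:46 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.355 2019/12/15 18:57:30 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
 options->authorized_keys_command = NULL;
 options->authorized_keys_command_user = NULL;
 options->revoked_keys_file = NULL;
+options->sk_provider = NULL;
 options->trusted_user_ca_keys = NULL;
 options->authorized_principals_file = NULL;
 options->authorized_principals_command = NULL;
@@ -211,7 +212,7 @@ assemble_algorithms(ServerOptions *o)
 ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
 ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
 ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key);
+ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
 ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 #undef ASSEMBLE
 free(all_cipher);
@@ -428,6 +429,8 @@ fill_default_server_options(ServerOptions *options)
 options->disable_forwarding = 0;
 if (options->expose_userauth_info == -1)
 options->expose_userauth_info = 0;
+if (options->sk_provider == NULL)
+options->sk_provider = xstrdup("internal");
 
 assemble_algorithms(options);
 
@@ -447,6 +450,7 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->banner);
 CLEAR_ON_NONE(options->trusted_user_ca_keys);
 CLEAR_ON_NONE(options->revoked_keys_file);
+CLEAR_ON_NONE(options->sk_provider);
 CLEAR_ON_NONE(options->authorized_principals_file);
 CLEAR_ON_NONE(options->adm_forced_command);
 CLEAR_ON_NONE(options->chroot_directory);
@@ -512,7 +516,7 @@ typedef enum {
 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 sStreamLocalBindMask, sStreamLocalBindUnlink,
 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
-sExposeAuthInfo, sRDomain, sPubkeyAuthOptions,
+sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -662,6 +666,7 @@ static struct {
 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
 { "rdomain", sRDomain, SSHCFG_ALL },
 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
 { NULL, sBadOption, 0 }
 };
 
@@ -2025,6 +2030,10 @@ process_server_config_line(ServerOptions *options, char *line,
 charptr = &options->revoked_keys_file;
 goto parse_filename;
 
+case sSecurityKeyProvider:
+charptr = &options->sk_provider;
+goto parse_filename;
+
 case sIPQoS:
 arg = strdelim(&cp);
 if ((value = parse_ipqos(arg)) == -1)
@@ -2646,6 +2655,7 @@ dump_config(ServerOptions *o)
 dump_cfg_string(sChrootDirectory, o->chroot_directory);
 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
 dump_cfg_string(sAuthorizedPrincipalsFile,
 o->authorized_principals_file);
 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
@@ -2664,7 +2674,7 @@ dump_config(ServerOptions *o)
 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
-o->pubkey_key_types : PUBKEY_DEFAULT_PK_ALG);
+o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
 dump_cfg_string(sRDomain, o->routing_domain);
 
 /* string arguments requiring a lookup */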
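Review bot: The new `case sSecurityKeyProvider:` arm in process_server_config_line sends the value through `goto parse_filename`, yet fill_default_server_options uses the literal keyword `internal` as the default, so an explicitly configured `SecurityKeyProvider internal` may not round-trip. The `parse_filename` label lies outside the hunks shown; if it makes relative arguments absolute, as it appears to for the other filename options, the keyword would be stored as a path under sshd's working directory and a provider library would be looked up there instead of selecting the built-in one. Since this value names code that gets loaded for key operations, it would be safer to special-case the keyword before any path handling, e.g. `*charptr = strcasecmp(arg, "internal") == 0 ? xstrdup(arg) : derelativise_path(arg);`. Separately, `CLEAR_ON_NONE(options->sk_provider)` leaves the field NULL after defaults are filled, so consumers of `sk_provider` should be checked for NULL handling, and a short comment at the default such as `/* "internal" selects the built-in provider; anything else is a library path */` would document the two meanings.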