diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-12-15 18:57:30 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-12-16 14:19:41 +1100 |
| commit | 56584cce75f3d20aaa30befc7cbd331d922927f3 (patch) | |
| tree | d3e9c2b7c9104b6528758b19eb7fa56dae2fcea6 /servconf.c | |
| parent | 5af6fd5461bb709304e6979c8b7856c7af921c9e (diff) | |
upstream: allow security keys to act as host keys as well as user
keys.
Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.
ok markus@
OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/servconf.c b/servconf.c index 1f3beab4a..30cd59840 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.354 2019/11/25 00:52:46 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.355 2019/12/15 18:57:30 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options) | |||
| 171 | options->authorized_keys_command = NULL; | 171 | options->authorized_keys_command = NULL; |
| 172 | options->authorized_keys_command_user = NULL; | 172 | options->authorized_keys_command_user = NULL; |
| 173 | options->revoked_keys_file = NULL; | 173 | options->revoked_keys_file = NULL; |
| 174 | options->sk_provider = NULL; | ||
| 174 | options->trusted_user_ca_keys = NULL; | 175 | options->trusted_user_ca_keys = NULL; |
| 175 | options->authorized_principals_file = NULL; | 176 | options->authorized_principals_file = NULL; |
| 176 | options->authorized_principals_command = NULL; | 177 | options->authorized_principals_command = NULL; |
| @@ -211,7 +212,7 @@ assemble_algorithms(ServerOptions *o) | |||
| 211 | ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); | 212 | ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); |
| 212 | ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); | 213 | ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); |
| 213 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | 214 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); |
| 214 | ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key); | 215 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); |
| 215 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 216 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); |
| 216 | #undef ASSEMBLE | 217 | #undef ASSEMBLE |
| 217 | free(all_cipher); | 218 | free(all_cipher); |
| @@ -428,6 +429,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 428 | options->disable_forwarding = 0; | 429 | options->disable_forwarding = 0; |
| 429 | if (options->expose_userauth_info == -1) | 430 | if (options->expose_userauth_info == -1) |
| 430 | options->expose_userauth_info = 0; | 431 | options->expose_userauth_info = 0; |
| 432 | if (options->sk_provider == NULL) | ||
| 433 | options->sk_provider = xstrdup("internal"); | ||
| 431 | 434 | ||
| 432 | assemble_algorithms(options); | 435 | assemble_algorithms(options); |
| 433 | 436 | ||
| @@ -447,6 +450,7 @@ fill_default_server_options(ServerOptions *options) | |||
| 447 | CLEAR_ON_NONE(options->banner); | 450 | CLEAR_ON_NONE(options->banner); |
| 448 | CLEAR_ON_NONE(options->trusted_user_ca_keys); | 451 | CLEAR_ON_NONE(options->trusted_user_ca_keys); |
| 449 | CLEAR_ON_NONE(options->revoked_keys_file); | 452 | CLEAR_ON_NONE(options->revoked_keys_file); |
| 453 | CLEAR_ON_NONE(options->sk_provider); | ||
| 450 | CLEAR_ON_NONE(options->authorized_principals_file); | 454 | CLEAR_ON_NONE(options->authorized_principals_file); |
| 451 | CLEAR_ON_NONE(options->adm_forced_command); | 455 | CLEAR_ON_NONE(options->adm_forced_command); |
| 452 | CLEAR_ON_NONE(options->chroot_directory); | 456 | CLEAR_ON_NONE(options->chroot_directory); |
| @@ -512,7 +516,7 @@ typedef enum { | |||
| 512 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, | 516 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
| 513 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 517 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
| 514 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, | 518 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
| 515 | sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, | 519 | sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, |
| 516 | sDeprecated, sIgnore, sUnsupported | 520 | sDeprecated, sIgnore, sUnsupported |
| 517 | } ServerOpCodes; | 521 | } ServerOpCodes; |
| 518 | 522 | ||
| @@ -662,6 +666,7 @@ static struct { | |||
| 662 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, | 666 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, |
| 663 | { "rdomain", sRDomain, SSHCFG_ALL }, | 667 | { "rdomain", sRDomain, SSHCFG_ALL }, |
| 664 | { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, | 668 | { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, |
| 669 | { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, | ||
| 665 | { NULL, sBadOption, 0 } | 670 | { NULL, sBadOption, 0 } |
| 666 | }; | 671 | }; |
| 667 | 672 | ||
| @@ -2025,6 +2030,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 2025 | charptr = &options->revoked_keys_file; | 2030 | charptr = &options->revoked_keys_file; |
| 2026 | goto parse_filename; | 2031 | goto parse_filename; |
| 2027 | 2032 | ||
| 2033 | case sSecurityKeyProvider: | ||
| 2034 | charptr = &options->sk_provider; | ||
| 2035 | goto parse_filename; | ||
| 2036 | |||
| 2028 | case sIPQoS: | 2037 | case sIPQoS: |
| 2029 | arg = strdelim(&cp); | 2038 | arg = strdelim(&cp); |
| 2030 | if ((value = parse_ipqos(arg)) == -1) | 2039 | if ((value = parse_ipqos(arg)) == -1) |
| @@ -2646,6 +2655,7 @@ dump_config(ServerOptions *o) | |||
| 2646 | dump_cfg_string(sChrootDirectory, o->chroot_directory); | 2655 | dump_cfg_string(sChrootDirectory, o->chroot_directory); |
| 2647 | dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); | 2656 | dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); |
| 2648 | dump_cfg_string(sRevokedKeys, o->revoked_keys_file); | 2657 | dump_cfg_string(sRevokedKeys, o->revoked_keys_file); |
| 2658 | dump_cfg_string(sSecurityKeyProvider, o->sk_provider); | ||
| 2649 | dump_cfg_string(sAuthorizedPrincipalsFile, | 2659 | dump_cfg_string(sAuthorizedPrincipalsFile, |
| 2650 | o->authorized_principals_file); | 2660 | o->authorized_principals_file); |
| 2651 | dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' | 2661 | dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' |
| @@ -2664,7 +2674,7 @@ dump_config(ServerOptions *o) | |||
| 2664 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? | 2674 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? |
| 2665 | o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); | 2675 | o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); |
| 2666 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? | 2676 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? |
| 2667 | o->pubkey_key_types : PUBKEY_DEFAULT_PK_ALG); | 2677 | o->pubkey_key_types : KEX_DEFAULT_PK_ALG); |
| 2668 | dump_cfg_string(sRDomain, o->routing_domain); | 2678 | dump_cfg_string(sRDomain, o->routing_domain); |
| 2669 | 2679 | ||
| 2670 | /* string arguments requiring a lookup */ | 2680 | /* string arguments requiring a lookup */ |