author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:52:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:40 +1100 |
commit | 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (patch) | |
tree | d7fe4a4f7cd92c565a765e21b7cb19b9c7544d29 /servconf.c | |
parent | b7e74ea072919b31391bc0f5ff653f80b9f5e84f (diff) |
upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 33 |
1 files changed, 31 insertions, 2 deletions
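diff --git a/servconf.c b/servconf.c
index e2f44d38d..1f3beab4a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.353 2019/10/31 21:17:49 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.354 2019/11/25 00:52:46 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -118,6 +118,7 @@ initialize_server_options(ServerOptions *options)
 options->hostbased_key_types = NULL;
 options->hostkeyalgorithms = NULL;
 options->pubkey_authentication = -1;
+options->pubkey_auth_options = -1;
 options->pubkey_key_types = NULL;
 options->kerberos_authentication = -1;
 options->kerberos_or_local_passwd = -1;
@@ -341,6 +342,8 @@ fill_default_server_options(ServerOptions *options)
 options->hostbased_uses_name_from_packet_only = 0;
 if (options->pubkey_authentication == -1)
 options->pubkey_authentication = 1;
+if (options->pubkey_auth_options == -1)
+options->pubkey_auth_options = 0;
 if (options->kerberos_authentication == -1)
 options->kerberos_authentication = 0;
 if (options->kerberos_or_local_passwd == -1)
@@ -509,7 +512,7 @@ typedef enum {
 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 sStreamLocalBindMask, sStreamLocalBindUnlink,
 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
-sExposeAuthInfo, sRDomain,
+sExposeAuthInfo, sRDomain, sPubkeyAuthOptions,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -551,6 +554,7 @@ static struct {
 { "rsaauthentication", sDeprecated, SSHCFG_ALL },
 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
+{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
@@ -1468,6 +1472,24 @@ process_server_config_line(ServerOptions *options, char *line,
 charptr = &options->pubkey_key_types;
 goto parse_keytypes;
 
+case sPubkeyAuthOptions:
+intptr = &options->pubkey_auth_options;
+value = 0;
+while ((arg = strdelim(&cp)) && *arg != '\0') {
+if (strcasecmp(arg, "none") == 0)
+continue;
+if (strcasecmp(arg, "touch-required") == 0)
+value |= PUBKEYAUTH_TOUCH_REQUIRED;
+else {
+fatal("%s line %d: unsupported "
+"PubkeyAuthOptions option %s",
+filename, linenum, arg);
+}
+}
+if (*activep && *intptr == -1)
+*intptr = value;
+break;
+
 case sKerberosAuthentication:
 intptr = &options->kerberos_authentication;
 goto parse_flag;
@@ -2290,6 +2312,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(password_authentication);
 M_CP_INTOPT(gss_authentication);
 M_CP_INTOPT(pubkey_authentication);
+M_CP_INTOPT(pubkey_auth_options);
 M_CP_INTOPT(kerberos_authentication);
 M_CP_INTOPT(hostbased_authentication);
 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
@@ -2711,4 +2734,10 @@ dump_config(ServerOptions *o)
 o->permit_user_env_whitelist);
 }
 
+printf("pubkeyauthoptions");
+if (o->pubkey_auth_options == 0)
+printf(" none");
+if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
+printf(" touch-required");
+printf("\n");
 }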
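Review bot: The keyword accepted by the new sPubkeyAuthOptions case is `touch-required`, while the commit description says the directive's single option is `no-touch-required`; with the filled-in default of 0 (printed as `none` by dump_config) this reads as "presence is not enforced unless the option is set", the inverse of what the description implies, so the description and the sshd_config(5) text should be brought in line with the code (the enforcement site is not in this diff, so the exact effect of the flag is inferred). A bare `PubkeyAuthOptions` line with no argument leaves the while loop without iterating, `value` stays 0, and the directive is silently recorded as `none` rather than rejected the way neighbouring directives reject a missing argument; consider `if (cp == NULL || *cp == '\0') fatal("%s line %d: missing PubkeyAuthOptions argument", filename, linenum);` before the loop, assuming `cp` points at the unparsed remainder of the line here as the other cases' use of strdelim suggests. The enclosing switch in process_server_config_line starts and ends outside the hunk.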