authordjm@openbsd.org <djm@openbsd.org>2019-11-25 00:52:46 +0000
committerDamien Miller <djm@mindrot.org>2019-11-25 12:23:40 +1100
commit0fddf2967ac51d518e300408a0d7e6adf4cd2634 (patch)
treed7fe4a4f7cd92c565a765e21b7cb19b9c7544d29 /servconf.c
parentb7e74ea072919b31391bc0f5ff653f80b9f5e84f (diff)
upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key). ok markus@ OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c33
1 files changed, 31 insertions, 2 deletions
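--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.353 2019/10/31 21:17:49 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.354 2019/11/25 00:52:46 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -118,6 +118,7 @@ initialize_server_options(ServerOptions *options)
 	options->hostbased_key_types = NULL;
 	options->hostkeyalgorithms = NULL;
 	options->pubkey_authentication = -1;
+	options->pubkey_auth_options = -1;
 	options->pubkey_key_types = NULL;
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
@@ -341,6 +342,8 @@ fill_default_server_options(ServerOptions *options)
 	options->hostbased_uses_name_from_packet_only = 0;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
+	if (options->pubkey_auth_options == -1)
+		options->pubkey_auth_options = 0;
 	if (options->kerberos_authentication == -1)
 		options->kerberos_authentication = 0;
 	if (options->kerberos_or_local_passwd == -1)
@@ -509,7 +512,7 @@ typedef enum {
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
-	sExposeAuthInfo, sRDomain,
+	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions,
 	sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -551,6 +554,7 @@ static struct {
 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
+	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
 	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
@@ -1468,6 +1472,24 @@ process_server_config_line(ServerOptions *options, char *line,
 		charptr = &options->pubkey_key_types;
 		goto parse_keytypes;
 
+	case sPubkeyAuthOptions:
+		intptr = &options->pubkey_auth_options;
+		value = 0;
+		while ((arg = strdelim(&cp)) && *arg != '\0') {
+			if (strcasecmp(arg, "none") == 0)
+				continue;
+			if (strcasecmp(arg, "touch-required") == 0)
+				value |= PUBKEYAUTH_TOUCH_REQUIRED;
+			else {
+				fatal("%s line %d: unsupported "
+				    "PubkeyAuthOptions option %s",
+				    filename, linenum, arg);
+			}
+		}
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
 	case sKerberosAuthentication:
 		intptr = &options->kerberos_authentication;
 		goto parse_flag;
@@ -2290,6 +2312,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(password_authentication);
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_INTOPT(pubkey_auth_options);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
@@ -2711,4 +2734,10 @@ dump_config(ServerOptions *o)
 	    o->permit_user_env_whitelist);
 	}
 
+	printf("pubkeyauthoptions");
+	if (o->pubkey_auth_options == 0)
+		printf(" none");
+	if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
+		printf(" touch-required");
+	printf("\n");
 }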
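Review bot: The option vocabulary in the commit description does not match the parser: the description says the single valid option is `no-touch-required` and that it makes sshd skip the user-presence check, while the `sPubkeyAuthOptions` case in `process_server_config_line` accepts only `none` and `touch-required` (with 0, i.e. `none`, as the default set in `fill_default_server_options`, and `dump_config` printing the same two words), so an administrator following the description gets `unsupported PubkeyAuthOptions option` at config load rather than the setting they intended. The description should name `touch-required`, and the case would benefit from a comment pinning the accepted tokens, e.g. `/* tokens: "none" (clear), "touch-required" (PUBKEYAUTH_TOUCH_REQUIRED); unknown tokens are fatal */`. A `PubkeyAuthOptions` line with no argument also falls straight through the while loop and stores 0, which is indistinguishable from an explicit `none`; if the neighbouring directives in this file reject a missing argument, this case should track whether the loop consumed at least one token and `fatal()` with the same missing-argument message when it did not. Mixing `none` with `touch-required` on one line is silently accepted as `touch-required`, which may be fine but is worth stating in the comment so the dump output is not mistaken for a parse error. `process_server_config_line` starts and ends outside this hunk, so the declaration of `value` and the definition of `PUBKEYAUTH_TOUCH_REQUIRED` cannot be confirmed from here.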