summaryrefslogtreecommitdiff
path: root/ssh-add.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2020-08-31 04:33:17 +0000
committerDamien Miller <djm@mindrot.org>2020-08-31 14:34:41 +1000
commit785f0f315bf7ac5909e988bb1ac3e019fb5e1594 (patch)
tree557a9faa23b6724a7378ed1a8a0b2f0fddd387b7 /ssh-add.c
parent39e88aeff9c7cb6862b37ad1a87a03ebbb38c233 (diff)
upstream: refuse to add verify-required (PINful) FIDO keys to
ssh-agent until the agent supports them properly OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e
Diffstat (limited to 'ssh-add.c')
-rw-r--r--ssh-add.c23
1 files changed, 16 insertions, 7 deletions
diff --git a/ssh-add.c b/ssh-add.c
index 931197474..936dc2128 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-add.c,v 1.156 2020/06/26 05:04:07 djm Exp $ */ 1/* $OpenBSD: ssh-add.c,v 1.157 2020/08/31 04:33:17 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -67,6 +67,7 @@
67#include "ssherr.h" 67#include "ssherr.h"
68#include "digest.h" 68#include "digest.h"
69#include "ssh-sk.h" 69#include "ssh-sk.h"
70#include "sk-api.h"
70 71
71/* argv0 */ 72/* argv0 */
72extern char *__progname; 73extern char *__progname;
@@ -348,12 +349,20 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
348 ssh_free_identitylist(idlist); 349 ssh_free_identitylist(idlist);
349 } 350 }
350 351
351 if (!sshkey_is_sk(private)) 352 if (sshkey_is_sk(private)) {
352 skprovider = NULL; /* Don't send constraint for other keys */ 353 if (skprovider == NULL) {
353 else if (skprovider == NULL) { 354 fprintf(stderr, "Cannot load FIDO key %s "
354 fprintf(stderr, "Cannot load authenticator-hosted key %s " 355 "without provider\n", filename);
355 "without provider\n", filename); 356 goto out;
356 goto out; 357 }
358 if ((private->sk_flags & SSH_SK_USER_VERIFICATION_REQD) != 0) {
359 fprintf(stderr, "FIDO verify-required key %s is not "
360 "currently supported by ssh-agent\n", filename);
361 goto out;
362 }
363 } else {
364 /* Don't send provider constraint for other keys */
365 skprovider = NULL;
357 } 366 }
358 367
359 if ((r = ssh_add_identity_constrained(agent_fd, private, comment, 368 if ((r = ssh_add_identity_constrained(agent_fd, private, comment,