author | djm@openbsd.org <djm@openbsd.org> | 2020-08-31 04:33:17 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-08-31 14:34:41 +1000 |
commit | 785f0f315bf7ac5909e988bb1ac3e019fb5e1594 (patch) | |
tree | 557a9faa23b6724a7378ed1a8a0b2f0fddd387b7 /ssh-add.c | |
parent | 39e88aeff9c7cb6862b37ad1a87a03ebbb38c233 (diff) |
upstream: refuse to add verify-required (PINful) FIDO keys to
ssh-agent until the agent supports them properly
OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e
Diffstat (limited to 'ssh-add.c')
-rw-r--r-- | ssh-add.c | 23 |
1 files changed, 16 insertions, 7 deletions
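--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.156 2020/06/26 05:04:07 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.157 2020/08/31 04:33:17 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -67,6 +67,7 @@
 #include "ssherr.h"
 #include "digest.h"
 #include "ssh-sk.h"
+#include "sk-api.h"
 
 /* argv0 */
 extern char *__progname;
@@ -348,12 +349,20 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
 ssh_free_identitylist(idlist);
 }
 
-if (!sshkey_is_sk(private))
-skprovider = NULL; /* Don't send constraint for other keys */
-else if (skprovider == NULL) {
-fprintf(stderr, "Cannot load authenticator-hosted key %s "
-"without provider\n", filename);
-goto out;
+if (sshkey_is_sk(private)) {
+if (skprovider == NULL) {
+fprintf(stderr, "Cannot load FIDO key %s "
+"without provider\n", filename);
+goto out;
+}
+if ((private->sk_flags & SSH_SK_USER_VERIFICATION_REQD) != 0) {
+fprintf(stderr, "FIDO verify-required key %s is not "
+"currently supported by ssh-agent\n", filename);
+goto out;
+}
+} else {
+/* Don't send provider constraint for other keys */
+skprovider = NULL;
 }
 
 if ((r = ssh_add_identity_constrained(agent_fd, private, comment,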
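Review bot: The new SSH_SK_USER_VERIFICATION_REQD rejection in add_file carries no comment saying what the agent is missing, so a later maintainer cannot tell from the code when the guard becomes safe to drop; a one-line comment above the check, `/* ssh-agent cannot yet perform user verification (PIN) for these keys; refuse rather than load a key it cannot use */`, would record the reason the commit message gives. This check is also client-side only: it stops ssh-add from sending such a key, but presumably does not prevent another agent client from adding one, so the agent side likely still needs its own handling — that code is not on this page. The `out` label and the return value set on these paths lie outside the hunk, as does the rest of add_file.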