diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-11-12 22:36:44 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-11-13 10:15:47 +1100 |
| commit | e44bb61824e36d0d181a08489c16c378c486a974 (patch) | |
| tree | 5993043d43eb51fe1f33d95466e01dc7bee751e2 /ssh-agent.c | |
| parent | 4671211068441519011ac0e38c588317f4157ba1 (diff) | |
upstream: security keys typically need to be tapped/touched in
order to perform a signature operation. Notify the user when this is expected
via the TTY (if available) or $SSH_ASKPASS if we can.
ok markus@
OpenBSD-Commit-ID: 0ef90a99a85d4a2a07217a58efb4df8444818609
Diffstat (limited to 'ssh-agent.c')
| -rw-r--r-- | ssh-agent.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/ssh-agent.c b/ssh-agent.c index dd9f85ae7..eb17b18b2 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-agent.c,v 1.240 2019/11/12 19:33:08 markus Exp $ */ | 1 | /* $OpenBSD: ssh-agent.c,v 1.241 2019/11/12 22:36:44 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -289,9 +289,10 @@ provider_sign(const char *provider, struct sshkey *key, | |||
| 289 | { | 289 | { |
| 290 | int status, pair[2], r = SSH_ERR_INTERNAL_ERROR; | 290 | int status, pair[2], r = SSH_ERR_INTERNAL_ERROR; |
| 291 | pid_t pid; | 291 | pid_t pid; |
| 292 | char *helper, *verbosity = NULL; | 292 | char *helper, *verbosity = NULL, *fp = NULL; |
| 293 | struct sshbuf *kbuf, *req, *resp; | 293 | struct sshbuf *kbuf, *req, *resp; |
| 294 | u_char version; | 294 | u_char version; |
| 295 | struct notifier_ctx *notifier = NULL; | ||
| 295 | 296 | ||
| 296 | debug3("%s: start for provider %s", __func__, provider); | 297 | debug3("%s: start for provider %s", __func__, provider); |
| 297 | 298 | ||
| @@ -344,10 +345,17 @@ provider_sign(const char *provider, struct sshkey *key, | |||
| 344 | error("%s: send: %s", __func__, ssh_err(r)); | 345 | error("%s: send: %s", __func__, ssh_err(r)); |
| 345 | goto out; | 346 | goto out; |
| 346 | } | 347 | } |
| 348 | if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, | ||
| 349 | SSH_FP_DEFAULT)) == NULL) | ||
| 350 | fatal("%s: sshkey_fingerprint failed", __func__); | ||
| 351 | notifier = notify_start(0, | ||
| 352 | "Confirm user presence for key %s %s", sshkey_type(key), fp); | ||
| 347 | if ((r = ssh_msg_recv(pair[0], resp)) != 0) { | 353 | if ((r = ssh_msg_recv(pair[0], resp)) != 0) { |
| 348 | error("%s: receive: %s", __func__, ssh_err(r)); | 354 | error("%s: receive: %s", __func__, ssh_err(r)); |
| 349 | goto out; | 355 | goto out; |
| 350 | } | 356 | } |
| 357 | notify_complete(notifier); | ||
| 358 | notifier = NULL; | ||
| 351 | if ((r = sshbuf_get_u8(resp, &version)) != 0) { | 359 | if ((r = sshbuf_get_u8(resp, &version)) != 0) { |
| 352 | error("%s: parse version: %s", __func__, ssh_err(r)); | 360 | error("%s: parse version: %s", __func__, ssh_err(r)); |
| 353 | goto out; | 361 | goto out; |
| @@ -375,6 +383,7 @@ provider_sign(const char *provider, struct sshkey *key, | |||
| 375 | if (errno != EINTR) | 383 | if (errno != EINTR) |
| 376 | fatal("%s: waitpid: %s", __func__, ssh_err(r)); | 384 | fatal("%s: waitpid: %s", __func__, ssh_err(r)); |
| 377 | } | 385 | } |
| 386 | notify_complete(notifier); | ||
| 378 | if (!WIFEXITED(status)) { | 387 | if (!WIFEXITED(status)) { |
| 379 | error("%s: helper %s exited abnormally", __func__, helper); | 388 | error("%s: helper %s exited abnormally", __func__, helper); |
| 380 | if (r == 0) | 389 | if (r == 0) |