upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
author: djm@openbsd.org <djm@openbsd.org> 2019-11-25 00:54:23 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-25 12:23:40 +1100
commit: 2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree: b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /ssh-keygen.1
parent: 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)
1 files changed, 10 insertions, 2 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index feaa69efe..06aead348 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.176 2019/11/18 23:16:49 naddy Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 18 2019 $
+.Dd $Mdocdate: November 25 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -534,6 +534,14 @@ by
 .It Ic permit-X11-forwarding
 Allows X11 forwarding.
 .Pp
+.It Ic no-touch-required
+Do not require signatures made using this key require demonstration
+of user presence (e.g. by having the user touch the key).
+This option only makes sense for the Security Key algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
+.Pp
 .It Ic source-address Ns = Ns Ar address_list
 Restrict the source addresses from which the certificate is considered valid.
 The
author	djm@openbsd.org <djm@openbsd.org>	2019-11-25 00:54:23 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-25 12:23:40 +1100
commit	2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree	b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /ssh-keygen.1
parent	0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index feaa69efe..06aead348 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.176 2019/11/18 23:16:49 naddy Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: November 18 2019 $	38	.Dd $Mdocdate: November 25 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -534,6 +534,14 @@ by
534	.It Ic permit-X11-forwarding	534	.It Ic permit-X11-forwarding
535	Allows X11 forwarding.	535	Allows X11 forwarding.
536	.Pp	536	.Pp
		537	.It Ic no-touch-required
		538	Do not require signatures made using this key require demonstration
		539	of user presence (e.g. by having the user touch the key).
		540	This option only makes sense for the Security Key algorithms
		541	.Cm ecdsa-sk
		542	and
		543	.Cm ed25519-sk .
		544	.Pp
537	.It Ic source-address Ns = Ns Ar address_list	545	.It Ic source-address Ns = Ns Ar address_list
538	Restrict the source addresses from which the certificate is considered valid.	546	Restrict the source addresses from which the certificate is considered valid.
539	The	547	The