diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 09:49:52 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-12-30 21:02:29 +1100 |
| commit | 3093d12ff80927cf45da08d9f262a26680fb14ee (patch) | |
| tree | ab91da4fce3c19c5518e03dd6db6202d75455f86 /ssh-keygen.c | |
| parent | ef65e7dbaa8fac3245aa2bfc9f7e09be7cba0d9d (diff) | |
upstream: Remove the -x option currently used for
FIDO/U2F-specific key flags. Instead these flags may be specified via -O.
ok markus@
OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 45 |
1 files changed, 22 insertions, 23 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 696891e0e..3640a3c37 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.380 2019/12/30 09:49:52 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -2932,7 +2932,7 @@ main(int argc, char **argv) | |||
| 2932 | int prefer_agent = 0, convert_to = 0, convert_from = 0; | 2932 | int prefer_agent = 0, convert_to = 0, convert_from = 0; |
| 2933 | int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; | 2933 | int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; |
| 2934 | int do_gen_candidates = 0, do_screen_candidates = 0; | 2934 | int do_gen_candidates = 0, do_screen_candidates = 0; |
| 2935 | unsigned long long ull, cert_serial = 0; | 2935 | unsigned long long cert_serial = 0; |
| 2936 | char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; | 2936 | char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; |
| 2937 | size_t i, nopts = 0; | 2937 | size_t i, nopts = 0; |
| 2938 | u_int32_t bits = 0; | 2938 | u_int32_t bits = 0; |
| @@ -2965,10 +2965,10 @@ main(int argc, char **argv) | |||
| 2965 | 2965 | ||
| 2966 | sk_provider = getenv("SSH_SK_PROVIDER"); | 2966 | sk_provider = getenv("SSH_SK_PROVIDER"); |
| 2967 | 2967 | ||
| 2968 | /* Remaining characters: dGjJKSTW */ | 2968 | /* Remaining characters: dGjJKSTWx */ |
| 2969 | while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy" | 2969 | while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy" |
| 2970 | "C:D:E:F:I:M:N:O:P:R:V:Y:Z:" | 2970 | "C:D:E:F:I:M:N:O:P:R:V:Y:Z:" |
| 2971 | "a:b:f:g:m:n:r:s:t:w:x:z:")) != -1) { | 2971 | "a:b:f:g:m:n:r:s:t:w:z:")) != -1) { |
| 2972 | switch (opt) { | 2972 | switch (opt) { |
| 2973 | case 'A': | 2973 | case 'A': |
| 2974 | gen_all_hostkeys = 1; | 2974 | gen_all_hostkeys = 1; |
| @@ -3130,25 +3130,6 @@ main(int argc, char **argv) | |||
| 3130 | case 'w': | 3130 | case 'w': |
| 3131 | sk_provider = optarg; | 3131 | sk_provider = optarg; |
| 3132 | break; | 3132 | break; |
| 3133 | case 'x': | ||
| 3134 | if (*optarg == '\0') | ||
| 3135 | fatal("Missing security key flags"); | ||
| 3136 | if (strcasecmp(optarg, "no-touch-required") == 0) | ||
| 3137 | sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; | ||
| 3138 | else if (strcasecmp(optarg, "resident") == 0) | ||
| 3139 | sk_flags |= SSH_SK_RESIDENT_KEY; | ||
| 3140 | else { | ||
| 3141 | ull = strtoull(optarg, &ep, 0); | ||
| 3142 | if (*ep != '\0') | ||
| 3143 | fatal("Security key flags \"%s\" is " | ||
| 3144 | "not a number", optarg); | ||
| 3145 | if (ull > 0xff) { | ||
| 3146 | fatal("Invalid security key " | ||
| 3147 | "flags 0x%llx", ull); | ||
| 3148 | } | ||
| 3149 | sk_flags = (uint8_t)ull; | ||
| 3150 | } | ||
| 3151 | break; | ||
| 3152 | case 'z': | 3133 | case 'z': |
| 3153 | errno = 0; | 3134 | errno = 0; |
| 3154 | if (*optarg == '+') { | 3135 | if (*optarg == '+') { |
| @@ -3361,6 +3342,20 @@ main(int argc, char **argv) | |||
| 3361 | switch (type) { | 3342 | switch (type) { |
| 3362 | case KEY_ECDSA_SK: | 3343 | case KEY_ECDSA_SK: |
| 3363 | case KEY_ED25519_SK: | 3344 | case KEY_ED25519_SK: |
| 3345 | for (i = 0; i < nopts; i++) { | ||
| 3346 | if (strcasecmp(opts[i], "no-touch-required") == 0) { | ||
| 3347 | sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; | ||
| 3348 | } else if (strcasecmp(opts[i], "resident") == 0) { | ||
| 3349 | sk_flags |= SSH_SK_RESIDENT_KEY; | ||
| 3350 | } else { | ||
| 3351 | fatal("Option \"%s\" is unsupported for " | ||
| 3352 | "FIDO authenticator enrollment", opts[i]); | ||
| 3353 | } | ||
| 3354 | } | ||
| 3355 | if (!quiet) { | ||
| 3356 | printf("You may need to touch your security key " | ||
| 3357 | "to authorize key generation.\n"); | ||
| 3358 | } | ||
| 3364 | passphrase1 = NULL; | 3359 | passphrase1 = NULL; |
| 3365 | for (i = 0 ; i < 3; i++) { | 3360 | for (i = 0 ; i < 3; i++) { |
| 3366 | if (!quiet) { | 3361 | if (!quiet) { |
| @@ -3375,9 +3370,13 @@ main(int argc, char **argv) | |||
| 3375 | break; | 3370 | break; |
| 3376 | if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) | 3371 | if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) |
| 3377 | exit(1); /* error message already printed */ | 3372 | exit(1); /* error message already printed */ |
| 3373 | if (passphrase1 != NULL) | ||
| 3374 | freezero(passphrase1, strlen(passphrase1)); | ||
| 3378 | passphrase1 = read_passphrase("Enter PIN for security " | 3375 | passphrase1 = read_passphrase("Enter PIN for security " |
| 3379 | "key: ", RP_ALLOW_STDIN); | 3376 | "key: ", RP_ALLOW_STDIN); |
| 3380 | } | 3377 | } |
| 3378 | if (passphrase1 != NULL) | ||
| 3379 | freezero(passphrase1, strlen(passphrase1)); | ||
| 3381 | if (i > 3) | 3380 | if (i > 3) |
| 3382 | fatal("Too many incorrect PINs"); | 3381 | fatal("Too many incorrect PINs"); |
| 3383 | break; | 3382 | break; |