diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-12-10 22:37:20 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-12-11 19:08:22 +1100 |
| commit | 516605f2d596884cedc2beed6b262716ec76f63d (patch) | |
| tree | 8f255c66cb2dcd7b795e14cc735607365c18b575 /ssh-keygen.c | |
| parent | c4036fe75ea5a4d03a2a40be1f3660dcbbfa01b2 (diff) | |
upstream: when acting as a CA and using a security key as the CA
key, remind the user to touch they key to authorise the signature.
OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index a5d09c2a1..e90b85ffa 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.373 2019/11/25 00:57:27 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -1735,10 +1735,12 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, | |||
| 1735 | int r, i, fd, found, agent_fd = -1; | 1735 | int r, i, fd, found, agent_fd = -1; |
| 1736 | u_int n; | 1736 | u_int n; |
| 1737 | struct sshkey *ca, *public; | 1737 | struct sshkey *ca, *public; |
| 1738 | char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL; | 1738 | char valid[64], *otmp, *tmp, *cp, *out, *comment; |
| 1739 | char *ca_fp = NULL, **plist = NULL; | ||
| 1739 | FILE *f; | 1740 | FILE *f; |
| 1740 | struct ssh_identitylist *agent_ids; | 1741 | struct ssh_identitylist *agent_ids; |
| 1741 | size_t j; | 1742 | size_t j; |
| 1743 | struct notifier_ctx *notifier = NULL; | ||
| 1742 | 1744 | ||
| 1743 | #ifdef ENABLE_PKCS11 | 1745 | #ifdef ENABLE_PKCS11 |
| 1744 | pkcs11_init(1); | 1746 | pkcs11_init(1); |
| @@ -1784,6 +1786,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, | |||
| 1784 | fatal("CA key type %s doesn't match specified %s", | 1786 | fatal("CA key type %s doesn't match specified %s", |
| 1785 | sshkey_ssh_name(ca), key_type_name); | 1787 | sshkey_ssh_name(ca), key_type_name); |
| 1786 | } | 1788 | } |
| 1789 | ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT); | ||
| 1787 | 1790 | ||
| 1788 | for (i = 0; i < argc; i++) { | 1791 | for (i = 0; i < argc; i++) { |
| 1789 | /* Split list of principals */ | 1792 | /* Split list of principals */ |
| @@ -1834,8 +1837,16 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, | |||
| 1834 | fatal("Couldn't certify key %s via agent: %s", | 1837 | fatal("Couldn't certify key %s via agent: %s", |
| 1835 | tmp, ssh_err(r)); | 1838 | tmp, ssh_err(r)); |
| 1836 | } else { | 1839 | } else { |
| 1837 | if ((r = sshkey_certify(public, ca, key_type_name, | 1840 | if (sshkey_is_sk(ca) && |
| 1838 | sk_provider)) != 0) | 1841 | (ca->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { |
| 1842 | notifier = notify_start(0, | ||
| 1843 | "Confirm user presence for key %s %s", | ||
| 1844 | sshkey_type(ca), ca_fp); | ||
| 1845 | } | ||
| 1846 | r = sshkey_certify(public, ca, key_type_name, | ||
| 1847 | sk_provider); | ||
| 1848 | notify_complete(notifier); | ||
| 1849 | if (r != 0) | ||
| 1839 | fatal("Couldn't certify key %s: %s", | 1850 | fatal("Couldn't certify key %s: %s", |
| 1840 | tmp, ssh_err(r)); | 1851 | tmp, ssh_err(r)); |
| 1841 | } | 1852 | } |
| @@ -1873,6 +1884,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, | |||
| 1873 | if (cert_serial_autoinc) | 1884 | if (cert_serial_autoinc) |
| 1874 | cert_serial++; | 1885 | cert_serial++; |
| 1875 | } | 1886 | } |
| 1887 | free(ca_fp); | ||
| 1876 | #ifdef ENABLE_PKCS11 | 1888 | #ifdef ENABLE_PKCS11 |
| 1877 | pkcs11_terminate(); | 1889 | pkcs11_terminate(); |
| 1878 | #endif | 1890 | #endif |