diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-03-13 03:12:17 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-03-14 19:38:53 +1100 |
| commit | c084a2d040f160bc2b83f13297e3e3ca3f5dbac6 (patch) | |
| tree | 282b84cea2fb389cd810459fe590dcb489b055cc /ssh-keygen.c | |
| parent | 955c4cf4c6a1417c28d4e1040702c4d9bf63645b (diff) | |
upstream: when downloading FIDO2 resident keys from a token, don't
prompt for a PIN until the token has told us that it needs one. Avoids
double-prompting on devices that implement on-device authentication (e.g. a
touchscreen PIN pad on the Trezor Model T). ok dtucker@
OpenBSD-Commit-ID: 38b78903dd4422d7d3204095a31692fb69130817
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index aa4ec0655..cf8e1ba97 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.402 2020/03/06 18:29:14 markus Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.403 2020/03/13 03:12:17 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -2960,18 +2960,25 @@ do_download_sk(const char *skprovider, const char *device) | |||
| 2960 | struct sshkey **keys; | 2960 | struct sshkey **keys; |
| 2961 | size_t nkeys, i; | 2961 | size_t nkeys, i; |
| 2962 | int r, ok = -1; | 2962 | int r, ok = -1; |
| 2963 | char *fp, *pin, *pass = NULL, *path, *pubpath; | 2963 | char *fp, *pin = NULL, *pass = NULL, *path, *pubpath; |
| 2964 | const char *ext; | 2964 | const char *ext; |
| 2965 | 2965 | ||
| 2966 | if (skprovider == NULL) | 2966 | if (skprovider == NULL) |
| 2967 | fatal("Cannot download keys without provider"); | 2967 | fatal("Cannot download keys without provider"); |
| 2968 | 2968 | ||
| 2969 | pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); | 2969 | for (i = 0; i < 2; i++) { |
| 2970 | if ((r = sshsk_load_resident(skprovider, device, pin, | 2970 | if (i == 1) { |
| 2971 | &keys, &nkeys)) != 0) { | 2971 | pin = read_passphrase("Enter PIN for authenticator: ", |
| 2972 | freezero(pin, strlen(pin)); | 2972 | RP_ALLOW_STDIN); |
| 2973 | error("Unable to load resident keys: %s", ssh_err(r)); | 2973 | } |
| 2974 | return -1; | 2974 | if ((r = sshsk_load_resident(skprovider, device, pin, |
| 2975 | &keys, &nkeys)) != 0) { | ||
| 2976 | if (i == 0 && r == SSH_ERR_KEY_WRONG_PASSPHRASE) | ||
| 2977 | continue; | ||
| 2978 | freezero(pin, strlen(pin)); | ||
| 2979 | error("Unable to load resident keys: %s", ssh_err(r)); | ||
| 2980 | return -1; | ||
| 2981 | } | ||
| 2975 | } | 2982 | } |
| 2976 | if (nkeys == 0) | 2983 | if (nkeys == 0) |
| 2977 | logit("No keys to download"); | 2984 | logit("No keys to download"); |