author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:54:23 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:40 +1100 |
commit | 2e71263b80fec7ad977e098004fef7d122169d40 (patch) | |
tree | b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /sshd.8 | |
parent | 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff) |
upstream: add a "no-touch-required" option for authorized_keys and
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.
feedback deraadt, ok markus
OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 13 |
1 files changed, 11 insertions, 2 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd.8,v 1.306 2019/11/18 04:55:02 djm Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.307 2019/11/25 00:54:23 djm Exp $ |
37 | .Dd $Mdocdate: November 18 2019 $ | 37 | .Dd $Mdocdate: November 25 2019 $ |
38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -627,6 +627,13 @@ option. | |||
627 | Permits tty allocation previously disabled by the | 627 | Permits tty allocation previously disabled by the |
628 | .Cm restrict | 628 | .Cm restrict |
629 | option. | 629 | option. |
630 | .It Cm no-touch-required | ||
631 | Do not require demonstration of user presence | ||
632 | for signatures made using this key. | ||
633 | This option only makes sense for the Security Key algorithms | ||
634 | .Cm ecdsa-sk | ||
635 | and | ||
636 | .Cm ed25519-sk . | ||
630 | .It Cm restrict | 637 | .It Cm restrict |
631 | Enable all restrictions, i.e. disable port, agent and X11 forwarding, | 638 | Enable all restrictions, i.e. disable port, agent and X11 forwarding, |
632 | as well as disabling PTY allocation | 639 | as well as disabling PTY allocation |
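Review bot: The new no-touch-required entry (new lines 630-636) never says that user presence is required by default, and it does not say how the option interacts with the restrict entry that follows it. The commit message states the default explicitly ("disables the default requirement that security key signatures attest that the user touched their key"), but the manual text only says "Do not require demonstration of user presence", so a reader of sshd.8 alone cannot tell that this weakens a default check. Suggest adding one sentence stating the default. Also suggest stating whether restrict re-enables the touch requirement, since its description lists only port, agent and X11 forwarding and PTY allocation.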
@@ -670,6 +677,8 @@ restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== | |||
670 | user@example.net | 677 | user@example.net |
671 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== | 678 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== |
672 | user@example.net | 679 | user@example.net |
680 | no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko== | ||
681 | user@example.net | ||
673 | .Ed | 682 | .Ed |
674 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | 683 | .Sh SSH_KNOWN_HOSTS FILE FORMAT |
675 | The | 684 | The |
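Review bot: The example added at new lines 680-681 uses the key type sk-ecdsa-sha2-nistp256@openssh.com, but the option text added earlier in this patch names the algorithms as ecdsa-sk and ed25519-sk, and nothing in the visible text connects the two spellings. Suggest either using the same naming in both places or adding a short note to the option description giving the key type strings as they appear in authorized_keys. The two examples just above this one start from restrict, so it would also help to show whether no-touch-required is meant to be combined with restrict in the same way.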