upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
author: djm@openbsd.org <djm@openbsd.org> 2019-11-25 00:54:23 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-25 12:23:40 +1100
commit: 2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree: b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /sshd.8
parent: 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/sshd.8 b/sshd.8
index 042610a03..b32da282f 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.306 2019/11/18 04:55:02 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.307 2019/11/25 00:54:23 djm Exp $
-.Dd $Mdocdate: November 18 2019 $
+.Dd $Mdocdate: November 25 2019 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -627,6 +627,13 @@ option.
 Permits tty allocation previously disabled by the
 .Cm restrict
 option.
+.It Cm no-touch-required
+Do not require demonstration of user presence
+for signatures made using this key.
+This option only makes sense for the Security Key algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
 .It Cm restrict
 Enable all restrictions, i.e. disable port, agent and X11 forwarding,
 as well as disabling PTY allocation
@@ -670,6 +677,8 @@ restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
 user@example.net
 restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
 user@example.net
+no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
+user@example.net
 .Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The
author	djm@openbsd.org <djm@openbsd.org>	2019-11-25 00:54:23 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-25 12:23:40 +1100
commit	2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree	b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /sshd.8
parent	0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)

diff --git a/sshd.8 b/sshd.8 index 042610a03..b32da282f 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.306 2019/11/18 04:55:02 djm Exp $	36	.\" $OpenBSD: sshd.8,v 1.307 2019/11/25 00:54:23 djm Exp $
37	.Dd $Mdocdate: November 18 2019 $	37	.Dd $Mdocdate: November 25 2019 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -627,6 +627,13 @@ option.
627	Permits tty allocation previously disabled by the	627	Permits tty allocation previously disabled by the
628	.Cm restrict	628	.Cm restrict
629	option.	629	option.
		630	.It Cm no-touch-required
		631	Do not require demonstration of user presence
		632	for signatures made using this key.
		633	This option only makes sense for the Security Key algorithms
		634	.Cm ecdsa-sk
		635	and
		636	.Cm ed25519-sk .
630	.It Cm restrict	637	.It Cm restrict
631	Enable all restrictions, i.e. disable port, agent and X11 forwarding,	638	Enable all restrictions, i.e. disable port, agent and X11 forwarding,
632	as well as disabling PTY allocation	639	as well as disabling PTY allocation
@@ -670,6 +677,8 @@ restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
670	user@example.net	677	user@example.net
671	restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==	678	restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
672	user@example.net	679	user@example.net
		680	no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
		681	user@example.net
673	.Ed	682	.Ed
674	.Sh SSH_KNOWN_HOSTS FILE FORMAT	683	.Sh SSH_KNOWN_HOSTS FILE FORMAT
675	The	684	The