upstream: support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
author: djm@openbsd.org <djm@openbsd.org> 2020-08-27 01:07:09 +0000
committer: Damien Miller <djm@mindrot.org> 2020-08-27 11:28:36 +1000
commit: 801c9f095e6d8b7b91aefd98f5001c652ea13488 (patch)
tree: 6c6416d6d926939b208eb1f1181f196a554e0734 /sshd.8
parent: 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/sshd.8 b/sshd.8
index c5f8987d2..b2fad56d3 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.312 2020/01/25 06:03:10 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.313 2020/08/27 01:07:10 djm Exp $
-.Dd $Mdocdate: January 25 2020 $
+.Dd $Mdocdate: August 27 2020 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -631,6 +631,13 @@ This option only makes sense for the FIDO authenticator algorithms
 .Cm ecdsa-sk
 and
 .Cm ed25519-sk .
+.It Cm verify-required
+Require that signatures made using this key attest that they verified
+the user, e.g. via a PIN.
+This option only makes sense for the FIDO authenticator algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
 .It Cm restrict
 Enable all restrictions, i.e. disable port, agent and X11 forwarding,
 as well as disabling PTY allocation
author	djm@openbsd.org <djm@openbsd.org>	2020-08-27 01:07:09 +0000
committer	Damien Miller <djm@mindrot.org>	2020-08-27 11:28:36 +1000
commit	801c9f095e6d8b7b91aefd98f5001c652ea13488 (patch)
tree	6c6416d6d926939b208eb1f1181f196a554e0734 /sshd.8
parent	9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (diff)

diff --git a/sshd.8 b/sshd.8 index c5f8987d2..b2fad56d3 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.312 2020/01/25 06:03:10 djm Exp $	36	.\" $OpenBSD: sshd.8,v 1.313 2020/08/27 01:07:10 djm Exp $
37	.Dd $Mdocdate: January 25 2020 $	37	.Dd $Mdocdate: August 27 2020 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -631,6 +631,13 @@ This option only makes sense for the FIDO authenticator algorithms
631	.Cm ecdsa-sk	631	.Cm ecdsa-sk
632	and	632	and
633	.Cm ed25519-sk .	633	.Cm ed25519-sk .
		634	.It Cm verify-required
		635	Require that signatures made using this key attest that they verified
		636	the user, e.g. via a PIN.
		637	This option only makes sense for the FIDO authenticator algorithms
		638	.Cm ecdsa-sk
		639	and
		640	.Cm ed25519-sk .
634	.It Cm restrict	641	.It Cm restrict
635	Enable all restrictions, i.e. disable port, agent and X11 forwarding,	642	Enable all restrictions, i.e. disable port, agent and X11 forwarding,
636	as well as disabling PTY allocation	643	as well as disabling PTY allocation