upstream: Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de

1 files changed, 25 insertions, 2 deletions

diff --git a/sshd_config.5 b/sshd_config.5
index 5052ca200..60077e394 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.292 2019/11/18 04:55:02 djm Exp $
-.Dd $Mdocdate: November 18 2019 $
+.\" $OpenBSD: sshd_config.5,v 1.293 2019/11/25 00:52:46 djm Exp $
+.Dd $Mdocdate: November 25 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1444,6 +1444,29 @@ ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Pp
 The list of available key types may also be obtained using
 .Qq ssh -Q key .
+.It Cm PubkeyAuthOptions
+Sets one or more public key authentication options.
+Two option keywords are currently supported:
+.Cm none (the default; indicating no additional options are enabled)
+and
+.Cm touch-required .
+.Pp
+The
+.Cm touch-required
+option causes public key authentication using a security key algorithm
+(i.e.
+.Cm ecdsa-sk
+or
+.Cm ed25519-sk )
+to always require the signature to attest that a physically present user
+explicitly confirmed the authentication (usually by touching the security key).
+By default,
+.Xr sshd 8
+requires key touch unless overridden with an authorized_keys option.
+The
+.Cm touch-required
+flag disables this override.
+This option has no effect for other, non-security key public key types.
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is