author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:52:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:40 +1100 |
commit | 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (patch) | |
tree | d7fe4a4f7cd92c565a765e21b7cb19b9c7544d29 /sshd_config.5 | |
parent | b7e74ea072919b31391bc0f5ff653f80b9f5e84f (diff) |
upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 5052ca200..60077e394 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.292 2019/11/18 04:55:02 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.293 2019/11/25 00:52:46 djm Exp $ |
37 | .Dd $Mdocdate: November 18 2019 $ | 37 | .Dd $Mdocdate: November 25 2019 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -1444,6 +1444,29 @@ ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | |||
1444 | .Pp | 1444 | .Pp |
1445 | The list of available key types may also be obtained using | 1445 | The list of available key types may also be obtained using |
1446 | .Qq ssh -Q key . | 1446 | .Qq ssh -Q key . |
1447 | .It Cm PubkeyAuthOptions | ||
1448 | Sets one or more public key authentication options. | ||
1449 | Two option keywords are currently supported: | ||
1450 | .Cm none (the default; indicating no additional options are enabled) | ||
1451 | and | ||
1452 | .Cm touch-required . | ||
1453 | .Pp | ||
1454 | The | ||
1455 | .Cm touch-required | ||
1456 | option causes public key authentication using a security key algorithm | ||
1457 | (i.e. | ||
1458 | .Cm ecdsa-sk | ||
1459 | or | ||
1460 | .Cm ed25519-sk ) | ||
1461 | to always require the signature to attest that a physically present user | ||
1462 | explicitly confirmed the authentication (usually by touching the security key). | ||
1463 | By default, | ||
1464 | .Xr sshd 8 | ||
1465 | requires key touch unless overridden with an authorized_keys option. | ||
1466 | The | ||
1467 | .Cm touch-required | ||
1468 | flag disables this override. | ||
1469 | This option has no effect for other, non-security key public key types. | ||
1447 | .It Cm PubkeyAuthentication | 1470 | .It Cm PubkeyAuthentication |
1448 | Specifies whether public key authentication is allowed. | 1471 | Specifies whether public key authentication is allowed. |
1449 | The default is | 1472 | The default is |
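Review bot: the keyword and its semantics documented at 1449-1468 contradict the commit message. The message says the directive has a single valid option, "no-touch-required", which makes sshd skip the user-presence check on a security key signature; the man page text instead lists two keywords ("none" and "touch-required") and describes "touch-required" as forcing that check and disabling the authorized_keys override mentioned at 1465. One of the two is wrong, and since the commit message describes the implemented behaviour, the text should document `.Cm no-touch-required`, say that it disables the default requirement that the signature attest to a physically present user confirming the authentication, and note that enabling it means a signature can be accepted without that confirmation (the property the text at 1461-1462 says the check exists for). Two smaller points: at 1450 the parenthetical is on the same line as `.Cm none`, so mdoc renders "(the default; indicating no additional options are enabled)" in the command-modifier font; move it to its own line or wrap it in `.Pq`. At 1469 "other, non-security key public key types" reads awkwardly; "non-security-key public key types" or "public key types other than security keys" is clearer.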