diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:07:09 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
| commit | 801c9f095e6d8b7b91aefd98f5001c652ea13488 (patch) | |
| tree | 6c6416d6d926939b208eb1f1181f196a554e0734 /sshd_config.5 | |
| parent | 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (diff) | |
upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.
feedback and ok markus@
OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
Diffstat (limited to 'sshd_config.5')
| -rw-r--r-- | sshd_config.5 | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 17d8c130f..a1898baae 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.312 2020/05/29 05:37:03 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.313 2020/08/27 01:07:10 djm Exp $ |
| 37 | .Dd $Mdocdate: May 29 2020 $ | 37 | .Dd $Mdocdate: August 27 2020 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -1476,11 +1476,12 @@ The list of available key types may also be obtained using | |||
| 1476 | .Qq ssh -Q PubkeyAcceptedKeyTypes . | 1476 | .Qq ssh -Q PubkeyAcceptedKeyTypes . |
| 1477 | .It Cm PubkeyAuthOptions | 1477 | .It Cm PubkeyAuthOptions |
| 1478 | Sets one or more public key authentication options. | 1478 | Sets one or more public key authentication options. |
| 1479 | Two option keywords are currently supported: | 1479 | The supported keywords are: |
| 1480 | .Cm none | 1480 | .Cm none |
| 1481 | (the default; indicating no additional options are enabled) | 1481 | (the default; indicating no additional options are enabled), |
| 1482 | .Cm touch-required | ||
| 1482 | and | 1483 | and |
| 1483 | .Cm touch-required . | 1484 | .Cm verify-required . |
| 1484 | .Pp | 1485 | .Pp |
| 1485 | The | 1486 | The |
| 1486 | .Cm touch-required | 1487 | .Cm touch-required |
| @@ -1497,7 +1498,17 @@ requires user presence unless overridden with an authorized_keys option. | |||
| 1497 | The | 1498 | The |
| 1498 | .Cm touch-required | 1499 | .Cm touch-required |
| 1499 | flag disables this override. | 1500 | flag disables this override. |
| 1500 | This option has no effect for other, non-authenticator public key types. | 1501 | .Pp |
| 1502 | The | ||
| 1503 | .Cm verify-required | ||
| 1504 | option requires a FIDO key signature attest that verified the user, e.g. | ||
| 1505 | via a PIN. | ||
| 1506 | .Pp | ||
| 1507 | Neither the | ||
| 1508 | .Cm touch-required | ||
| 1509 | or | ||
| 1510 | .Cm verify-required | ||
| 1511 | options have any effect for other, non-FIDO public key types. | ||
| 1501 | .It Cm PubkeyAuthentication | 1512 | .It Cm PubkeyAuthentication |
| 1502 | Specifies whether public key authentication is allowed. | 1513 | Specifies whether public key authentication is allowed. |
| 1503 | The default is | 1514 | The default is |