-rw-r--r-- | ssh-keygen.1 | 11 | ||||
-rw-r--r-- | ssh-keygen.c | 28 |
2 files changed, 25 insertions, 14 deletions
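--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.178 2019/11/25 00:55:58 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -679,6 +679,15 @@ internal support for USB HID keys.
 .It Fl x Ar flags
 Specifies the security key flags to use when enrolling a security key-hosted
 key.
+Flags may be specified by name or directly as a hexadecimal value.
+Only one named flag is supported at present:
+.Cm no-touch-required ,
+which indicates that the generated private key should not require touch
+events (user presence) when making signatures.
+Note that
+.Xr sshd 8
+will refuse such signatures by default, unless overridden via
+an authorized_keys option.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.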
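--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.372 2019/11/25 00:55:58 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2810,6 +2810,7 @@ main(int argc, char **argv)
 unsigned long long ull, cert_serial = 0;
 char *identity_comment = NULL, *ca_key_path = NULL;
 u_int32_t bits = 0;
+uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
 FILE *f;
 const char *errstr;
 int log_level = SYSLOG_LEVEL_INFO;
@@ -2822,9 +2823,6 @@ main(int argc, char **argv)
 unsigned long start_lineno = 0, lines_to_process = 0;
 BIGNUM *start = NULL;
 #endif
-#ifdef ENABLE_SK
-uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
-#endif
 
 extern int optind;
 extern char *optarg;
@@ -3015,15 +3013,19 @@ main(int argc, char **argv)
 case 'x':
 if (*optarg == '\0')
 fatal("Missing security key flags");
-ull = strtoull(optarg, &ep, 0);
-if (*ep != '\0')
-fatal("Security key flags \"%s\" is not a "
-"number", optarg);
-if (ull > 0xff)
-fatal("Invalid security key flags 0x%llx", ull);
-#ifdef ENABLE_SK
-sk_flags = (uint8_t)ull;
-#endif
+if (strcasecmp(optarg, "no-touch-required") == 0)
+sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+else {
+ull = strtoull(optarg, &ep, 0);
+if (*ep != '\0')
+fatal("Security key flags \"%s\" is "
+"not a number", optarg);
+if (ull > 0xff) {
+fatal("Invalid security key "
+"flags 0x%llx", ull);
+}
+sk_flags = (uint8_t)ull;
+}
 break;
 case 'z':
 errno = 0;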
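Review bot: The two fatal() calls in the new `case 'x'` branch are braced inconsistently: the `*ep != '\0'` check wraps a two-line fatal() with no braces, while the `ull > 0xff` check directly below braces an equally two-line fatal(), so one of them should change to match (either drop the `{` / `}` around the second or brace both). The numeric path also calls strtoull() without the `errno = 0;` reset that the neighbouring `case 'z'` branch performs; an out-of-range value still ends in fatal() because strtoull() returns ULLONG_MAX, which fails `ull > 0xff`, but a comment such as `/* overflow yields ULLONG_MAX, rejected by the range check below */` would make that reliance explicit. Note too that the named form only clears SSH_SK_USER_PRESENCE_REQD from the running value whereas the numeric form replaces sk_flags outright, so repeated -x options compose differently depending on order; if that is intended, a sentence in the man page would spare users the surprise. main(), where ull and ep are declared, begins and ends outside this hunk.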