summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rw-r--r--ssh_config.56
-rw-r--r--sshconnect2.c29
3 files changed, 36 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 09a095f1a..199bca169 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,12 @@
120121203 120121203
2 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get 2 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
3 TAILQ_FOREACH_SAFE needed for upcoming changes. 3 TAILQ_FOREACH_SAFE needed for upcoming changes.
4 - (djm) OpenBSD CVS Sync
5 - djm@cvs.openbsd.org 2012/12/02 20:26:11
6 [ssh_config.5 sshconnect2.c]
7 Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
8 This allows control of which keys are offered from tokens using
9 IdentityFile. ok markus@
4 10
520121114 1120121114
6 - (djm) OpenBSD CVS Sync 12 - (djm) OpenBSD CVS Sync
diff --git a/ssh_config.5 b/ssh_config.5
index d3e801df0..09a3cf035 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $
37.Dd $Mdocdate: October 4 2012 $ 37.Dd $Mdocdate: December 2 2012 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -602,6 +602,8 @@ should only use the authentication identity files configured in the
602files, 602files,
603even if 603even if
604.Xr ssh-agent 1 604.Xr ssh-agent 1
605or a
606.Cm PKCS11Provider
605offers more identities. 607offers more identities.
606The argument to this keyword must be 608The argument to this keyword must be
607.Dq yes 609.Dq yes
diff --git a/sshconnect2.c b/sshconnect2.c
index 7c369d743..6791ea344 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved. 4 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1359,7 +1359,7 @@ load_identity_file(char *filename)
1359static void 1359static void
1360pubkey_prepare(Authctxt *authctxt) 1360pubkey_prepare(Authctxt *authctxt)
1361{ 1361{
1362 Identity *id; 1362 Identity *id, *id2, *tmp;
1363 Idlist agent, files, *preferred; 1363 Idlist agent, files, *preferred;
1364 Key *key; 1364 Key *key;
1365 AuthenticationConnection *ac; 1365 AuthenticationConnection *ac;
@@ -1371,7 +1371,7 @@ pubkey_prepare(Authctxt *authctxt)
1371 preferred = &authctxt->keys; 1371 preferred = &authctxt->keys;
1372 TAILQ_INIT(preferred); /* preferred order of keys */ 1372 TAILQ_INIT(preferred); /* preferred order of keys */
1373 1373
1374 /* list of keys stored in the filesystem */ 1374 /* list of keys stored in the filesystem and PKCS#11 */
1375 for (i = 0; i < options.num_identity_files; i++) { 1375 for (i = 0; i < options.num_identity_files; i++) {
1376 key = options.identity_keys[i]; 1376 key = options.identity_keys[i];
1377 if (key && key->type == KEY_RSA1) 1377 if (key && key->type == KEY_RSA1)
@@ -1384,6 +1384,29 @@ pubkey_prepare(Authctxt *authctxt)
1384 id->filename = xstrdup(options.identity_files[i]); 1384 id->filename = xstrdup(options.identity_files[i]);
1385 TAILQ_INSERT_TAIL(&files, id, next); 1385 TAILQ_INSERT_TAIL(&files, id, next);
1386 } 1386 }
1387 /* Prefer PKCS11 keys that are explicitly listed */
1388 TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
1389 if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0)
1390 continue;
1391 found = 0;
1392 TAILQ_FOREACH(id2, &files, next) {
1393 if (id2->key == NULL ||
1394 (id2->key->flags & KEY_FLAG_EXT) != 0)
1395 continue;
1396 if (key_equal(id->key, id2->key)) {
1397 TAILQ_REMOVE(&files, id, next);
1398 TAILQ_INSERT_TAIL(preferred, id, next);
1399 found = 1;
1400 break;
1401 }
1402 }
1403 /* If IdentitiesOnly set and key not found then don't use it */
1404 if (!found && options.identities_only) {
1405 TAILQ_REMOVE(&files, id, next);
1406 bzero(id, sizeof(id));
1407 free(id);
1408 }
1409 }
1387 /* list of keys supported by the agent */ 1410 /* list of keys supported by the agent */
1388 if ((ac = ssh_get_authentication_connection())) { 1411 if ((ac = ssh_get_authentication_connection())) {
1389 for (key = ssh_get_first_identity(ac, &comment, 2); 1412 for (key = ssh_get_first_identity(ac, &comment, 2);