summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--auth2-pubkey.c5
-rw-r--r--monitor.c7
-rw-r--r--ssh-add.c8
-rw-r--r--ssh-agent.c6
-rw-r--r--ssh-keygen.c10
-rw-r--r--ssh-sk.c26
-rw-r--r--ssh.c4
-rw-r--r--sshconnect2.c13
8 files changed, 40 insertions, 39 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 5b4a2cc02..815ea0f25 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.98 2020/01/23 07:10:22 dtucker Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -231,7 +231,8 @@ userauth_pubkey(struct ssh *ssh)
231 SSH_SK_USER_PRESENCE_REQD) == 0) { 231 SSH_SK_USER_PRESENCE_REQD) == 0) {
232 error("public key %s signature for %s%s from " 232 error("public key %s signature for %s%s from "
233 "%.128s port %d rejected: user presence " 233 "%.128s port %d rejected: user presence "
234 "(key touch) requirement not met ", key_s, 234 "(authenticator touch) requirement "
235 "not met ", key_s,
235 authctxt->valid ? "" : "invalid user ", 236 authctxt->valid ? "" : "invalid user ",
236 authctxt->user, ssh_remote_ipaddr(ssh), 237 authctxt->user, ssh_remote_ipaddr(ssh),
237 ssh_remote_port(ssh)); 238 ssh_remote_port(ssh));
diff --git a/monitor.c b/monitor.c
index dc6d78d3c..2ce89fe90 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.207 2020/01/23 07:10:22 dtucker Exp $ */ 1/* $OpenBSD: monitor.c,v 1.208 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1445,8 +1445,9 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
1445 if (req_presence && 1445 if (req_presence &&
1446 (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) { 1446 (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) {
1447 error("public key %s %s signature for %s%s from %.128s " 1447 error("public key %s %s signature for %s%s from %.128s "
1448 "port %d rejected: user presence (key touch) " 1448 "port %d rejected: user presence "
1449 "requirement not met ", sshkey_type(key), fp, 1449 "(authenticator touch) requirement not met ",
1450 sshkey_type(key), fp,
1450 authctxt->valid ? "" : "invalid user ", 1451 authctxt->valid ? "" : "invalid user ",
1451 authctxt->user, ssh_remote_ipaddr(ssh), 1452 authctxt->user, ssh_remote_ipaddr(ssh),
1452 ssh_remote_port(ssh)); 1453 ssh_remote_port(ssh));
diff --git a/ssh-add.c b/ssh-add.c
index f3b666c93..8057eb1fe 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-add.c,v 1.151 2020/01/25 23:02:13 djm Exp $ */ 1/* $OpenBSD: ssh-add.c,v 1.152 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -315,8 +315,8 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
315 if (!sshkey_is_sk(private)) 315 if (!sshkey_is_sk(private))
316 skprovider = NULL; /* Don't send constraint for other keys */ 316 skprovider = NULL; /* Don't send constraint for other keys */
317 else if (skprovider == NULL) { 317 else if (skprovider == NULL) {
318 fprintf(stderr, "Cannot load security key %s without " 318 fprintf(stderr, "Cannot load authenticator-hosted key %s "
319 "provider\n", filename); 319 "without provider\n", filename);
320 goto out; 320 goto out;
321 } 321 }
322 322
@@ -546,7 +546,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag)
546 int r, ok = 0; 546 int r, ok = 0;
547 char *fp; 547 char *fp;
548 548
549 pass = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); 549 pass = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
550 if ((r = sshsk_load_resident(skprovider, NULL, pass, 550 if ((r = sshsk_load_resident(skprovider, NULL, pass,
551 &keys, &nkeys)) != 0) { 551 &keys, &nkeys)) != 0) {
552 error("Unable to load resident keys: %s", ssh_err(r)); 552 error("Unable to load resident keys: %s", ssh_err(r));
diff --git a/ssh-agent.c b/ssh-agent.c
index 5c9a9de60..7eb6f0dc5 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-agent.c,v 1.254 2020/01/25 00:06:48 djm Exp $ */ 1/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -510,8 +510,8 @@ process_add_identity(SocketEntry *e)
510 } 510 }
511 if (sk_provider != NULL) { 511 if (sk_provider != NULL) {
512 if (!sshkey_is_sk(k)) { 512 if (!sshkey_is_sk(k)) {
513 error("Cannot add provider: %s is not a security key", 513 error("Cannot add provider: %s is not an "
514 sshkey_type(k)); 514 "authenticator-hosted key", sshkey_type(k));
515 free(sk_provider); 515 free(sk_provider);
516 goto send; 516 goto send;
517 } 517 }
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 2a64622c1..a6ba6cc7a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.396 2020/02/04 09:58:04 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.397 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
2971 if (skprovider == NULL) 2971 if (skprovider == NULL)
2972 fatal("Cannot download keys without provider"); 2972 fatal("Cannot download keys without provider");
2973 2973
2974 pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); 2974 pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
2975 if ((r = sshsk_load_resident(skprovider, device, pin, 2975 if ((r = sshsk_load_resident(skprovider, device, pin,
2976 &keys, &nkeys)) != 0) { 2976 &keys, &nkeys)) != 0) {
2977 freezero(pin, strlen(pin)); 2977 freezero(pin, strlen(pin));
@@ -3582,7 +3582,7 @@ main(int argc, char **argv)
3582 } 3582 }
3583 } 3583 }
3584 if (!quiet) { 3584 if (!quiet) {
3585 printf("You may need to touch your security key " 3585 printf("You may need to touch your authenticator "
3586 "to authorize key generation.\n"); 3586 "to authorize key generation.\n");
3587 } 3587 }
3588 passphrase = NULL; 3588 passphrase = NULL;
@@ -3600,8 +3600,8 @@ main(int argc, char **argv)
3600 fatal("Key enrollment failed: %s", ssh_err(r)); 3600 fatal("Key enrollment failed: %s", ssh_err(r));
3601 if (passphrase != NULL) 3601 if (passphrase != NULL)
3602 freezero(passphrase, strlen(passphrase)); 3602 freezero(passphrase, strlen(passphrase));
3603 passphrase = read_passphrase("Enter PIN for security " 3603 passphrase = read_passphrase("Enter PIN for "
3604 "key: ", RP_ALLOW_STDIN); 3604 "authenticator: ", RP_ALLOW_STDIN);
3605 } 3605 }
3606 if (passphrase != NULL) 3606 if (passphrase != NULL)
3607 freezero(passphrase, strlen(passphrase)); 3607 freezero(passphrase, strlen(passphrase));
diff --git a/ssh-sk.c b/ssh-sk.c
index 3e88aafff..5ff938193 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-sk.c,v 1.26 2020/01/28 08:01:34 djm Exp $ */ 1/* $OpenBSD: ssh-sk.c,v 1.27 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Copyright (c) 2019 Google LLC 3 * Copyright (c) 2019 Google LLC
4 * 4 *
@@ -120,39 +120,38 @@ sshsk_open(const char *path)
120 return ret; 120 return ret;
121 } 121 }
122 if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { 122 if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
123 error("Security key provider \"%s\" dlopen failed: %s", 123 error("Provider \"%s\" dlopen failed: %s", path, dlerror());
124 path, dlerror());
125 goto fail; 124 goto fail;
126 } 125 }
127 if ((ret->sk_api_version = dlsym(ret->dlhandle, 126 if ((ret->sk_api_version = dlsym(ret->dlhandle,
128 "sk_api_version")) == NULL) { 127 "sk_api_version")) == NULL) {
129 error("Security key provider \"%s\" dlsym(sk_api_version) " 128 error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
130 "failed: %s", path, dlerror()); 129 path, dlerror());
131 goto fail; 130 goto fail;
132 } 131 }
133 version = ret->sk_api_version(); 132 version = ret->sk_api_version();
134 debug("%s: provider %s implements version 0x%08lx", __func__, 133 debug("%s: provider %s implements version 0x%08lx", __func__,
135 ret->path, (u_long)version); 134 ret->path, (u_long)version);
136 if ((version & SSH_SK_VERSION_MAJOR_MASK) != SSH_SK_VERSION_MAJOR) { 135 if ((version & SSH_SK_VERSION_MAJOR_MASK) != SSH_SK_VERSION_MAJOR) {
137 error("Security key provider \"%s\" implements unsupported " 136 error("Provider \"%s\" implements unsupported "
138 "version 0x%08lx (supported: 0x%08lx)", 137 "version 0x%08lx (supported: 0x%08lx)",
139 path, (u_long)version, (u_long)SSH_SK_VERSION_MAJOR); 138 path, (u_long)version, (u_long)SSH_SK_VERSION_MAJOR);
140 goto fail; 139 goto fail;
141 } 140 }
142 if ((ret->sk_enroll = dlsym(ret->dlhandle, "sk_enroll")) == NULL) { 141 if ((ret->sk_enroll = dlsym(ret->dlhandle, "sk_enroll")) == NULL) {
143 error("Security key provider %s dlsym(sk_enroll) " 142 error("Provider %s dlsym(sk_enroll) failed: %s",
144 "failed: %s", path, dlerror()); 143 path, dlerror());
145 goto fail; 144 goto fail;
146 } 145 }
147 if ((ret->sk_sign = dlsym(ret->dlhandle, "sk_sign")) == NULL) { 146 if ((ret->sk_sign = dlsym(ret->dlhandle, "sk_sign")) == NULL) {
148 error("Security key provider \"%s\" dlsym(sk_sign) failed: %s", 147 error("Provider \"%s\" dlsym(sk_sign) failed: %s",
149 path, dlerror()); 148 path, dlerror());
150 goto fail; 149 goto fail;
151 } 150 }
152 if ((ret->sk_load_resident_keys = dlsym(ret->dlhandle, 151 if ((ret->sk_load_resident_keys = dlsym(ret->dlhandle,
153 "sk_load_resident_keys")) == NULL) { 152 "sk_load_resident_keys")) == NULL) {
154 error("Security key provider \"%s\" " 153 error("Provider \"%s\" dlsym(sk_load_resident_keys) "
155 "dlsym(sk_load_resident_keys) failed: %s", path, dlerror()); 154 "failed: %s", path, dlerror());
156 goto fail; 155 goto fail;
157 } 156 }
158 /* success */ 157 /* success */
@@ -219,7 +218,7 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
219 goto out; 218 goto out;
220 } 219 }
221 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), q) != 0) { 220 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), q) != 0) {
222 error("Security key returned invalid ECDSA key"); 221 error("Authenticator returned invalid ECDSA key");
223 r = SSH_ERR_KEY_INVALID_EC_VALUE; 222 r = SSH_ERR_KEY_INVALID_EC_VALUE;
224 goto out; 223 goto out;
225 } 224 }
@@ -758,8 +757,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
758 goto out; 757 goto out;
759 } 758 }
760 if ((r = skp->sk_load_resident_keys(pin, opts, &rks, &nrks)) != 0) { 759 if ((r = skp->sk_load_resident_keys(pin, opts, &rks, &nrks)) != 0) {
761 error("Security key provider \"%s\" returned failure %d", 760 error("Provider \"%s\" returned failure %d", provider_path, r);
762 provider_path, r);
763 r = skerr_to_ssherr(r); 761 r = skerr_to_ssherr(r);
764 goto out; 762 goto out;
765 } 763 }
diff --git a/ssh.c b/ssh.c
index 35972fe39..326ce21f6 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh.c,v 1.517 2020/01/28 07:24:15 djm Exp $ */ 1/* $OpenBSD: ssh.c,v 1.518 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1376,7 +1376,7 @@ main(int ac, char **av)
1376 if (options.sk_provider != NULL && *options.sk_provider == '$' && 1376 if (options.sk_provider != NULL && *options.sk_provider == '$' &&
1377 strlen(options.sk_provider) > 1) { 1377 strlen(options.sk_provider) > 1) {
1378 if ((cp = getenv(options.sk_provider + 1)) == NULL) { 1378 if ((cp = getenv(options.sk_provider + 1)) == NULL) {
1379 debug("Security key provider %s did not resolve; " 1379 debug("Authenticator provider %s did not resolve; "
1380 "disabling", options.sk_provider); 1380 "disabling", options.sk_provider);
1381 free(options.sk_provider); 1381 free(options.sk_provider);
1382 options.sk_provider = NULL; 1382 options.sk_provider = NULL;
diff --git a/sshconnect2.c b/sshconnect2.c
index 3b84a2d56..4c4a61ba0 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.318 2020/01/23 10:24:30 dtucker Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.319 2020/02/06 22:30:54 naddy Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved. 4 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -613,7 +613,7 @@ format_identity(Identity *id)
613 if ((id->key->flags & SSHKEY_FLAG_EXT) != 0) 613 if ((id->key->flags & SSHKEY_FLAG_EXT) != 0)
614 note = " token"; 614 note = " token";
615 else if (sshkey_is_sk(id->key)) 615 else if (sshkey_is_sk(id->key))
616 note = " security-key"; 616 note = " authenticator";
617 } 617 }
618 xasprintf(&ret, "%s %s%s%s%s%s%s", 618 xasprintf(&ret, "%s %s%s%s%s%s%s",
619 id->filename, 619 id->filename,
@@ -1487,8 +1487,8 @@ load_identity_file(Identity *id)
1487 } 1487 }
1488 if (private != NULL && sshkey_is_sk(private) && 1488 if (private != NULL && sshkey_is_sk(private) &&
1489 options.sk_provider == NULL) { 1489 options.sk_provider == NULL) {
1490 debug("key \"%s\" is a security key, but no " 1490 debug("key \"%s\" is an authenticator-hosted key, "
1491 "provider specified", id->filename); 1491 "but no provider specified", id->filename);
1492 sshkey_free(private); 1492 sshkey_free(private);
1493 private = NULL; 1493 private = NULL;
1494 quit = 1; 1494 quit = 1;
@@ -1571,7 +1571,7 @@ pubkey_prepare(Authctxt *authctxt)
1571 continue; 1571 continue;
1572 } 1572 }
1573 if (key && sshkey_is_sk(key) && options.sk_provider == NULL) { 1573 if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
1574 debug("%s: ignoring security key %s as no " 1574 debug("%s: ignoring authenticator-hosted key %s as no "
1575 "SecurityKeyProvider has been specified", 1575 "SecurityKeyProvider has been specified",
1576 __func__, options.identity_files[i]); 1576 __func__, options.identity_files[i]);
1577 continue; 1577 continue;
@@ -1595,7 +1595,8 @@ pubkey_prepare(Authctxt *authctxt)
1595 continue; 1595 continue;
1596 } 1596 }
1597 if (key && sshkey_is_sk(key) && options.sk_provider == NULL) { 1597 if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
1598 debug("%s: ignoring security key certificate %s as no " 1598 debug("%s: ignoring authenticator-hosted key "
1599 "certificate %s as no "
1599 "SecurityKeyProvider has been specified", 1600 "SecurityKeyProvider has been specified",
1600 __func__, options.identity_files[i]); 1601 __func__, options.identity_files[i]);
1601 continue; 1602 continue;
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 03:38:06 +0000