summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-12-30upstream: Remove the -x option currently used fordjm@openbsd.org
FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
2019-12-30upstream: document SK API changes in PROTOCOL.u2fdjm@openbsd.org
ok markus@ OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
2019-12-30upstream: translate and return error codes; retry on bad PINdjm@openbsd.org
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@ OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
2019-12-30upstream: improve some error messages; ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 4ccd8ddabb8df4f995107dd3b7ea58220e93cb81
2019-12-30upstream: SK API and sk-helper error/PIN passingdjm@openbsd.org
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
2019-12-30upstream: implement loading resident keys in ssh-adddjm@openbsd.org
"ssh-add -O" will load resident keys from a FIDO2 token and add them to a ssh-agent. feedback and ok markus@ OpenBSD-Commit-ID: 608104ae957a7d65cb84e0a3a26c8f60e0df3290
2019-12-30upstream: implement loading of resident keys in ssh-sk-helperdjm@openbsd.org
feedback and ok markus@ OpenBSD-Commit-ID: b273c23769ea182c55c4a7b8f9cbd9181722011a
2019-12-30upstream: resident keys support in SK APIdjm@openbsd.org
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys. Implement support for this in the usbhid middleware. feedback and ok markus@ OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0
2019-12-30upstream: Factor out parsing of struct sk_enroll_responsedjm@openbsd.org
We'll reuse this for extracting resident keys from a device. feedback and ok markus@ OpenBSD-Commit-ID: 9bc1efd9c6897eac4df0983746cf6578c1542273
2019-12-30upstream: basic support for generating FIDO2 resident keysdjm@openbsd.org
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
2019-12-30upstream: remove single-letter flags for moduli optionsdjm@openbsd.org
Move all moduli generation options to live under the -O flag. Frees up seven single-letter flags. NB. this change break existing ssh-keygen commandline syntax for moduli- related operations. Very few people use these fortunately. feedback and ok markus@ OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935
2019-12-30upstream: prepare for use of ssh-keygen -O flag beyond certsdjm@openbsd.org
Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@ OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
2019-12-30upstream: sort -Y internally in the options list, as is alreadyjmc@openbsd.org
done in synopsis; OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274
2019-12-30upstream: in the options list, sort -Y and -y;jmc@openbsd.org
OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa
2019-12-30upstream: Replace the term "security key" with "(FIDO)naddy@openbsd.org
authenticator". The polysemous use of "key" was too confusing. Input from markus@. ok jmc@ OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-21upstream: unit tests for ForwardAgent=/path; from Eric Chiangdjm@openbsd.org
OpenBSD-Regress-ID: 24f693f78290b2c17725dab2c614dffe4a88c8da
2019-12-21upstream: test security key host keys in addition to user keysdjm@openbsd.org
OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
2019-12-21upstream: Allow forwarding a different agent socket to the pathdjm@openbsd.org
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. Patch by Eric Chiang, manpage by me; ok markus@ OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
2019-12-21upstream: SSH U2F keys can now be used as host keys. Fix a gardennaddy@openbsd.org
path sentence. ok markus@ OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b
2019-12-20upstream: Move always unsupported keywords to be grouped with the otherdtucker@openbsd.org
ones. Move oSecurityProvider to match the order in the OpCodes enum. Patch from openbsd@academicsolutions.ch, ok djm@ OpenBSD-Commit-ID: 061e4505861ec1e02ba3a63e3d1b3be3cad458ec
2019-12-20upstream: Remove obsolete opcodes from the configuation enum.dtucker@openbsd.org
Patch from openbsd@academicsolutions.ch, ok djm@ OpenBSD-Commit-ID: 395c202228872ce8d9044cc08552ac969f51e01b
2019-12-20upstream: Remove now-obsolete config options from example indtucker@openbsd.org
comment. Patch from openbsd@academicsolutions.ch, ok djm@ OpenBSD-Commit-ID: 35862beb0927b1cb0af476ec23cc07f6e3006101
2019-12-20upstream: Document that security key-hosted keys can act as hostnaddy@openbsd.org
keys. Update the list of default host key algorithms in ssh_config.5 and sshd_config.5. Copy the description of the SecurityKeyProvider option to sshd_config.5. ok jmc@ OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
2019-12-20upstream: "Forward security" -> "Forward secrecy" since that's thedtucker@openbsd.org
correct term. Add "MAC" since we use that acronym in other man pages. ok naddy@ OpenBSD-Commit-ID: c35529e511788586725fb63bda3459e10738c5f5
2019-12-20upstream: cut obsolete lists of crypto algorithms from outline ofnaddy@openbsd.org
how SSH works ok markus@ jmc@ OpenBSD-Commit-ID: 8e34973f232ab48c4d4f5d07df48d501708b9160
2019-12-20upstream: strdup may return NULL if memory allocation fails. Usetobhe@openbsd.org
the safer xstrdup which fatals on allocation failures. ok markus@ OpenBSD-Commit-ID: 8b608d387120630753cbcb8110e0b019c0c9a0d0
2019-12-20upstream: sort sk-* methods behind their plain key methods cousinsdjm@openbsd.org
for now OpenBSD-Commit-ID: c97e22c2b28c0d12ee389b8b4ef5f2ada7908828
2019-12-18Mac OS X has PAM too.Darren Tucker
2019-12-18Show portable tarball pattern in example.Darren Tucker
2019-12-18OpenSSL is now optional.Darren Tucker
2019-12-16upstream: adapt to ssh-sk-client changedjm@openbsd.org
OpenBSD-Regress-ID: 40481999a5928d635ab2e5b029e8239c112005ea
2019-12-16upstream: it's no longer possible to disable privilege separationdjm@openbsd.org
in sshd, so don't double the tests' work by trying both off/on OpenBSD-Regress-ID: d366665466dbd09e9b707305da884be3e7619c68
2019-12-16upstream: don't treat HostKeyAgent=none as a path either; avoidsdjm@openbsd.org
spurious warnings from the cfgparse regress test OpenBSD-Commit-ID: ba49ea7a5c92b8a16cb9c2e975dbb163853afc54
2019-12-16upstream: do not attempt to find an absolute path for sshd_configdjm@openbsd.org
SecurityKeyProvider=internal - unbreaks cfgparse regress test OpenBSD-Commit-ID: d2ddcf525c0dc3c8339522360c10b3c70f1fd641
2019-12-16upstream: allow ssh-keyscan to find security key hostkeysdjm@openbsd.org
OpenBSD-Commit-ID: 1fe822a7f714df19a7e7184e3a3bbfbf546811d3
2019-12-16upstream: allow security keys to act as host keys as well as userdjm@openbsd.org
keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
2019-12-16Allow clock_nanosleep_time64 in seccomp sandbox.Darren Tucker
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
2019-12-15Put SK ECDSA bits inside ifdef OPENSSL_HAS_ECC.Darren Tucker
Fixes build when linking against OpenSSLs built with no-ec.
2019-12-14remove a bunch of ENABLE_SK #ifdefsDamien Miller
The ssh-sk-helper client API gives us a nice place to disable security key support when it is wasn't enabled at compile time, so we don't need to check everywere. Also, verification of security key signatures can remain enabled all the time - it has no additional dependencies. So sshd can accept security key pubkeys in authorized_keys, etc regardless of the host's support for dlopen, etc.
2019-12-14ssh-sk-client.c needs includes.hDamien Miller
2019-12-14only link ssh-sk-helper against libfido2Damien Miller
2019-12-14adapt Makefile to ssh-sk-client everywhereDamien Miller
2019-12-14fixupDamien Miller
2019-12-14upstream: actually commit the ssh-sk-helper client code; ok markusdjm@openbsd.org
OpenBSD-Commit-ID: fd2ea776a5bbbf4d452989d3c3054cf25a5e0589
2019-12-14upstream: perform security key enrollment via ssh-sk-helper too.djm@openbsd.org
This means that ssh-keygen no longer needs to link against ssh-sk-helper, and only ssh-sk-helper needs libfido2 and /dev/uhid* access; feedback & ok markus@ OpenBSD-Commit-ID: 9464233fab95708d2ff059f8bee29c0d1f270800
2019-12-14upstream: allow sshbuf_put_stringb(buf, NULL); ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 91482c1ada9adb283165d48dafbb88ae91c657bd
2019-12-14upstream: use ssh-sk-helper for all security key signing operationsdjm@openbsd.org
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid* requested by, feedback and ok markus@ OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-12-14upstream: add a note about the 'extensions' field in the signeddjm@openbsd.org
object OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
2019-12-11upstream: some more corrections for documentation problems spotteddjm@openbsd.org
by Ron Frederick document certifiate private key format correct flags type for sk-ssh-ed25519@openssh.com keys OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
2019-12-11upstream: loading security keys into ssh-agent used the extensiondjm@openbsd.org
constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d