From 70fc9a6ca4dd33cb2dd400a4dad5db9683a3d284 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Tue, 22 Oct 2019 08:50:35 +0000 Subject: upstream: fixes from lucas; OpenBSD-Commit-ID: 4c4bfd2806c5bbc753788ffe19c5ee13aaf418b2 --- ssh-keygen.1 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 957d2f0f0..dca566ca2 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.171 2019/10/03 17:07:50 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.172 2019/10/22 08:50:35 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 3 2019 $ +.Dd $Mdocdate: October 22 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -716,6 +716,7 @@ flag. The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by .Nm +returning a zero exit status. .It Fl Y Cm check-novalidate Checks that a signature generated using .Nm @@ -987,8 +988,8 @@ The principals field is a pattern-list (See PATTERNS in consisting of one or more comma-separated USER@DOMAIN identity patterns that are accepted for signing. When verifying, the identity presented via the -.Fl I option -must match a principals pattern in order for the corresponding key to be +.Fl I +option must match a principals pattern in order for the corresponding key to be considered acceptable for verification. .Pp The options (if present) consist of comma-separated option specifications. -- cgit v1.2.3 From aa4c640dc362816d63584a16e786d5e314e24390 Mon Sep 17 00:00:00 2001 
From: "naddy@openbsd.org" Date: Thu, 7 Nov 2019 08:38:38 +0000 Subject: upstream: Fill in missing man page bits for U2F security key support: Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4 --- Makefile.in | 6 ++++-- ssh-add.1 | 9 +++++--- ssh-keygen.1 | 36 ++++++++++++++++++++++++------- ssh-keygen.c | 5 +++-- ssh-sk-helper.8 | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ssh.1 | 17 +++++++++++++-- ssh_config.5 | 31 ++++++++++++++++++++------- sshd.8 | 37 ++++++++++++++++++++------------ sshd_config.5 | 15 ++++++++----- 9 files changed, 179 insertions(+), 43 deletions(-) create mode 100644 ssh-sk-helper.8 (limited to 'ssh-keygen.1') diff --git a/Makefile.in b/Makefile.in index a569bb95a..fddc82576 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -124,8 +124,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-solaris.o uidswap.o -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out @@ -372,6 +372,7 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 install-sysconf: $(MKDIR_P) $(DESTDIR)$(sysconfdir) @@ -444,6 +445,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper diff --git a/ssh-add.1 b/ssh-add.1 index 9b90257b4..73b91d945 100644 --- a/ssh-add.1 +++ b/ssh-add.1 
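Review bot: MANPAGES and MANPAGES_IN in the first hunk are hand-maintained mirrors of each other (same pages, same order, only the `.out` suffix differs), so every new page has to be added in two places and a missed edit silently leaves a page unbuilt or uninstalled; this hunk does add ssh-sk-helper.8 to both, but deriving one from the other, e.g. `MANPAGES = $(MANPAGES_IN:=.out)` placed after the existing MANPAGES_IN line, would remove the duplication. Whether that substitution form is acceptable depends on which make implementations this Makefile.in must support, which the hunk does not show; if strict POSIX make compatibility is required the duplication may be intentional, and a comment such as `# MANPAGES must list the same pages in the same order as MANPAGES_IN` would keep the next addition from drifting. The install-files and uninstall hunks add the matching `ssh-sk-helper.8` lines consistently with their neighbours, and both rules continue outside the hunks.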
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.71 2019/11/01 00:52:35 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.72 2019/11/07 08:38:38 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 1 2019 $ +.Dd $Mdocdate: November 7 2019 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -63,6 +63,7 @@ When run without arguments, it adds the files .Pa ~/.ssh/id_rsa , .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ecdsa_sk , and .Pa ~/.ssh/id_ed25519 . After loading a private key, @@ -135,7 +136,7 @@ Be quiet after a successful operation. .It Fl S Ar provider Specifies a path to a security key provider library that will be used when adding any security key-hosted keys, overriding the default of using the -.Ev "SSH_SK_PROVIDER" +.Ev SSH_SK_PROVIDER environment variable to specify a provider. .It Fl s Ar pkcs11 Add keys provided by the PKCS#11 shared library @@ -205,6 +206,8 @@ hardware security keys. Contains the DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa Contains the ECDSA authentication identity of the user. +.It Pa ~/.ssh/id_ecdsa_sk +Contains the security key-hosted ECDSA authentication identity of the user. .It Pa ~/.ssh/id_ed25519 Contains the Ed25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa diff --git a/ssh-keygen.1 b/ssh-keygen.1 index dca566ca2..bdb5015d1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.172 2019/10/22 08:50:35 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.173 2019/11/07 08:38:38 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 22 2019 $ +.Dd $Mdocdate: November 7 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -48,8 +48,10 @@ .Op Fl C Ar comment .Op Fl f Ar output_keyfile .Op Fl m Ar format +.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa .Op Fl N Ar new_passphrase -.Op Fl t Cm dsa | ecdsa | ed25519 | rsa +.Op Fl w Ar provider +.Op Fl x Ar flags .Nm ssh-keygen .Fl p .Op Fl f Ar keyfile @@ -188,6 +190,7 @@ with public key authentication runs this once to create the authentication key in .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ecdsa_sk , .Pa ~/.ssh/id_ed25519 or .Pa ~/.ssh/id_rsa . @@ -248,7 +251,7 @@ should be placed to be activated. The options are as follows: .Bl -tag -width Ds .It Fl A -For each of the key types (rsa, dsa, ecdsa and ed25519) +For each of the key types (rsa, dsa, ecdsa, ecdsa-sk and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. @@ -282,7 +285,7 @@ flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. -Ed25519 keys have a fixed length and the +ECDSA-SK and Ed25519 keys have a fixed length and the .Fl b flag will be ignored. .It Fl C Ar comment @@ -583,11 +586,12 @@ section for details. Test DH group exchange candidate primes (generated using the .Fl G option) for safety. -.It Fl t Cm dsa | ecdsa | ed25519 | rsa +.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa Specifies the type of key to create. The possible values are .Dq dsa , .Dq ecdsa , +.Dq ecdsa-sk , .Dq ed25519 , or .Dq rsa . 
@@ -658,6 +662,14 @@ options increase the verbosity. The maximum is 3. .It Fl W Ar generator Specify desired generator when testing candidate moduli for DH-GEX. +.It Fl w Ar provider +Specifies a path to a security key provider library that will be used when +creating any security key-hosted keys, overriding the default of using the +.Ev SSH_SK_PROVIDER +environment variable to specify a provider. +.It Fl x Ar flags +Specifies the security key flags to use when enrolling a security key-hosted +key. .It Fl y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. @@ -1020,13 +1032,20 @@ user1@example.com,user2@example.com ssh-rsa AAAAX1... # A key that is accepted only for file signing. user2@example.com namespaces="file" ssh-ed25519 AAA41... .Ed +.Sh ENVIRONMENT +.Bl -tag -width Ds +.It Ev SSH_SK_PROVIDER +Specifies the path to a security key provider library used to interact with +hardware security keys. +.El .Sh FILES .Bl -tag -width Ds -compact .It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_ecdsa +.It Pa ~/.ssh/id_ecdsa_sk .It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_rsa -Contains the DSA, ECDSA, Ed25519 or RSA +Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to @@ -1040,9 +1059,10 @@ will read this file when a login attempt is made. .Pp .It Pa ~/.ssh/id_dsa.pub .It Pa ~/.ssh/id_ecdsa.pub +.It Pa ~/.ssh/id_ecdsa_sk.pub .It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_rsa.pub -Contains the DSA, ECDSA, Ed25519 or RSA +Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA public key for authentication. The contents of this file should be added to .Pa ~/.ssh/authorized_keys diff --git a/ssh-keygen.c b/ssh-keygen.c index 1d2a93f66..b51173aa3 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.359 2019/10/31 21:28:27 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.360 2019/11/07 08:38:38 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2725,7 +2725,8 @@ usage(void) { fprintf(stderr, "usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" - " [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]\n" + " [-t dsa | ecdsa | ecdsa-sk | ed25519 | rsa]\n" + " [-N new_passphrase] [-w provider] [-x flags]\n" " ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" " [-P old_passphrase]\n" " ssh-keygen -i [-f input_keyfile] [-m key_format]\n" diff --git a/ssh-sk-helper.8 b/ssh-sk-helper.8 new file mode 100644 index 000000000..9248badc9 --- /dev/null +++ b/ssh-sk-helper.8 
@@ -0,0 +1,66 @@ +.\" $OpenBSD: ssh-sk-helper.8,v 1.1 2019/11/07 08:38:38 naddy Exp $ +.\" +.\" Copyright (c) 2010 Markus Friedl. All rights reserved. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: November 7 2019 $ +.Dt SSH-SK-HELPER 8 +.Os +.Sh NAME +.Nm ssh-sk-helper +.Nd ssh-agent helper program for security key support +.Sh SYNOPSIS +.Nm +.Op Fl v +.Sh DESCRIPTION +.Nm +is used by +.Xr ssh-agent 1 +to access keys provided by a security key. +.Pp +.Nm +is not intended to be invoked by the user, but from +.Xr ssh-agent 1 . +.Pp +A single option is supported: +.Bl -tag -width Ds +.It Fl v +Verbose mode. +Causes +.Nm +to print debugging messages about its progress. +This is helpful in debugging problems. +Multiple +.Fl v +options increase the verbosity. +The maximum is 3. +.Pp +Note that +.Xr ssh-agent 1 +will automatically pass the +.Fl v +flag to +.Nm +when it has itself been placed in debug mode. +.El +.Sh SEE ALSO +.Xr ssh 1 , +.Xr ssh-add 1 , +.Xr ssh-agent 1 +.Sh HISTORY +.Nm +first appeared in +.Ox 6.7 . +.Sh AUTHORS +.An Damien Miller Aq Mt djm@openbsd.org diff --git a/ssh.1 b/ssh.1 index 424d6c3e8..e2666fa56 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.403 2019/06/12 11:31:50 jmc Exp $ -.Dd $Mdocdate: June 12 2019 $ +.\" $OpenBSD: ssh.1,v 1.404 2019/11/07 08:38:38 naddy Exp $ +.Dd $Mdocdate: November 7 2019 $ .Dt SSH 1 .Os .Sh NAME @@ -279,6 +279,7 @@ public key authentication is read. The default is .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ecdsa_sk , .Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/id_rsa . @@ -896,6 +897,8 @@ This stores the private key in (DSA), .Pa ~/.ssh/id_ecdsa (ECDSA), +.Pa ~/.ssh/id_ecdsa_sk +(security key-hosted ECDSA), .Pa ~/.ssh/id_ed25519 (Ed25519), or @@ -906,6 +909,8 @@ and stores the public key in (DSA), .Pa ~/.ssh/id_ecdsa.pub (ECDSA), +.Pa ~/.ssh/id_ecdsa_sk.pub +(security key-hosted ECDSA), .Pa ~/.ssh/id_ed25519.pub (Ed25519), or @@ -1324,6 +1329,12 @@ More permanent VPNs are better provided by tools such as and .Xr isakmpd 8 . .Sh ENVIRONMENT +.Bl -tag -width "SSH_ORIGINAL_COMMAND" +.It Ev SSH_SK_PROVIDER +Specifies the path to a security key provider library used to interact with +hardware security keys. +.Pp +.El .Nm will normally set the following environment variables: .Bl -tag -width "SSH_ORIGINAL_COMMAND" @@ -1484,6 +1495,7 @@ above. .Pp .It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_ecdsa +.It Pa ~/.ssh/id_ecdsa_sk .It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_rsa Contains the private key for authentication. @@ -1498,6 +1510,7 @@ sensitive part of this file using AES-128. .Pp .It Pa ~/.ssh/id_dsa.pub .It Pa ~/.ssh/id_ecdsa.pub +.It Pa ~/.ssh/id_ecdsa_sk.pub .It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_rsa.pub Contains the public key for authentication. diff --git a/ssh_config.5 b/ssh_config.5 index 02a87892d..ad016470c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $ -.Dd $Mdocdate: September 13 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.305 2019/11/07 08:38:38 naddy Exp $ +.Dd $Mdocdate: November 7 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -381,7 +381,9 @@ flag to via .Xr ssh-agent 1 , or via a -.Cm PKCS11Provider . +.Cm PKCS11Provider +or +.Cm SecurityKeyProvider . .Pp Arguments to .Cm CertificateFile @@ -808,7 +810,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa @@ -840,7 +843,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa @@ -883,6 +887,8 @@ even if .Xr ssh-agent 1 or a .Cm PKCS11Provider +or +.Cm SecurityKeyProvider offers more identities. The argument to this keyword must be .Cm yes 
@@ -919,11 +925,12 @@ or the tokens described in the .Sx TOKENS section. .It Cm IdentityFile -Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication -identity is read. +Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA, +Ed25519 or RSA authentication identity is read. The default is .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ecdsa_sk , .Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/id_rsa . @@ -1315,12 +1322,15 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed @@ -1437,6 +1447,11 @@ an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . +.It Cm SecurityKeyProvider +Specifies a path to a security key provider library that will be used when +loading any security key-hosted keys, overriding the default of using the +.Ev SSH_SK_PROVIDER +environment variable to specify a provider. .It Cm SendEnv Specifies what variables from the local .Xr environ 7 diff --git a/sshd.8 b/sshd.8 index fb133c14b..14d5a2dac 100644 --- a/sshd.8 +++ b/sshd.8 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.304 2018/07/22 12:16:59 dtucker Exp $ -.Dd $Mdocdate: July 22 2018 $ +.\" $OpenBSD: sshd.8,v 1.305 2019/11/07 08:38:38 naddy Exp $ +.Dd $Mdocdate: November 7 2019 $ .Dt SSHD 8 .Os .Sh NAME @@ -429,24 +429,35 @@ comments). Public keys consist of the following space-separated fields: options, keytype, base64-encoded key, comment. The options field is optional. -The keytype is -.Dq ecdsa-sha2-nistp256 , -.Dq ecdsa-sha2-nistp384 , -.Dq ecdsa-sha2-nistp521 , -.Dq ssh-ed25519 , -.Dq ssh-dss -or -.Dq ssh-rsa ; -the comment field is not used for anything (but may be convenient for the +The supported key types are: +.Pp +.Bl -item -compact -offset indent +.It +sk-ecdsa-sha2-nistp256@openssh.com +.It +ecdsa-sha2-nistp256 +.It +ecdsa-sha2-nistp384 +.It +ecdsa-sha2-nistp521 +.It +ssh-ed25519 +.It +ssh-dss +.It +ssh-rsa +.El +.Pp +The comment field is not used for anything (but may be convenient for the user to identify the key). .Pp Note that lines in this file can be several hundred bytes long (because of the size of the public key encoding) up to a limit of -8 kilobytes, which permits DSA keys up to 8 kilobits and RSA -keys up to 16 kilobits. +8 kilobytes, which permits RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the .Pa id_dsa.pub , .Pa id_ecdsa.pub , +.Pa id_ecdsa_sk.pub , .Pa id_ed25519.pub , or the .Pa id_rsa.pub diff --git a/sshd_config.5 b/sshd_config.5 index 9486f2a1c..f4caa162d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $ -.Dd $Mdocdate: September 6 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.291 2019/11/07 08:38:38 naddy Exp $ +.Dd $Mdocdate: November 7 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -690,7 +690,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa @@ -768,7 +769,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 
@@ -1425,12 +1427,15 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed -- cgit v1.2.3 From 6bff9521ab9a9f7396d635755c342b72373bb4f9 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 14 Nov 2019 21:27:29 +0000 Subject: upstream: directly support U2F/FIDO2 security keys in OpenSSH by linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069 --- .depend | 88 ++++---- Makefile.in | 5 +- configure.ac | 33 +++ readconf.c | 7 +- sk-usbhid.c | 697 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ssh-add.1 | 7 +- ssh-add.c | 7 +- ssh-agent.c | 9 +- ssh-keygen.1 | 9 +- ssh-keygen.c | 7 +- ssh-sk.c | 21 +- ssh.1 | 10 +- ssh_config.5 | 9 +- 13 files changed, 837 insertions(+), 72 deletions(-) create mode 100644 sk-usbhid.c (limited to 'ssh-keygen.1') diff --git a/.depend b/.depend index d02e5bd49..f74c38630 100644 --- a/.depend +++ b/.depend 
@@ -3,10 +3,19 @@ addrmatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h match.h log.h atomicio.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h audit-bsm.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h 
openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -audit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h audit-linux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h 
openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h sshbuf.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h -auth2.o: ssherr.h monitor_wrap.h digest.h +audit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +auth-bsdauth.o: includes.h 
config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h sshbuf.h sshkey.h misc.h servconf.h uidswap.h hostfile.h auth.h auth-pam.h audit.h loginrec.h +auth-options.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h 
openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h log.h sshbuf.h misc.h sshkey.h match.h ssh2.h auth-options.h +auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h 
openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h ssherr.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h +auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h misc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h +auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h 
openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +auth-skey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +auth.o: includes.h config.h defines.h platform.h 
openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h groupaccess.h log.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h canohost.h uidswap.h packet.h +auth.o: openbsd-compat/sys-queue.h dispatch.h authfile.h monitor_wrap.h ssherr.h compat.h channels.h auth2-chall.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h misc.h 
servconf.h auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h canohost.h 
@@ -17,28 +26,19 @@ auth2-none.o: monitor_wrap.h auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h log.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h 
pathnames.h auth2-pubkey.o: uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h ssherr.h channels.h session.h -auth-bsdauth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h groupaccess.h log.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h canohost.h uidswap.h packet.h -auth.o: openbsd-compat/sys-queue.h dispatch.h authfile.h monitor_wrap.h 
ssherr.h compat.h channels.h +auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h sshbuf.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h +auth2.o: ssherr.h monitor_wrap.h digest.h authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h 
compat.h log.h atomicio.h misc.h ssherr.h authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h ssherr.h krl.h -auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h sshbuf.h sshkey.h misc.h servconf.h uidswap.h hostfile.h auth.h auth-pam.h audit.h loginrec.h -auth-options.o: 
includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h log.h sshbuf.h misc.h sshkey.h match.h ssh2.h auth-options.h -auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h 
openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h ssherr.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h -auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h misc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h -auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h 
openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -auth-skey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h 
openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h canohost.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h canohost.h misc.h chacha.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h 
openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h chacha.h channels.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h ssherr.h sshbuf.h packet.h dispatch.h log.h misc.h channels.h compat.h canohost.h sshkey.h authfd.h pathnames.h match.h cipher-aes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h 
openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h cipher-aesctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher-aesctr.h rijndael.h -cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h 
openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h misc.h sshbuf.h ssherr.h digest.h openbsd-compat/openssl-compat.h cipher-chachapoly.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h sshbuf.h ssherr.h cipher-chachapoly.h chacha.h poly1305.h cipher-ctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h 
openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h misc.h sshbuf.h ssherr.h digest.h openbsd-compat/openssl-compat.h cleanup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h 
openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h sshbuf.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h clientloop.o: kex.h mac.h crypto_api.h myproposal.h log.h misc.h readconf.h clientloop.h sshconnect.h authfd.h atomicio.h sshpty.h match.h msg.h ssherr.h hostfile.h 
@@ -55,8 +55,8 @@ fe25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compa ge25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h fe25519.h crypto_api.h sc25519.h ge25519.h ge25519_base.data groupaccess.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h groupaccess.h match.h log.h gss-genr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h 
openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h gss-serv-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h 
openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h hash.o: crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h digest.h log.h ssherr.h hmac.o: includes.h config.h defines.h platform.h 
openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h digest.h hmac.h hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h misc.h ssherr.h digest.h hmac.h 
@@ -90,10 +90,10 @@ mux.o: ssherr.h nchan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h ssh2.h sshbuf.h ssherr.h packet.h dispatch.h channels.h compat.h log.h packet.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h compat.h ssh2.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h digest.h log.h canohost.h packet.o: misc.h channels.h ssh.h packet.h dispatch.h 
ssherr.h sshbuf.h -platform.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h platform-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h platform-pledge.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h 
openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h platform-tracing.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h +platform.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h 
openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h poly1305.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h poly1305.h progressmeter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h progressmeter.h atomicio.h misc.h utf8.h readconf.o: includes.h config.h 
defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h ssherr.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h pathnames.h log.h sshkey.h misc.h readconf.h match.h 
@@ -116,62 +116,64 @@ serverloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-co serverloop.o: poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h ssherr.h session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h sshbuf.h ssherr.h match.h uidswap.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h session.o: poly1305.h cipher-aesctr.h rijndael.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfd.h pathnames.h log.h misc.h servconf.h sshlogin.h serverloop.h canohost.h session.h kex.h mac.h crypto_api.h monitor_wrap.h sftp.h atomicio.h -sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h 
openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h pathnames.h misc.h utf8.h sftp.h ssherr.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h sshbuf.h log.h atomicio.h progressmeter.h misc.h utf8.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-common.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h 
openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssherr.h sshbuf.h log.h misc.h sftp.h sftp-common.h sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-realpath.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h 
openbsd-compat/bsd-nextstep.h entropy.h -sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h sftp.h misc.h xmalloc.h +sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h 
openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h +sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h pathnames.h misc.h utf8.h sftp.h ssherr.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h +sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h 
openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sntrup4591761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h 
openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h ssherr.h digest.h ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h compat.h log.h misc.h digest.h ssherr.h match.h msg.h pathnames.h ssh-pkcs11.h ssh-sk.h +ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h 
+ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +ssh-ed25519-sk.o: crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h 
openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h sshbuf.h sshkey.h ssherr.h ssh.h digest.h +ssh-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h log.h sshbuf.h sshkey.h ssherr.h ssh.h +ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h 
openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h authfile.h sshbuf.h pathnames.h log.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssherr.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h sshsig.h ssh-sk.h +ssh-keygen.o: sk-api.h +ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h compat.h myproposal.h +ssh-keyscan.o: packet.h dispatch.h log.h atomicio.h misc.h hostfile.h ssherr.h ssh_api.h ssh2.h dns.h +ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h 
openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h sshkey.h ssh.h ssh2.h misc.h sshbuf.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h ssherr.h +ssh-pkcs11-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +ssh-pkcs11-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h 
openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h sshbuf.h log.h misc.h sshkey.h authfd.h ssh-pkcs11.h ssherr.h +ssh-pkcs11.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h sshkey.h +ssh-rsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +ssh-sk-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h 
openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h sshkey.h authfd.h misc.h sshbuf.h msg.h uidswap.h ssherr.h ssh-sk.h +ssh-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +ssh-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h 
openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +ssh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h canohost.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h +ssh.o: packet.h dispatch.h sshbuf.h channels.h sshkey.h authfd.h authfile.h pathnames.h clientloop.h log.h misc.h readconf.h sshconnect.h kex.h mac.h crypto_api.h sshpty.h match.h msg.h version.h ssherr.h myproposal.h utf8.h ssh_api.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h 
openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh_api.h openbsd-compat/sys-queue.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h ssh.h ssh2.h packet.h dispatch.h compat.h ssh_api.o: log.h authfile.h misc.h version.h myproposal.h ssherr.h sshbuf.h openbsd-compat/openssl-compat.h -sshbuf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h misc.h sshbuf-getput-basic.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h 
openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h sshbuf-getput-crypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h 
openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h -ssh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h canohost.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h -ssh.o: packet.h dispatch.h sshbuf.h channels.h sshkey.h authfd.h authfile.h pathnames.h clientloop.h log.h misc.h readconf.h sshconnect.h kex.h mac.h crypto_api.h sshpty.h match.h msg.h version.h ssherr.h myproposal.h utf8.h -sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h 
openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h -sshconnect2.o: crypto_api.h myproposal.h sshconnect.h authfile.h dh.h authfd.h log.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h ssherr.h utf8.h ssh-sk.h +sshbuf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h misc.h sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h 
openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h sshkey.h sshconnect.h log.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h sshconnect.o: version.h authfile.h ssherr.h authfd.h kex.h mac.h crypto_api.h +sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h +sshconnect2.o: crypto_api.h myproposal.h sshconnect.h authfile.h dh.h authfd.h log.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h ssherr.h utf8.h ssh-sk.h sk-api.h sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h 
openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h sshd.o: cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h myproposal.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h ssherr.h -ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h 
openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -ssh-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h 
openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h log.h sshbuf.h sshkey.h ssherr.h ssh.h ssherr.o: ssherr.h -sshkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh2.h ssherr.h misc.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h match.h ssh-sk.h openbsd-compat/openssl-compat.h -ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h 
openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h authfile.h sshbuf.h pathnames.h log.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssherr.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h sshsig.h ssh-sk.h -ssh-keygen.o: sk-api.h -ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h compat.h myproposal.h -ssh-keyscan.o: packet.h dispatch.h log.h atomicio.h misc.h hostfile.h ssherr.h ssh_api.h ssh2.h dns.h -ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h 
openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h sshkey.h ssh.h ssh2.h misc.h sshbuf.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h ssherr.h sshkey-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +sshkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h 
openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh2.h ssherr.h misc.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h match.h ssh-sk.h openbsd-compat/openssl-compat.h sshlogin.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshlogin.h ssherr.h loginrec.h log.h sshbuf.h misc.h servconf.h -ssh-pkcs11.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h sshkey.h -ssh-pkcs11-client.o: includes.h config.h defines.h platform.h 
openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -ssh-pkcs11-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h sshbuf.h log.h misc.h sshkey.h authfd.h ssh-pkcs11.h ssherr.h sshpty.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h 
openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshpty.h log.h misc.h -ssh-rsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshsig.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h 
openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h authfd.h authfile.h log.h misc.h sshbuf.h sshsig.h ssherr.h sshkey.h match.h digest.h -ssh-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -ssh-sk-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h sshkey.h authfd.h misc.h sshbuf.h msg.h uidswap.h ssherr.h ssh-sk.h sshtty.o: includes.h config.h defines.h platform.h 
openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshpty.h -ssh-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ttymodes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h 
openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h compat.h sshbuf.h ssherr.h ttymodes.h uidswap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h uidswap.h xmalloc.h -umac128.o: umac.c includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h 
openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h umac.h misc.h rijndael.h umac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h umac.h misc.h rijndael.h +umac128.o: umac.c includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h umac.h misc.h rijndael.h utf8.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h 
openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h utf8.h verify.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h xmalloc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h 
openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h xmss_commons.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmss_fast.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h 
openbsd-compat/bsd-nextstep.h entropy.h -xmss_hash_address.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmss_hash.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h +xmss_hash_address.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h 
openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmss_wots.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/rmd160.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h diff --git a/Makefile.in b/Makefile.in index 3acfab5c5..ae0b0cb02 100644 --- a/Makefile.in +++ b/Makefile.in @@ -50,6 +50,7 @@ GSSLIBS=@GSSLIBS@ SSHLIBS=@SSHLIBS@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ +LIBFIDO2=@LIBFIDO2@ AR=@AR@ AWK=@AWK@ RANLIB=@RANLIB@ 
@@ -98,8 +99,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
 ssh-pkcs11.o smult_curve25519_ref.o \
 poly1305.o chacha.o cipher-chachapoly.o \
- ssh-ed25519.o ssh-sk.o digest-openssl.o digest-libc.o hmac.o \
- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
+ ssh-ed25519.o ssh-sk.o sk-usbhid.c digest-openssl.o digest-libc.o \
+ hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
 kexgexc.o kexgexs.o \
 sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
diff --git a/configure.ac b/configure.ac
index 70019e03b..6e32374cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3061,6 +3061,39 @@ if test "x$enable_sk" = "xyes" ; then
 fi
 AC_MSG_RESULT([$enable_sk])
+# Now check for built-in security key support.
+if test "x$enable_sk" = "xyes" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ use_pkgconfig_for_libfido2=
+ if test "x$PKGCONFIG" != "xno"; then
+ AC_MSG_CHECKING([if $PKGCONFIG knows about libfido2])
+ if "$PKGCONFIG" libfido2; then
+ AC_MSG_RESULT([yes])
+ use_pkgconfig_for_libfido2=yes
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ if test "x$use_pkgconfig_for_libfido2" = "xyes"; then
+ LIBFIDO2=`$PKGCONFIG --libs libfido2`
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
+ else
+ LIBFIDO2="-lfido2 -lcbor"
+ fi
+ OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
+ AC_CHECK_LIB([fido2], [fido_init],
+ [
+ LIBS="$LIBS $LIBFIDO2" # XXX avoid linking to all.
+ AC_SUBST([LIBFIDO2])
+ AC_DEFINE([ENABLE_SK_INTERNAL], [],
+ [Enable for built-in U2F/FIDO support])
+ enable_sk="built-in"
+ ],
+ [ AC_MSG_ERROR([libfido2 not found]) ],
+ [ $OTHERLIBS ]
+ )
+fi
+
 AC_CHECK_FUNCS([ \
 arc4random \
 arc4random_buf \
diff --git a/readconf.c b/readconf.c
index 66fb0d2bb..c046e4dbf 100644
--- a/readconf.c
+++ b/readconf.c
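Review bot: `sk-usbhid.c` is listed among object files in the added `+ ssh-ed25519.o ssh-sk.o sk-usbhid.c digest-openssl.o digest-libc.o \` line of LIBSSH_OBJS, where every other entry is a `.o`; whatever drives `$(AR)` for libssh.a (outside this hunk) will either archive the source file or fail, and the sk-usbhid functions will be missing from the library in a build that otherwise links. The line should read `ssh-ed25519.o ssh-sk.o sk-usbhid.o digest-openssl.o digest-libc.o \`. The LIBSSH_OBJS definition continues outside the hunk, so it is worth grepping the rest of it for the same slip.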
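Review bot: The `LIBS="$LIBS $LIBFIDO2" # XXX avoid linking to all.` line in the AC_CHECK_LIB success branch appends libfido2 (and libcbor, via the `-lfido2 -lcbor` fallback) to the global LIBS, so every binary produced by the build, presumably including the privileged sshd, carries the FIDO/CBOR parsing code whether or not it ever talks to a token. The same branch already does `AC_SUBST([LIBFIDO2])`, and the Makefile.in hunk above adds `LIBFIDO2=@LIBFIDO2@`, so the XXX can be closed in this commit: drop the `LIBS=` line and add `$(LIBFIDO2)` only to the link rules of the programs that actually use the internal provider (those rules are outside this hunk). Separately, once `enable_sk` is set a missing libfido2 is now a hard `AC_MSG_ERROR([libfido2 not found])` rather than a fallback to the helper-only configuration; if that is intended, a one-line comment above the check saying so, e.g. `# libfido2 is mandatory when security-key support is enabled`, would spare packagers a surprise.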
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.313 2019/11/13 05:42:26 deraadt Exp $ */
+/* $OpenBSD: readconf.c,v 1.314 2019/11/14 21:27:29 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -2129,8 +2129,13 @@ fill_default_options(Options * options)
 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 if (options->update_hostkeys == -1)
 options->update_hostkeys = 0;
+#ifdef ENABLE_SK_INTERNAL
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("internal");
+#else
 if (options->sk_provider == NULL)
 options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+#endif
 /* Expand KEX name lists */
 all_cipher = cipher_alg_list(',', 0);
diff --git a/sk-usbhid.c b/sk-usbhid.c
new file mode 100644
index 000000000..c0a6bd0da
--- /dev/null
+++ b/sk-usbhid.c
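Review bot: The two arms of the new `#ifdef ENABLE_SK_INTERNAL` in fill_default_options repeat the `if (options->sk_provider == NULL)` test and differ only in the default string, and the internal-build arm drops the `"$SSH_SK_PROVIDER"` default altogether, so a user who relies on that environment variable silently gets the built-in provider once the package is compiled against libfido2 (whether anything else still consults the variable is not visible in this hunk). I would hoist the choice into one macro defined under the existing `#ifdef`, `#define DEFAULT_SK_PROVIDER "internal"` in one arm and `#define DEFAULT_SK_PROVIDER "$SSH_SK_PROVIDER"` in the other, and keep a single `options->sk_provider = xstrdup(DEFAULT_SK_PROVIDER);` guarded by one NULL check. A comment above it such as `/* Built-in provider takes precedence over $SSH_SK_PROVIDER when compiled in; configure a provider explicitly to override. */` would make the build-dependent behaviour discoverable. fill_default_options starts and ends outside the hunk.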
@@ -0,0 +1,697 @@
+/*
+ * Copyright (c) 2019 Markus Friedl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef ENABLE_SK_INTERNAL
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+#ifndef SK_STANDALONE
+#include "log.h"
+#include "xmalloc.h"
+#endif
+
+/* #define SK_DEBUG 1 */
+
+#define MAX_FIDO_DEVICES 256
+
+/* Compatibility with OpenSSH 1.0.x */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define ECDSA_SIG_get0(sig, pr, ps) \
+ do { \
+ (*pr) = sig->r; \
+ (*ps) = sig->s; \
+ } while (0)
+#endif
+
+#define SK_VERSION_MAJOR 0x00020000 /* current API version */
+
+/* Flags */
+#define SK_USER_PRESENCE_REQD 0x01
+
+/* Algs */
+#define SK_ECDSA 0x00
+#define SK_ED25519 0x01
+
+struct sk_enroll_response {
+ uint8_t *public_key;
+ size_t public_key_len;
+ uint8_t *key_handle;
+ size_t key_handle_len;
+ uint8_t *signature;
+ size_t signature_len;
+ uint8_t *attestation_cert;
+ size_t attestation_cert_len;
+};
+
+struct sk_sign_response {
+ uint8_t flags;
+ uint32_t counter;
+ uint8_t *sig_r;
+ size_t sig_r_len;
+ uint8_t *sig_s;
+ size_t sig_s_len;
+};
+
+/* If building as part of OpenSSH, then rename exported functions */
+#if !defined(SK_STANDALONE)
+#define sk_api_version 
ssh_sk_api_version +#define sk_enroll ssh_sk_enroll +#define sk_sign ssh_sk_sign +#endif + +/* Return the version of the middleware API */ +uint32_t sk_api_version(void); + +/* Enroll a U2F key (private key generation) */ +int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, + const char *application, uint8_t flags, + struct sk_enroll_response **enroll_response); + +/* Sign a challenge */ +int sk_sign(int alg, const uint8_t *message, size_t message_len, + const char *application, const uint8_t *key_handle, size_t key_handle_len, + uint8_t flags, struct sk_sign_response **sign_response); + +static void skdebug(const char *func, const char *fmt, ...) + __attribute__((__format__ (printf, 2, 3))); + +static void +skdebug(const char *func, const char *fmt, ...) +{ +#if !defined(SK_STANDALONE) + char *msg; + va_list ap; + + va_start(ap, fmt); + xvasprintf(&msg, fmt, ap); + va_end(ap); + debug("%s: %s", __func__, msg); + free(msg); +#elif defined(SK_DEBUG) + va_list ap; + + va_start(ap, fmt); + fprintf(stderr, "%s: ", func); + vfprintf(stderr, fmt, ap); + fputc('\n', stderr); + va_end(ap); +#else + (void)func; /* XXX */ + (void)fmt; /* XXX */ +#endif +} + +uint32_t +sk_api_version(void) +{ + return SK_VERSION_MAJOR; +} + +/* Select the first identified FIDO device attached to the system */ +static char * +pick_first_device(void) +{ + char *ret = NULL; + fido_dev_info_t *devlist = NULL; + size_t olen = 0; + int r; + const fido_dev_info_t *di; + + if ((devlist = fido_dev_info_new(1)) == NULL) { + skdebug(__func__, "fido_dev_info_new failed"); + goto out; + } + if ((r = fido_dev_info_manifest(devlist, 1, &olen)) != FIDO_OK) { + skdebug(__func__, "fido_dev_info_manifest failed: %s", + fido_strerr(r)); + goto out; + } + if (olen != 1) { + skdebug(__func__, "fido_dev_info_manifest bad len %zu", olen); + goto out; + } + di = fido_dev_info_ptr(devlist, 0); + if ((ret = strdup(fido_dev_info_path(di))) == NULL) { + skdebug(__func__, "fido_dev_info_path failed"); + 
goto out; + } + out: + fido_dev_info_free(&devlist, 1); + return ret; +} + +/* Check if the specified key handle exists on a given device. */ +static int +try_device(fido_dev_t *dev, const uint8_t *message, size_t message_len, + const char *application, const uint8_t *key_handle, size_t key_handle_len) +{ + fido_assert_t *assert = NULL; + int r = FIDO_ERR_INTERNAL; + + if ((assert = fido_assert_new()) == NULL) { + skdebug(__func__, "fido_assert_new failed"); + goto out; + } + if ((r = fido_assert_set_clientdata_hash(assert, message, + message_len)) != FIDO_OK) { + skdebug(__func__, "fido_assert_set_clientdata_hash: %s", + fido_strerr(r)); + goto out; + } + if ((r = fido_assert_set_rp(assert, application)) != FIDO_OK) { + skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_assert_allow_cred(assert, key_handle, + key_handle_len)) != FIDO_OK) { + skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_assert_set_up(assert, FIDO_OPT_FALSE)) != FIDO_OK) { + skdebug(__func__, "fido_assert_up: %s", fido_strerr(r)); + goto out; + } + r = fido_dev_get_assert(dev, assert, NULL); + skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r)); + out: + fido_assert_free(&assert); + + return r != FIDO_OK ? 
-1 : 0; +} + +/* Iterate over configured devices looking for a specific key handle */ +static fido_dev_t * +find_device(const uint8_t *message, size_t message_len, const char *application, + const uint8_t *key_handle, size_t key_handle_len) +{ + fido_dev_info_t *devlist = NULL; + fido_dev_t *dev = NULL; + size_t devlist_len = 0; + const char *path; + int r; + + if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) { + skdebug(__func__, "fido_dev_info_new failed"); + goto out; + } + if ((r = fido_dev_info_manifest(devlist, MAX_FIDO_DEVICES, + &devlist_len)) != FIDO_OK) { + skdebug(__func__, "fido_dev_info_manifest: %s", fido_strerr(r)); + goto out; + } + + skdebug(__func__, "found %zu device(s)", devlist_len); + + for (size_t i = 0; i < devlist_len; i++) { + const fido_dev_info_t *di = fido_dev_info_ptr(devlist, i); + + if (di == NULL) { + skdebug(__func__, "fido_dev_info_ptr %zu failed", i); + continue; + } + if ((path = fido_dev_info_path(di)) == NULL) { + skdebug(__func__, "fido_dev_info_path %zu failed", i); + continue; + } + skdebug(__func__, "trying device %zu: %s", i, path); + if ((dev = fido_dev_new()) == NULL) { + skdebug(__func__, "fido_dev_new failed"); + continue; + } + if ((r = fido_dev_open(dev, path)) != FIDO_OK) { + skdebug(__func__, "fido_dev_open failed"); + fido_dev_free(&dev); + continue; + } + if (try_device(dev, message, message_len, application, + key_handle, key_handle_len) == 0) { + skdebug(__func__, "found key"); + break; + } + fido_dev_close(dev); + fido_dev_free(&dev); + } + + out: + if (devlist != NULL) + fido_dev_info_free(&devlist, MAX_FIDO_DEVICES); + + return dev; +} + +/* + * The key returned via fido_cred_pubkey_ptr() is in affine coordinates, + * but the API expects a SEC1 octet string. 
+ */ +static int +pack_public_key_ecdsa(fido_cred_t *cred, struct sk_enroll_response *response) +{ + const uint8_t *ptr; + BIGNUM *x = NULL, *y = NULL; + EC_POINT *q = NULL; + EC_GROUP *g = NULL; + BN_CTX *bn_ctx = NULL; + int ret = -1; + + response->public_key = NULL; + response->public_key_len = 0; + + if ((bn_ctx = BN_CTX_new()) == NULL || + (x = BN_CTX_get(bn_ctx)) == NULL || + (y = BN_CTX_get(bn_ctx)) == NULL || + (g = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL || + (q = EC_POINT_new(g)) == NULL) { + skdebug(__func__, "libcrypto setup failed"); + goto out; + } + if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) { + skdebug(__func__, "fido_cred_pubkey_ptr failed"); + goto out; + } + if (fido_cred_pubkey_len(cred) != 64) { + skdebug(__func__, "bad fido_cred_pubkey_len %zu", + fido_cred_pubkey_len(cred)); + goto out; + } + + if (BN_bin2bn(ptr, 32, x) == NULL || + BN_bin2bn(ptr + 32, 32, y) == NULL) { + skdebug(__func__, "BN_bin2bn failed"); + goto out; + } + if (EC_POINT_set_affine_coordinates_GFp(g, q, x, y, bn_ctx) != 1) { + skdebug(__func__, "EC_POINT_set_affine_coordinates_GFp failed"); + goto out; + } + response->public_key_len = EC_POINT_point2oct(g, q, + POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bn_ctx); + if (response->public_key_len == 0 || response->public_key_len > 2048) { + skdebug(__func__, "bad pubkey length %zu", + response->public_key_len); + goto out; + } + if ((response->public_key = malloc(response->public_key_len)) == NULL) { + skdebug(__func__, "malloc pubkey failed"); + goto out; + } + if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED, + response->public_key, response->public_key_len, bn_ctx) == 0) { + skdebug(__func__, "EC_POINT_point2oct failed"); + goto out; + } + /* success */ + ret = 0; + out: + if (ret != 0 && response->public_key != NULL) { + memset(response->public_key, 0, response->public_key_len); + free(response->public_key); + response->public_key = NULL; + } + EC_POINT_free(q); + EC_GROUP_free(g); + 
BN_CTX_free(bn_ctx); + return ret; +} + +static int +pack_public_key_ed25519(fido_cred_t *cred, struct sk_enroll_response *response) +{ + const uint8_t *ptr; + size_t len; + int ret = -1; + + response->public_key = NULL; + response->public_key_len = 0; + + if ((len = fido_cred_pubkey_len(cred)) != 32) { + skdebug(__func__, "bad fido_cred_pubkey_len len %zu", len); + goto out; + } + if ((ptr = fido_cred_pubkey_ptr(cred)) == NULL) { + skdebug(__func__, "fido_cred_pubkey_ptr failed"); + goto out; + } + response->public_key_len = len; + if ((response->public_key = malloc(response->public_key_len)) == NULL) { + skdebug(__func__, "malloc pubkey failed"); + goto out; + } + memcpy(response->public_key, ptr, len); + ret = 0; + out: + if (ret != 0) + free(response->public_key); + return ret; +} + +static int +pack_public_key(int alg, fido_cred_t *cred, struct sk_enroll_response *response) +{ + switch(alg) { + case SK_ECDSA: + return pack_public_key_ecdsa(cred, response); + case SK_ED25519: + return pack_public_key_ed25519(cred, response); + default: + return -1; + } +} + +int +sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, + const char *application, uint8_t flags, + struct sk_enroll_response **enroll_reponse) +{ + fido_cred_t *cred = NULL; + fido_dev_t *dev = NULL; + const uint8_t *ptr; + uint8_t user_id[32]; + struct sk_enroll_response *response = NULL; + size_t len; + int cose_alg; + int ret = -1; + int r; + char *device = NULL; + + (void)flags; /* XXX; unused */ +#ifdef SK_DEBUG + fido_init(FIDO_DEBUG); +#endif + if (enroll_reponse == NULL) { + skdebug(__func__, "enroll_reponse == NULL"); + goto out; + } + *enroll_reponse = NULL; + switch(alg) { + case SK_ECDSA: + cose_alg = COSE_ES256; + break; + case SK_ED25519: + cose_alg = COSE_EDDSA; + break; + default: + skdebug(__func__, "unsupported key type %d", alg); + goto out; + } + if ((device = pick_first_device()) == NULL) { + skdebug(__func__, "pick_first_device failed"); + goto out; + } + 
skdebug(__func__, "using device %s", device); + if ((cred = fido_cred_new()) == NULL) { + skdebug(__func__, "fido_cred_new failed"); + goto out; + } + memset(user_id, 0, sizeof(user_id)); + if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) { + skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_cred_set_clientdata_hash(cred, challenge, + challenge_len)) != FIDO_OK) { + skdebug(__func__, "fido_cred_set_clientdata_hash: %s", + fido_strerr(r)); + goto out; + } + if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id), + "openssh", "openssh", NULL)) != FIDO_OK) { + skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_cred_set_rp(cred, application, NULL)) != FIDO_OK) { + skdebug(__func__, "fido_cred_set_rp: %s", fido_strerr(r)); + goto out; + } + if ((dev = fido_dev_new()) == NULL) { + skdebug(__func__, "fido_dev_new failed"); + goto out; + } + if ((r = fido_dev_open(dev, device)) != FIDO_OK) { + skdebug(__func__, "fido_dev_open: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_dev_make_cred(dev, cred, NULL)) != FIDO_OK) { + skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r)); + goto out; + } + if (fido_cred_x5c_ptr(cred) != NULL) { + if ((r = fido_cred_verify(cred)) != FIDO_OK) { + skdebug(__func__, "fido_cred_verify: %s", + fido_strerr(r)); + goto out; + } + } else { + skdebug(__func__, "self-attested credential"); + if ((r = fido_cred_verify_self(cred)) != FIDO_OK) { + skdebug(__func__, "fido_cred_verify_self: %s", + fido_strerr(r)); + goto out; + } + } + if ((response = calloc(1, sizeof(*response))) == NULL) { + skdebug(__func__, "calloc response failed"); + goto out; + } + if (pack_public_key(alg, cred, response) != 0) { + skdebug(__func__, "pack_public_key failed"); + goto out; + } + if ((ptr = fido_cred_id_ptr(cred)) != NULL) { + len = fido_cred_id_len(cred); + if ((response->key_handle = calloc(1, len)) == NULL) { + skdebug(__func__, "calloc key handle 
failed"); + goto out; + } + memcpy(response->key_handle, ptr, len); + response->key_handle_len = len; + } + if ((ptr = fido_cred_sig_ptr(cred)) != NULL) { + len = fido_cred_sig_len(cred); + if ((response->signature = calloc(1, len)) == NULL) { + skdebug(__func__, "calloc signature failed"); + goto out; + } + memcpy(response->signature, ptr, len); + response->signature_len = len; + } + if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) { + len = fido_cred_x5c_len(cred); + if ((response->attestation_cert = calloc(1, len)) == NULL) { + skdebug(__func__, "calloc attestation cert failed"); + goto out; + } + memcpy(response->attestation_cert, ptr, len); + response->attestation_cert_len = len; + } + *enroll_reponse = response; + response = NULL; + ret = 0; + out: + free(device); + if (response != NULL) { + free(response->public_key); + free(response->key_handle); + free(response->signature); + free(response->attestation_cert); + free(response); + } + if (dev != NULL) { + fido_dev_close(dev); + fido_dev_free(&dev); + } + if (cred != NULL) { + fido_cred_free(&cred); + } + return ret; +} + +static int +pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response) +{ + ECDSA_SIG *sig = NULL; + const BIGNUM *sig_r, *sig_s; + const unsigned char *cp; + size_t sig_len; + int ret = -1; + + cp = fido_assert_sig_ptr(assert, 0); + sig_len = fido_assert_sig_len(assert, 0); + if ((sig = d2i_ECDSA_SIG(NULL, &cp, sig_len)) == NULL) { + skdebug(__func__, "d2i_ECDSA_SIG failed"); + goto out; + } + ECDSA_SIG_get0(sig, &sig_r, &sig_s); + response->sig_r_len = BN_num_bytes(sig_r); + response->sig_s_len = BN_num_bytes(sig_s); + if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL || + (response->sig_s = calloc(1, response->sig_s_len)) == NULL) { + skdebug(__func__, "calloc signature failed"); + goto out; + } + BN_bn2bin(sig_r, response->sig_r); + BN_bn2bin(sig_s, response->sig_s); + ret = 0; + out: + ECDSA_SIG_free(sig); + if (ret != 0) { + free(response->sig_r); + 
free(response->sig_s); + response->sig_r = NULL; + response->sig_s = NULL; + } + return ret; +} + +static int +pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response) +{ + const unsigned char *ptr; + size_t len; + int ret = -1; + + ptr = fido_assert_sig_ptr(assert, 0); + len = fido_assert_sig_len(assert, 0); + if (len != 64) { + skdebug(__func__, "bad length %zu", len); + goto out; + } + response->sig_r_len = len; + if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) { + skdebug(__func__, "calloc signature failed"); + goto out; + } + memcpy(response->sig_r, ptr, len); + ret = 0; + out: + if (ret != 0) { + free(response->sig_r); + response->sig_r = NULL; + } + return ret; +} + +static int +pack_sig(int alg, fido_assert_t *assert, struct sk_sign_response *response) +{ + switch(alg) { + case SK_ECDSA: + return pack_sig_ecdsa(assert, response); + case SK_ED25519: + return pack_sig_ed25519(assert, response); + default: + return -1; + } +} + +int +sk_sign(int alg, const uint8_t *message, size_t message_len, + const char *application, + const uint8_t *key_handle, size_t key_handle_len, + uint8_t flags, struct sk_sign_response **sign_response) +{ + fido_assert_t *assert = NULL; + fido_dev_t *dev = NULL; + struct sk_sign_response *response = NULL; + int ret = -1; + int r; + +#ifdef SK_DEBUG + fido_init(FIDO_DEBUG); +#endif + + if (sign_response == NULL) { + skdebug(__func__, "sign_response == NULL"); + goto out; + } + *sign_response = NULL; + if ((dev = find_device(message, message_len, application, key_handle, + key_handle_len)) == NULL) { + skdebug(__func__, "couldn't find device for key handle"); + goto out; + } + if ((assert = fido_assert_new()) == NULL) { + skdebug(__func__, "fido_assert_new failed"); + goto out; + } + if ((r = fido_assert_set_clientdata_hash(assert, message, + message_len)) != FIDO_OK) { + skdebug(__func__, "fido_assert_set_clientdata_hash: %s", + fido_strerr(r)); + goto out; + } + if ((r = fido_assert_set_rp(assert, 
application)) != FIDO_OK) { + skdebug(__func__, "fido_assert_set_rp: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_assert_allow_cred(assert, key_handle, + key_handle_len)) != FIDO_OK) { + skdebug(__func__, "fido_assert_allow_cred: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_assert_set_up(assert, + (flags & SK_USER_PRESENCE_REQD) ? + FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) { + skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r)); + goto out; + } + if ((r = fido_dev_get_assert(dev, assert, NULL)) != FIDO_OK) { + skdebug(__func__, "fido_dev_get_assert: %s", fido_strerr(r)); + goto out; + } + if ((response = calloc(1, sizeof(*response))) == NULL) { + skdebug(__func__, "calloc response failed"); + goto out; + } + response->flags = fido_assert_flags(assert, 0); + response->counter = fido_assert_sigcount(assert, 0); + if (pack_sig(alg, assert, response) != 0) { + skdebug(__func__, "pack_sig failed"); + goto out; + } + *sign_response = response; + response = NULL; + ret = 0; + out: + if (response != NULL) { + free(response->sig_r); + free(response->sig_s); + free(response); + } + if (dev != NULL) { + fido_dev_close(dev); + fido_dev_free(&dev); + } + if (assert != NULL) { + fido_assert_free(&assert); + } + return ret; +} +#endif /* ENABLE_SK_INTERNAL */ diff --git a/ssh-add.1 b/ssh-add.1 index 73b91d945..730012cf9 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.72 2019/11/07 08:38:38 naddy Exp $ +.\" $OpenBSD: ssh-add.1,v 1.73 2019/11/14 21:27:30 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 7 2019 $ +.Dd $Mdocdate: November 14 2019 $ .Dt SSH-ADD 1 .Os .Sh NAME 
@@ -136,8 +136,7 @@ Be quiet after a successful operation. .It Fl S Ar provider Specifies a path to a security key provider library that will be used when adding any security key-hosted keys, overriding the default of using the -.Ev SSH_SK_PROVIDER -environment variable to specify a provider. +the internal USB HID support. .It Fl s Ar pkcs11 Add keys provided by the PKCS#11 shared library .Ar pkcs11 . diff --git a/ssh-add.c b/ssh-add.c index 696b156d5..d89ca41c4 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.144 2019/11/12 19:33:08 markus Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.145 2019/11/14 21:27:30 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -715,6 +715,11 @@ main(int argc, char **argv) goto done; } +#ifdef ENABLE_SK_INTERNAL + if (skprovider == NULL) + skprovider = "internal"; +#endif + argc -= optind; argv += optind; if (Tflag) { diff --git a/ssh-agent.c b/ssh-agent.c index c62c263a6..4b6c44e90 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.242 2019/11/13 07:53:10 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.243 2019/11/14 21:27:30 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -299,6 +299,13 @@ provider_sign(const char *provider, struct sshkey *key, *sigp = NULL; *lenp = 0; +#ifdef ENABLE_SK_INTERNAL + if (strcasecmp(provider, "internal") == 0) { + return sshsk_sign(provider, key, sigp, lenp, + data, datalen, compat); + } +#endif + helper = getenv("SSH_SK_HELPER"); if (helper == NULL || strlen(helper) == 0) helper = _PATH_SSH_SK_HELPER; diff --git a/ssh-keygen.1 b/ssh-keygen.1 index bdb5015d1..980fdf9f0 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.173 2019/11/07 08:38:38 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.174 2019/11/14 21:27:30 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
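Review bot: `skprovider = "internal"` hard-codes the provider name that ssh-agent.c's provider_sign and ssh-sk.c's sshsk_open later compare against with strcasecmp, and the ssh-keygen.c hunk in this series repeats the same literal for sk_provider; four copies of one magic string are easy to let drift. A single named constant in a header all of them include, e.g. `#define SSH_SK_PROVIDER_INTERNAL "internal"` (name constructed here), would let every site refer to the same value. The assignment also leaves `skprovider` pointing at a string literal, so any later `free(skprovider)` would be a bug; main continues outside the hunk, so that cannot be checked here.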
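Review bot: The added early return makes the agent call sshsk_sign() in its own process for the "internal" provider, while every other provider goes through the SSH_SK_HELPER subprocess set up in the lines that follow, and nothing in the hunk says the bypass is deliberate. Suggest a comment above the `#ifdef`: `/* "internal" middleware is linked in: no helper subprocess, signing runs in the agent itself */`. The helper indirection presumably exists to keep provider code out of the agent process, so a reader should be told why the built-in provider is exempt. The strcasecmp match is consistent with the case-insensitive check in sshsk_open; the rest of provider_sign lies outside the hunk.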
@@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 7 2019 $ +.Dd $Mdocdate: November 14 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -664,9 +664,8 @@ The maximum is 3. Specify desired generator when testing candidate moduli for DH-GEX. .It Fl w Ar provider Specifies a path to a security key provider library that will be used when -creating any security key-hosted keys, overriding the default of using the -.Ev SSH_SK_PROVIDER -environment variable to specify a provider. +creating any security key-hosted keys, overriding the default of the +internal support for USB HID keys. .It Fl x Ar flags Specifies the security key flags to use when enrolling a security key-hosted key. diff --git a/ssh-keygen.c b/ssh-keygen.c index 46d642e17..4cc70370c 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.363 2019/11/12 22:36:44 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.364 2019/11/14 21:27:30 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -3071,6 +3071,11 @@ main(int argc, char **argv) } } +#ifdef ENABLE_SK_INTERNAL + if (sk_provider == NULL) + sk_provider = "internal"; +#endif + /* reinit */ log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1); diff --git a/ssh-sk.c b/ssh-sk.c index 754577d9d..591c643d4 100644 --- a/ssh-sk.c +++ b/ssh-sk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk.c,v 1.11 2019/11/13 20:25:45 markus Exp $ */ +/* $OpenBSD: ssh-sk.c,v 1.12 2019/11/14 21:27:30 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * 
@@ -60,6 +60,15 @@ struct sshsk_provider { uint8_t flags, struct sk_sign_response **sign_response); }; +/* Built-in version */ +int ssh_sk_enroll(int alg, const uint8_t *challenge, + size_t challenge_len, const char *application, uint8_t flags, + struct sk_enroll_response **enroll_response); +int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len, + const char *application, + const uint8_t *key_handle, size_t key_handle_len, + uint8_t flags, struct sk_sign_response **sign_response); + static void sshsk_free(struct sshsk_provider *p) { @@ -85,6 +94,16 @@ sshsk_open(const char *path) error("%s: strdup failed", __func__); goto fail; } + /* Skip the rest if we're using the linked in middleware */ + if (strcasecmp(ret->path, "internal") == 0) { +#ifdef ENABLE_SK_INTERNAL + ret->sk_enroll = ssh_sk_enroll; + ret->sk_sign = ssh_sk_sign; +#else + error("internal security key support not enabled"); +#endif + return ret; + } if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { error("Security key provider %s dlopen failed: %s", path, dlerror()); diff --git a/ssh.1 b/ssh.1 index e2666fa56..2268c197f 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.404 2019/11/07 08:38:38 naddy Exp $ -.Dd $Mdocdate: November 7 2019 $ +.\" $OpenBSD: ssh.1,v 1.405 2019/11/14 21:27:30 djm Exp $ +.Dd $Mdocdate: November 14 2019 $ .Dt SSH 1 .Os .Sh NAME @@ -1329,12 +1329,6 @@ More permanent VPNs are better provided by tools such as and .Xr isakmpd 8 . .Sh ENVIRONMENT -.Bl -tag -width "SSH_ORIGINAL_COMMAND" -.It Ev SSH_SK_PROVIDER -Specifies the path to a security key provider library used to interact with -hardware security keys. -.Pp -.El .Nm will normally set the following environment variables: .Bl -tag -width "SSH_ORIGINAL_COMMAND" diff --git a/ssh_config.5 b/ssh_config.5 index ad016470c..6983f7af4 100644 
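Review bot: The two prototypes added here live only in ssh-sk.c, so the compiler never checks them against their definitions; the implementation shown earlier on this page defines `sk_enroll`/`sk_sign` with matching parameter lists (and spells the last parameter `enroll_reponse`), presumably renamed to `ssh_sk_*` by a macro in that file. Declaring them once in a header included by both translation units would turn a future signature mismatch into a build error instead of a link-time or run-time surprise. struct sshsk_provider closes inside the hunk; sshsk_free follows it.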
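Review bot: In the `#else` branch the new block logs `error("internal security key support not enabled")` and then falls through to `return ret;`, handing the caller a struct sshsk_provider whose sk_enroll/sk_sign were never set, whereas the strdup failure just above signals failure with `goto fail`. Change the branch to `error("internal security key support not enabled"); goto fail;` so a build without ENABLE_SK_INTERNAL rejects the "internal" name rather than returning a half-initialised provider. The `fail:` label and the remainder of sshsk_open lie outside the hunk.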
--- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.305 2019/11/07 08:38:38 naddy Exp $ -.Dd $Mdocdate: November 7 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.306 2019/11/14 21:27:30 djm Exp $ +.Dd $Mdocdate: November 14 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1449,9 +1449,8 @@ For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm SecurityKeyProvider Specifies a path to a security key provider library that will be used when -loading any security key-hosted keys, overriding the default of using the -.Ev SSH_SK_PROVIDER -environment variable to specify a provider. +loading any security key-hosted keys, overriding the default of using +the build-in support for USB HID keys. .It Cm SendEnv Specifies what variables from the local .Xr environ 7 -- cgit v1.2.3 From 97dc5d1d82865a7d20f1eb193b5c62ce684024e5 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Nov 2019 04:50:45 +0000 Subject: upstream: mention ed25519-sk in places where it is accepted; prompted by jmc@ OpenBSD-Commit-ID: 076d386739ebe7336c2137e583bc7a5c9538a442 --- ssh-keygen.1 | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 980fdf9f0..e4b5e9d69 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.174 2019/11/14 21:27:30 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.175 2019/11/18 04:50:45 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 14 2019 $ +.Dd $Mdocdate: November 18 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -48,7 +48,7 @@ .Op Fl C Ar comment .Op Fl f Ar output_keyfile .Op Fl m Ar format -.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa +.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa .Op Fl N Ar new_passphrase .Op Fl w Ar provider .Op Fl x Ar flags @@ -251,7 +251,7 @@ should be placed to be activated. The options are as follows: .Bl -tag -width Ds .It Fl A -For each of the key types (rsa, dsa, ecdsa, ecdsa-sk and ed25519) +For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. @@ -586,13 +586,14 @@ section for details. Test DH group exchange candidate primes (generated using the .Fl G option) for safety. -.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa +.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa Specifies the type of key to create. The possible values are .Dq dsa , .Dq ecdsa , .Dq ecdsa-sk , .Dq ed25519 , +.Dq ed25519-sk , or .Dq rsa . .Pp -- cgit v1.2.3 From f0edda81c5ebccffcce52b182c3033531a1aab71 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Mon, 18 Nov 2019 23:16:49 +0000 Subject: upstream: more missing mentions of ed25519-sk; ok djm@ OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff --- ssh-add.1 | 9 ++++++--- ssh-keygen.1 | 17 ++++++++++------- ssh-keygen.c | 4 ++-- ssh.1 | 13 ++++++++++--- ssh_config.5 | 6 +++--- 5 files changed, 31 insertions(+), 18 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-add.1 b/ssh-add.1 index 2ecbc9532..432c4c78b 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.74 2019/11/15 11:16:28 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.75 2019/11/18 23:16:49 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 15 2019 $ +.Dd $Mdocdate: November 18 2019 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -64,8 +64,9 @@ When run without arguments, it adds the files .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ecdsa_sk , +.Pa ~/.ssh/id_ed25519 , and -.Pa ~/.ssh/id_ed25519 . +.Pa ~/.ssh/id_ed25519_sk . After loading a private key, .Nm will try to load corresponding certificate information from the @@ -209,6 +210,8 @@ Contains the ECDSA authentication identity of the user. Contains the security key-hosted ECDSA authentication identity of the user. .It Pa ~/.ssh/id_ed25519 Contains the Ed25519 authentication identity of the user. +.It Pa ~/.ssh/id_ed25519_sk +Contains the security key-hosted Ed25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa Contains the RSA authentication identity of the user. .El diff --git a/ssh-keygen.1 b/ssh-keygen.1 index e4b5e9d69..feaa69efe 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.175 2019/11/18 04:50:45 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.176 2019/11/18 23:16:49 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -191,7 +191,8 @@ key in .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ecdsa_sk , -.Pa ~/.ssh/id_ed25519 +.Pa ~/.ssh/id_ed25519 , +.Pa ~/.ssh/id_ed25519_sk or .Pa ~/.ssh/id_rsa . Additionally, the system administrator may use this to generate host keys, @@ -285,7 +286,7 @@ flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. -ECDSA-SK and Ed25519 keys have a fixed length and the +ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the .Fl b flag will be ignored. .It Fl C Ar comment 
@@ -1044,9 +1045,10 @@ hardware security keys. .It Pa ~/.ssh/id_ecdsa .It Pa ~/.ssh/id_ecdsa_sk .It Pa ~/.ssh/id_ed25519 +.It Pa ~/.ssh/id_ed25519_sk .It Pa ~/.ssh/id_rsa -Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA -authentication identity of the user. +Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, +security key-hosted Ed25519 or RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be @@ -1061,9 +1063,10 @@ will read this file when a login attempt is made. .It Pa ~/.ssh/id_ecdsa.pub .It Pa ~/.ssh/id_ecdsa_sk.pub .It Pa ~/.ssh/id_ed25519.pub +.It Pa ~/.ssh/id_ed25519_sk.pub .It Pa ~/.ssh/id_rsa.pub -Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA -public key for authentication. +Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, +security key-hosted Ed25519 or RSA public key for authentication. The contents of this file should be added to .Pa ~/.ssh/authorized_keys on all machines diff --git a/ssh-keygen.c b/ssh-keygen.c index c4ce18d94..e869989d7 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.368 2019/11/18 16:10:05 naddy Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.369 2019/11/18 23:16:49 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2735,7 +2735,7 @@ usage(void) { fprintf(stderr, "usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" - " [-t dsa | ecdsa | ecdsa-sk | ed25519 | rsa]\n" + " [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n" " [-N new_passphrase] [-w provider] [-x flags]\n" " ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" " [-P old_passphrase]\n" diff --git a/ssh.1 b/ssh.1 index 2268c197f..1ce0864c7 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.405 2019/11/14 21:27:30 djm Exp $ -.Dd $Mdocdate: November 14 2019 $ +.\" $OpenBSD: ssh.1,v 1.406 2019/11/18 23:16:49 naddy Exp $ +.Dd $Mdocdate: November 18 2019 $ .Dt SSH 1 .Os .Sh NAME @@ -280,7 +280,8 @@ The default is .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ecdsa_sk , -.Pa ~/.ssh/id_ed25519 +.Pa ~/.ssh/id_ed25519 , +.Pa ~/.ssh/id_ed25519_sk and .Pa ~/.ssh/id_rsa . Identity files may also be specified on @@ -901,6 +902,8 @@ This stores the private key in (security key-hosted ECDSA), .Pa ~/.ssh/id_ed25519 (Ed25519), +.Pa ~/.ssh/id_ed25519_sk +(security key-hosted Ed25519), or .Pa ~/.ssh/id_rsa (RSA) @@ -913,6 +916,8 @@ and stores the public key in (security key-hosted ECDSA), .Pa ~/.ssh/id_ed25519.pub (Ed25519), +.Pa ~/.ssh/id_ed25519_sk.pub +(security key-hosted Ed25519), or .Pa ~/.ssh/id_rsa.pub (RSA) @@ -1491,6 +1496,7 @@ above. .It Pa ~/.ssh/id_ecdsa .It Pa ~/.ssh/id_ecdsa_sk .It Pa ~/.ssh/id_ed25519 +.It Pa ~/.ssh/id_ed25519_sk .It Pa ~/.ssh/id_rsa Contains the private key for authentication. These files @@ -1506,6 +1512,7 @@ sensitive part of this file using AES-128. .It Pa ~/.ssh/id_ecdsa.pub .It Pa ~/.ssh/id_ecdsa_sk.pub .It Pa ~/.ssh/id_ed25519.pub +.It Pa ~/.ssh/id_ed25519_sk.pub .It Pa ~/.ssh/id_rsa.pub Contains the public key for authentication. These files are not diff --git a/ssh_config.5 b/ssh_config.5 index 1f3c3413f..1c0663d81 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.307 2019/11/18 04:55:02 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.308 2019/11/18 23:16:49 naddy Exp $ .Dd $Mdocdate: November 18 2019 $ .Dt SSH_CONFIG 5 .Os 
@@ -931,8 +931,8 @@ The default is .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ecdsa_sk , -.Pa ~/.ssh/id_ed25519_sk , -.Pa ~/.ssh/id_ed25519 +.Pa ~/.ssh/id_ed25519 , +.Pa ~/.ssh/id_ed25519_sk and .Pa ~/.ssh/id_rsa . Additionally, any identities represented by the authentication agent -- cgit v1.2.3 From 2e71263b80fec7ad977e098004fef7d122169d40 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 25 Nov 2019 00:54:23 +0000 Subject: upstream: add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e --- auth-options.c | 38 ++++++++++++++++++++++++++------------ auth-options.h | 5 ++++- auth.c | 7 ++++--- auth2-pubkey.c | 5 +++-- monitor.c | 5 +++-- ssh-keygen.1 | 12 ++++++++++-- ssh-keygen.c | 25 +++++++++++++++++-------- sshd.8 | 13 +++++++++++-- 8 files changed, 78 insertions(+), 32 deletions(-) (limited to 'ssh-keygen.1') diff --git a/auth-options.c b/auth-options.c index 90b0d7f25..2d200944c 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */ +/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller * @@ -96,7 +96,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, name, sshbuf_len(data)); found = 0; if ((which & OPTIONS_EXTENSIONS) != 0) { - if (strcmp(name, "permit-X11-forwarding") == 0) { + if (strcmp(name, "no-touch-required") == 0) { + opts->no_require_user_presence = 1; + found = 1; + } else if (strcmp(name, "permit-X11-forwarding") == 0) { opts->permit_x11_forwarding_flag = 1; found = 1; } else if (strcmp(name, 
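Review bot: The new `no-touch-required` branch in cert_option_list is reached only when `(which & OPTIONS_EXTENSIONS) != 0`, but ssh-keygen's prepare_options_buf hunk later in this series emits the option under `(which & OPTIONS_CRITICAL) != 0`, so a certificate ssh-keygen produces with this option carries it in the section where the server does not look for it. The two sides must agree, and since the option relaxes a requirement the extensions section is the safer home (a critical option a server does not recognise makes the certificate unusable, whereas an unknown extension is ignored), i.e. change the ssh-keygen line to `if ((which & OPTIONS_EXTENSIONS) != 0 &&`. show_options in the same file also groups the name with the permit-* flags, but the start of that condition is outside its hunk. cert_option_list continues outside this hunk.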
@@ -347,6 +350,8 @@ sshauthopt_parse(const char *opts, const char **errstrp) ret->permit_agent_forwarding_flag = r == 1; } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) { ret->permit_x11_forwarding_flag = r == 1; + } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) { + ret->no_require_user_presence = r != 1; /* NB. flip */ } else if ((r = opt_flag("pty", 1, &opts)) != -1) { ret->permit_pty_flag = r == 1; } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { @@ -567,14 +572,15 @@ sshauthopt_merge(const struct sshauthopt *primary, goto alloc_fail; } - /* Flags are logical-AND (i.e. must be set in both for permission) */ -#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1) - OPTFLAG(permit_port_forwarding_flag); - OPTFLAG(permit_agent_forwarding_flag); - OPTFLAG(permit_x11_forwarding_flag); - OPTFLAG(permit_pty_flag); - OPTFLAG(permit_user_rc); -#undef OPTFLAG +#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1) + /* Permissive flags are logical-AND (i.e. must be set in both) */ + OPTFLAG_AND(permit_port_forwarding_flag); + OPTFLAG_AND(permit_agent_forwarding_flag); + OPTFLAG_AND(permit_x11_forwarding_flag); + OPTFLAG_AND(permit_pty_flag); + OPTFLAG_AND(permit_user_rc); + OPTFLAG_AND(no_require_user_presence); +#undef OPTFLAG_AND /* Earliest expiry time should win */ if (primary->valid_before != 0) @@ -643,6 +649,7 @@ sshauthopt_copy(const struct sshauthopt *orig) OPTSCALAR(cert_authority); OPTSCALAR(force_tun_device); OPTSCALAR(valid_before); + OPTSCALAR(no_require_user_presence); #undef OPTSCALAR #define OPTSTRING(x) \ do { \ 
@@ -765,7 +772,7 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, { int r = SSH_ERR_INTERNAL_ERROR; - /* Flag and simple integer options */ + /* Flag options */ if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 || @@ -773,7 +780,11 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || (r = sshbuf_put_u8(m, opts->restricted)) != 0 || (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || - (r = sshbuf_put_u64(m, opts->valid_before)) != 0) + (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0) + return r; + + /* Simple integer options */ + if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0) return r; /* tunnel number can be negative to indicate "unset" */ @@ -817,6 +828,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) if ((opts = calloc(1, sizeof(*opts))) == NULL) return SSH_ERR_ALLOC_FAIL; + /* Flag options */ #define OPT_FLAG(x) \ do { \ if ((r = sshbuf_get_u8(m, &f)) != 0) \ @@ -830,8 +842,10 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) OPT_FLAG(permit_user_rc); OPT_FLAG(restricted); OPT_FLAG(cert_authority); + OPT_FLAG(no_require_user_presence); #undef OPT_FLAG + /* Simple integer options */ if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0) goto out; diff --git a/auth-options.h b/auth-options.h index 14cbfa49d..d96ffedee 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.28 2019/07/09 04:15:00 djm Exp $ */ +/* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller 
@@ -68,6 +68,9 @@ struct sshauthopt { */ char *required_from_host_cert; char *required_from_host_keys; + + /* Key requires user presence asserted */ + int no_require_user_presence; }; struct sshauthopt *sshauthopt_new(void); diff --git a/auth.c b/auth.c index b092f212c..0a46e1d8a 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.142 2019/10/16 06:05:39 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.143 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -1005,7 +1005,7 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) snprintf(buf, sizeof(buf), "%d", opts->force_tun_device); /* Try to keep this alphabetically sorted */ - snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s", + snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s", opts->permit_agent_forwarding_flag ? " agent-forwarding" : "", opts->force_command == NULL ? "" : " command", do_env ? " environment" : "", @@ -1018,7 +1018,8 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) opts->force_tun_device == -1 ? "" : " tun=", opts->force_tun_device == -1 ? "" : buf, opts->permit_user_rc ? " user-rc" : "", - opts->permit_x11_forwarding_flag ? " x11-forwarding" : ""); + opts->permit_x11_forwarding_flag ? " x11-forwarding" : "", + opts->no_require_user_presence ? " no-touch-required" : ""); debug("%s: %s", loc, msg); if (do_remote) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 0ef982a48..b656b1f8c 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.96 2019/11/25 00:52:46 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.97 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
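Review bot: The comment on the new field states the opposite of what its name means: `no_require_user_presence` is nonzero when presence is *not* required, as the `r != 1` flip in sshauthopt_parse and the `!authopts->no_require_user_presence` use in auth2-pubkey.c confirm. Suggest `/* Nonzero: signatures by this key need not assert user presence (no-touch-required) */`. struct sshauthopt starts outside the hunk.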
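Review bot: The new ` no-touch-required` argument is appended after ` x11-forwarding`, although the context line above the format string asks for the list to be kept alphabetically sorted; it belongs among the arguments ahead of the ` tun=` pair, and the `%s` count change in the preceding hunk is unaffected by where it sits. Only the tail of the argument list is visible, so the exact slot is outside the hunk.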
@@ -225,7 +225,8 @@ userauth_pubkey(struct ssh *ssh) __func__, sig_details->sk_counter, sig_details->sk_flags); req_presence = (options.pubkey_auth_options & - PUBKEYAUTH_TOUCH_REQUIRED); + PUBKEYAUTH_TOUCH_REQUIRED) || + !authopts->no_require_user_presence; if (req_presence && (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) { error("public key %s signature for %s%s from " diff --git a/monitor.c b/monitor.c index 9b171c447..d4be7409e 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.203 2019/11/25 00:52:46 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.204 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1440,7 +1440,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) if (ret == 0 && key_blobtype == MM_USERKEY && sig_details != NULL) { req_presence = (options.pubkey_auth_options & - PUBKEYAUTH_TOUCH_REQUIRED); + PUBKEYAUTH_TOUCH_REQUIRED) || + !key_opts->no_require_user_presence; if (req_presence && (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) { error("public key %s %s signature for %s%s from %.128s " diff --git a/ssh-keygen.1 b/ssh-keygen.1 index feaa69efe..06aead348 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.176 2019/11/18 23:16:49 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 18 2019 $ +.Dd $Mdocdate: November 25 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
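Review bot: The precedence encoded in the new `req_presence` expression — a server-wide `PubkeyAuthOptions touch-required` wins over a per-key `no-touch-required` — is the security-relevant decision of this change and deserves a comment, e.g. `/* sshd_config touch-required overrides the key's no-touch-required */`. The identical expression appears in the monitor.c hunk that follows; a small shared helper taking the options word and the sshauthopt would keep the two from drifting. userauth_pubkey continues outside the hunk.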
@@ -534,6 +534,14 @@ by .It Ic permit-X11-forwarding Allows X11 forwarding. .Pp +.It Ic no-touch-required +Do not require signatures made using this key require demonstration +of user presence (e.g. by having the user touch the key). +This option only makes sense for the Security Key algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . +.Pp .It Ic source-address Ns = Ns Ar address_list Restrict the source addresses from which the certificate is considered valid. The diff --git a/ssh-keygen.c b/ssh-keygen.c index 08dd7cb8a..16d196fc8 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.370 2019/11/25 00:51:37 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -120,11 +120,12 @@ static u_int64_t cert_valid_from = 0; static u_int64_t cert_valid_to = ~0ULL; /* Certificate options */ -#define CERTOPT_X_FWD (1) -#define CERTOPT_AGENT_FWD (1<<1) -#define CERTOPT_PORT_FWD (1<<2) -#define CERTOPT_PTY (1<<3) -#define CERTOPT_USER_RC (1<<4) +#define CERTOPT_X_FWD (1) +#define CERTOPT_AGENT_FWD (1<<1) +#define CERTOPT_PORT_FWD (1<<2) +#define CERTOPT_PTY (1<<3) +#define CERTOPT_USER_RC (1<<4) +#define CERTOPT_NO_REQUIRE_USER_PRESENCE (1<<5) #define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \ CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC) static u_int32_t certflags_flags = CERTOPT_DEFAULT; @@ -1665,6 +1666,9 @@ prepare_options_buf(struct sshbuf *c, int which) if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); + if ((which & OPTIONS_CRITICAL) != 0 && + (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0) + add_flag_option(c, "no-touch-required"); if ((which & OPTIONS_CRITICAL) != 0 && certflags_src_addr != NULL) add_string_option(c, "source-address", certflags_src_addr); 
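Review bot: The placement of the new `add_flag_option(c, "no-touch-required")` in prepare_options_buf, between the permit-user-rc extension and the source-address critical option, is load-bearing but uncommented: the certificate format requires options within a section to be lexically ordered by name, and `no-touch-required` does sort before `source-address`. Suggest a comment on the new block such as `/* critical options must remain lexically ordered by name */` so that the next option added here is inserted at the right point rather than appended. Marking the option critical is the right choice, since a verifier that does not understand it should reject the certificate rather than silently skip the presence check. prepare_options_buf starts and ends outside the hunk.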
@@ -1967,6 +1971,10 @@ add_cert_option(char *opt) certflags_flags &= ~CERTOPT_USER_RC; else if (strcasecmp(opt, "permit-user-rc") == 0) certflags_flags |= CERTOPT_USER_RC; + else if (strcasecmp(opt, "touch-required") == 0) + certflags_flags &= ~CERTOPT_NO_REQUIRE_USER_PRESENCE; + else if (strcasecmp(opt, "no-touch-required") == 0) + certflags_flags |= CERTOPT_NO_REQUIRE_USER_PRESENCE; else if (strncasecmp(opt, "force-command=", 14) == 0) { val = opt + 14; if (*val == '\0') @@ -2020,9 +2028,10 @@ show_options(struct sshbuf *optbuf, int in_critical) strcmp(name, "permit-agent-forwarding") == 0 || strcmp(name, "permit-port-forwarding") == 0 || strcmp(name, "permit-pty") == 0 || - strcmp(name, "permit-user-rc") == 0)) + strcmp(name, "permit-user-rc") == 0 || + strcmp(name, "no-touch-required") == 0)) { printf("\n"); - else if (in_critical && + } else if (in_critical && (strcmp(name, "force-command") == 0 || strcmp(name, "source-address") == 0)) { if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) diff --git a/sshd.8 b/sshd.8 index 042610a03..b32da282f 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.306 2019/11/18 04:55:02 djm Exp $ -.Dd $Mdocdate: November 18 2019 $ +.\" $OpenBSD: sshd.8,v 1.307 2019/11/25 00:54:23 djm Exp $ +.Dd $Mdocdate: November 25 2019 $ .Dt SSHD 8 .Os .Sh NAME @@ -627,6 +627,13 @@ option. Permits tty allocation previously disabled by the .Cm restrict option. +.It Cm no-touch-required +Do not require demonstration of user presence +for signatures made using this key. +This option only makes sense for the Security Key algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . .It Cm restrict Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation 
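Review bot: Adding `strcmp(name, "no-touch-required") == 0` to the list in show_options is probably ineffective, because prepare_options_buf in this same commit emits that option under OPTIONS_CRITICAL, while the surrounding list holds the permit-* extensions and — if the condition's opening, outside this hunk, tests `!in_critical` as the following `else if (in_critical && ...)` branch suggests — only matches in the extensions section. A certificate carrying no-touch-required would then fall through to the unknown-option path when listed. Suggest matching it in the critical branch instead, e.g. `} else if (in_critical && strcmp(name, "no-touch-required") == 0) {` followed by `printf("\n");` ahead of the force-command/source-address branch, and checking the output of `ssh-keygen -L` on a certificate signed with `-O no-touch-required`. show_options starts and ends outside the hunk.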
@@ -670,6 +677,8 @@ restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== user@example.net restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== user@example.net +no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko== +user@example.net .Ed .Sh SSH_KNOWN_HOSTS FILE FORMAT The -- cgit v1.2.3 From daeaf4136927c2a82af1399022103d67ff03f74a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 25 Nov 2019 00:55:58 +0000 Subject: upstream: allow "ssh-keygen -x no-touch-required" when generating a security key keypair to request one that does not require a touch for each authentication attempt. The default remains to require touch. feedback deraadt; ok markus@ OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd --- ssh-keygen.1 | 11 ++++++++++- ssh-keygen.c | 28 +++++++++++++++------------- 2 files changed, 25 insertions(+), 14 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 06aead348..837238e4e 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.178 2019/11/25 00:55:58 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -679,6 +679,15 @@ internal support for USB HID keys. .It Fl x Ar flags Specifies the security key flags to use when enrolling a security key-hosted key. +Flags may be specified by name or directly as a hexadecimal value. +Only one named flag is supported at present: +.Cm no-touch-required , +which indicates that the generated private key should not require touch +events (user presence) when making signatures. +Note that +.Xr sshd 8 +will refuse such signatures by default, unless overridden via +an authorized_keys option. .It Fl y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. diff --git a/ssh-keygen.c b/ssh-keygen.c index 16d196fc8..e939c5b57 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.372 2019/11/25 00:55:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2810,6 +2810,7 @@ main(int argc, char **argv) unsigned long long ull, cert_serial = 0; char *identity_comment = NULL, *ca_key_path = NULL; u_int32_t bits = 0; + uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; FILE *f; const char *errstr; int log_level = SYSLOG_LEVEL_INFO; @@ -2822,9 +2823,6 @@ main(int argc, char **argv) unsigned long start_lineno = 0, lines_to_process = 0; BIGNUM *start = NULL; #endif -#ifdef ENABLE_SK - uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; -#endif extern int optind; extern char *optarg; @@ -3015,15 +3013,19 @@ main(int argc, char **argv) case 'x': if (*optarg == '\0') fatal("Missing security key flags"); - ull = strtoull(optarg, &ep, 0); - if (*ep != '\0') - fatal("Security key flags \"%s\" is not a " - "number", optarg); - if (ull > 0xff) - fatal("Invalid security key flags 0x%llx", ull); -#ifdef ENABLE_SK - sk_flags = (uint8_t)ull; -#endif + if (strcasecmp(optarg, "no-touch-required") == 0) + sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; + else { + ull = strtoull(optarg, &ep, 0); + if (*ep != '\0') + fatal("Security key flags \"%s\" is " + "not a number", optarg); + if (ull > 0xff) { + fatal("Invalid security key " + "flags 0x%llx", ull); + } + sk_flags = (uint8_t)ull; + } break; case 'z': errno = 0; -- cgit v1.2.3 From 483cc723d1ff3b7fdafc6239348040a608ebc78d Mon Sep 17 00:00:00 2001 
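Review bot: In the rewritten `case 'x'`, the named form adjusts the accumulated flags (`sk_flags &= ~SSH_SK_USER_PRESENCE_REQD`) while the numeric form replaces them (`sk_flags = (uint8_t)ull`), so repeated `-x` options compose differently depending on spelling, and `-x 0` yields a key without the user-presence requirement without the user ever naming it. Suggest a comment documenting the asymmetry, `/* named flags modify the default flag set; a numeric value replaces it */`, or a warning when the final flags no longer include SSH_SK_USER_PRESENCE_REQD, since the ssh-keygen.1 hunk presents the hexadecimal form merely as an alternative spelling. The `sk_flags` declaration also moved out of `#ifdef ENABLE_SK`, so SSH_SK_USER_PRESENCE_REQD must now be defined in non-SK builds — presumably it is, but worth confirming. main starts and ends outside the hunk.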
From: "jmc@openbsd.org" Date: Sat, 30 Nov 2019 07:07:59 +0000 Subject: upstream: tweak the Nd lines for a bit of consistency; ok markus OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16 --- scp.1 | 6 +++--- sftp-server.8 | 6 +++--- sftp.1 | 6 +++--- ssh-add.1 | 6 +++--- ssh-agent.1 | 6 +++--- ssh-keygen.1 | 6 +++--- ssh-keyscan.1 | 6 +++--- ssh-keysign.8 | 6 +++--- ssh-pkcs11-helper.8 | 6 +++--- ssh-sk-helper.8 | 6 +++--- ssh.1 | 6 +++--- ssh_config.5 | 6 +++--- sshd.8 | 6 +++--- sshd_config.5 | 6 +++--- 14 files changed, 42 insertions(+), 42 deletions(-) (limited to 'ssh-keygen.1') diff --git a/scp.1 b/scp.1 index dee7fcead..9c3a85366 100644 --- a/scp.1 +++ b/scp.1 @@ -8,14 +8,14 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.86 2019/06/12 11:31:50 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.87 2019/11/30 07:07:59 jmc Exp $ .\" -.Dd $Mdocdate: June 12 2019 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SCP 1 .Os .Sh NAME .Nm scp -.Nd secure copy (remote file copy program) +.Nd OpenSSH secure file copy .Sh SYNOPSIS .Nm scp .Op Fl 346BCpqrTv diff --git a/sftp-server.8 b/sftp-server.8 index c117398e8..4a55dab26 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.27 2014/12/11 04:16:14 djm Exp $ +.\" $OpenBSD: sftp-server.8,v 1.28 2019/11/30 07:07:59 jmc Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,12 +22,12 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2014 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SFTP-SERVER 8 .Os .Sh NAME .Nm sftp-server -.Nd SFTP server subsystem +.Nd OpenSSH SFTP server subsystem .Sh SYNOPSIS .Nm sftp-server .Bk -words diff --git a/sftp.1 b/sftp.1 index a52c1cff3..6d69472e1 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.127 2019/06/19 20:12:44 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.128 2019/11/30 07:07:59 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,12 +22,12 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 19 2019 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SFTP 1 .Os .Sh NAME .Nm sftp -.Nd secure file transfer program +.Nd OpenSSH secure file transfer .Sh SYNOPSIS .Nm sftp .Op Fl 46aCfpqrv diff --git a/ssh-add.1 b/ssh-add.1 index 432c4c78b..1832ae66d 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.75 2019/11/18 23:16:49 naddy Exp $ +.\" $OpenBSD: ssh-add.1,v 1.76 2019/11/30 07:07:59 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,12 +35,12 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 18 2019 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH-ADD 1 .Os .Sh NAME .Nm ssh-add -.Nd adds private key identities to the authentication agent +.Nd adds private key identities to the OpenSSH authentication agent .Sh SYNOPSIS .Nm ssh-add .Op Fl cDdkLlqvXx diff --git a/ssh-agent.1 b/ssh-agent.1 index 2a1268af7..a3f63467c 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.68 2019/11/28 12:23:25 jmc Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.69 2019/11/30 07:07:59 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -34,12 +34,12 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 28 2019 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH-AGENT 1 .Os .Sh NAME .Nm ssh-agent -.Nd authentication agent +.Nd OpenSSH authentication agent .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 837238e4e..1b77bdf6d 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.178 2019/11/25 00:55:58 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.179 2019/11/30 07:07:59 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,12 +35,12 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 25 2019 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME .Nm ssh-keygen -.Nd authentication key generation, management and conversion +.Nd OpenSSH authentication key utility .Sh SYNOPSIS .Nm ssh-keygen .Op Fl q diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index f3d7a4078..f9df75d42 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.44 2018/03/05 07:03:18 jmc Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.45 2019/11/30 07:07:59 jmc Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -6,12 +6,12 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: March 5 2018 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME .Nm ssh-keyscan -.Nd gather SSH public keys +.Nd gather SSH public keys from servers .Sh SYNOPSIS .Nm ssh-keyscan .Op Fl 46cDHv diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 19b0dbc53..73b62397c 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.15 2016/02/17 07:38:19 jmc Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.16 2019/11/30 07:07:59 jmc Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -22,12 +22,12 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 17 2016 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH-KEYSIGN 8 .Os .Sh NAME .Nm ssh-keysign -.Nd ssh helper program for host-based authentication +.Nd OpenSSH helper for host-based authentication .Sh SYNOPSIS .Nm .Sh DESCRIPTION diff --git a/ssh-pkcs11-helper.8 b/ssh-pkcs11-helper.8 index ba5c30fa0..6a592b1f3 100644 --- a/ssh-pkcs11-helper.8 +++ b/ssh-pkcs11-helper.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.5 2019/01/21 12:53:35 djm Exp $ +.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.6 2019/11/30 07:07:59 jmc Exp $ .\" .\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" @@ -14,12 +14,12 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 21 2019 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH-PKCS11-HELPER 8 .Os .Sh NAME .Nm ssh-pkcs11-helper -.Nd ssh-agent helper program for PKCS#11 support +.Nd OpenSSH helper for PKCS#11 support .Sh SYNOPSIS .Nm .Op Fl v diff --git a/ssh-sk-helper.8 b/ssh-sk-helper.8 index 9248badc9..9a518fba9 100644 --- a/ssh-sk-helper.8 +++ b/ssh-sk-helper.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-sk-helper.8,v 1.1 2019/11/07 08:38:38 naddy Exp $ +.\" $OpenBSD: ssh-sk-helper.8,v 1.2 2019/11/30 07:07:59 jmc Exp $ .\" .\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" 
@@ -14,12 +14,12 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 7 2019 $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH-SK-HELPER 8 .Os .Sh NAME .Nm ssh-sk-helper -.Nd ssh-agent helper program for security key support +.Nd OpenSSH helper for security key support .Sh SYNOPSIS .Nm .Op Fl v diff --git a/ssh.1 b/ssh.1 index b96298ebd..8b4b79e19 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,13 +33,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.407 2019/11/28 12:24:31 jmc Exp $ -.Dd $Mdocdate: November 28 2019 $ +.\" $OpenBSD: ssh.1,v 1.408 2019/11/30 07:07:59 jmc Exp $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH 1 .Os .Sh NAME .Nm ssh -.Nd OpenSSH SSH client (remote login program) +.Nd OpenSSH remote login client .Sh SYNOPSIS .Nm ssh .Op Fl 46AaCfGgKkMNnqsTtVvXxYy diff --git a/ssh_config.5 b/ssh_config.5 index f0c242a24..93029031a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,13 +33,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.309 2019/11/18 23:17:48 naddy Exp $ -.Dd $Mdocdate: November 18 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.310 2019/11/30 07:07:59 jmc Exp $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME .Nm ssh_config -.Nd OpenSSH SSH client configuration files +.Nd OpenSSH client configuration file .Sh DESCRIPTION .Xr ssh 1 obtains configuration data from the following sources in diff --git a/sshd.8 b/sshd.8 index b32da282f..681f65714 100644 --- a/sshd.8 +++ b/sshd.8 
@@ -33,13 +33,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.307 2019/11/25 00:54:23 djm Exp $ -.Dd $Mdocdate: November 25 2019 $ +.\" $OpenBSD: sshd.8,v 1.308 2019/11/30 07:07:59 jmc Exp $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSHD 8 .Os .Sh NAME .Nm sshd -.Nd OpenSSH SSH daemon +.Nd OpenSSH daemon .Sh SYNOPSIS .Nm sshd .Bk -words diff --git a/sshd_config.5 b/sshd_config.5 index b896e73f9..8bfb3b6c8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,13 +33,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.294 2019/11/26 22:42:26 jmc Exp $ -.Dd $Mdocdate: November 26 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.295 2019/11/30 07:07:59 jmc Exp $ +.Dd $Mdocdate: November 30 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME .Nm sshd_config -.Nd OpenSSH SSH daemon configuration file +.Nd OpenSSH daemon configuration file .Sh DESCRIPTION .Xr sshd 8 reads configuration data from -- cgit v1.2.3 From 141df487ba699cfd1ec3dcd98186e7c956e99024 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Sat, 21 Dec 2019 20:22:34 +0000 Subject: upstream: Replace the term "security key" with "(FIDO) authenticator". The polysemous use of "key" was too confusing. Input from markus@. ok jmc@ OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f --- ssh-add.1 | 21 ++++++++------------- ssh-agent.1 | 8 ++++---- ssh-keygen.1 | 25 ++++++++++++------------- ssh-sk-helper.8 | 8 ++++---- ssh.1 | 12 ++++++------ ssh_config.5 | 12 ++++++------ sshd.8 | 6 +++--- sshd_config.5 | 18 +++++++++--------- 8 files changed, 52 insertions(+), 58 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-add.1 b/ssh-add.1 index 1832ae66d..45af7357a 100644 --- a/ssh-add.1 +++ b/ssh-add.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.76 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.77 2019/12/21 20:22:34 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -135,8 +135,8 @@ Lists fingerprints of all identities currently represented by the agent. .It Fl q Be quiet after a successful operation. .It Fl S Ar provider -Specifies a path to a security key provider library that will be used when -adding any security key-hosted keys, overriding the default of using the +Specifies a path to a library that will be used when adding +FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. .It Fl s Ar pkcs11 Add keys provided by the PKCS#11 shared library 
@@ -197,23 +197,18 @@ Identifies the path of a .Ux Ns -domain socket used to communicate with the agent. .It Ev SSH_SK_PROVIDER -Specifies the path to a security key provider library used to interact with -hardware security keys. +Specifies the path to a library used to interact with FIDO authenticators. .El .Sh FILES -.Bl -tag -width Ds +.Bl -tag -width Ds -compact .It Pa ~/.ssh/id_dsa -Contains the DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa -Contains the ECDSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa_sk -Contains the security key-hosted ECDSA authentication identity of the user. .It Pa ~/.ssh/id_ed25519 -Contains the Ed25519 authentication identity of the user. .It Pa ~/.ssh/id_ed25519_sk -Contains the security key-hosted Ed25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa -Contains the RSA authentication identity of the user. +Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, +authenticator-hosted Ed25519 or RSA authentication identity of the user. .El .Pp Identity files should not be readable by anyone but the user. diff --git a/ssh-agent.1 b/ssh-agent.1 index a3f63467c..fff0db6bc 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.69 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.70 2019/12/21 20:22:34 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-AGENT 1 .Os .Sh NAME 
@@ -98,8 +98,8 @@ Kill the current agent (given by the .Ev SSH_AGENT_PID environment variable). .It Fl P Ar provider_whitelist -Specify a pattern-list of acceptable paths for PKCS#11 and security key shared -libraries that may be used with the +Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator +shared libraries that may be used with the .Fl S or .Fl s diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1b77bdf6d..e48597388 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.179 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.180 2019/12/21 20:22:34 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -537,7 +537,7 @@ Allows X11 forwarding. .It Ic no-touch-required Do not require signatures made using this key require demonstration of user presence (e.g. by having the user touch the key). -This option only makes sense for the Security Key algorithms +This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk and .Cm ed25519-sk . 
@@ -673,11 +673,11 @@ The maximum is 3. .It Fl W Ar generator Specify desired generator when testing candidate moduli for DH-GEX. .It Fl w Ar provider -Specifies a path to a security key provider library that will be used when -creating any security key-hosted keys, overriding the default of the -internal support for USB HID keys. +Specifies a path to a library that will be used when creating +FIDO authenticator-hosted keys, overriding the default of using +the internal USB HID support. .It Fl x Ar flags -Specifies the security key flags to use when enrolling a security key-hosted +Specifies the authenticator flags to use when enrolling an authenticator-hosted key. Flags may be specified by name or directly as a hexadecimal value. Only one named flag is supported at present: @@ -1053,8 +1053,7 @@ user2@example.com namespaces="file" ssh-ed25519 AAA41... .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev SSH_SK_PROVIDER -Specifies the path to a security key provider library used to interact with -hardware security keys. +Specifies the path to a library used to interact with FIDO authenticators. .El .Sh FILES .Bl -tag -width Ds -compact @@ -1064,8 +1063,8 @@ hardware security keys. .It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_ed25519_sk .It Pa ~/.ssh/id_rsa -Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, -security key-hosted Ed25519 or RSA authentication identity of the user. +Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, +authenticator-hosted Ed25519 or RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be 
@@ -1082,8 +1081,8 @@ will read this file when a login attempt is made. .It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_ed25519_sk.pub .It Pa ~/.ssh/id_rsa.pub -Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, -security key-hosted Ed25519 or RSA public key for authentication. +Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, +authenticator-hosted Ed25519 or RSA public key for authentication. The contents of this file should be added to .Pa ~/.ssh/authorized_keys on all machines diff --git a/ssh-sk-helper.8 b/ssh-sk-helper.8 index 9a518fba9..3c53da1ec 100644 --- a/ssh-sk-helper.8 +++ b/ssh-sk-helper.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-sk-helper.8,v 1.2 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-sk-helper.8,v 1.3 2019/12/21 20:22:34 naddy Exp $ .\" .\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" @@ -14,12 +14,12 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-SK-HELPER 8 .Os .Sh NAME .Nm ssh-sk-helper -.Nd OpenSSH helper for security key support +.Nd OpenSSH helper for FIDO authenticator support .Sh SYNOPSIS .Nm .Op Fl v @@ -27,7 +27,7 @@ .Nm is used by .Xr ssh-agent 1 -to access keys provided by a security key. +to access keys provided by a FIDO authenticator. .Pp .Nm is not intended to be invoked by the user, but from diff --git a/ssh.1 b/ssh.1 index 8b4b79e19..971337520 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.408 2019/11/30 07:07:59 jmc Exp $ -.Dd $Mdocdate: November 30 2019 $ +.\" $OpenBSD: ssh.1,v 1.409 2019/12/21 20:22:34 naddy Exp $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH 1 .Os .Sh NAME 
@@ -903,11 +903,11 @@ This stores the private key in .Pa ~/.ssh/id_ecdsa (ECDSA), .Pa ~/.ssh/id_ecdsa_sk -(security key-hosted ECDSA), +(authenticator-hosted ECDSA), .Pa ~/.ssh/id_ed25519 (Ed25519), .Pa ~/.ssh/id_ed25519_sk -(security key-hosted Ed25519), +(authenticator-hosted Ed25519), or .Pa ~/.ssh/id_rsa (RSA) @@ -917,11 +917,11 @@ and stores the public key in .Pa ~/.ssh/id_ecdsa.pub (ECDSA), .Pa ~/.ssh/id_ecdsa_sk.pub -(security key-hosted ECDSA), +(authenticator-hosted ECDSA), .Pa ~/.ssh/id_ed25519.pub (Ed25519), .Pa ~/.ssh/id_ed25519_sk.pub -(security key-hosted Ed25519), +(authenticator-hosted Ed25519), or .Pa ~/.ssh/id_rsa.pub (RSA) diff --git a/ssh_config.5 b/ssh_config.5 index 186e07617..d3d45b53a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.312 2019/12/21 02:19:13 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.313 2019/12/21 20:22:34 naddy Exp $ .Dd $Mdocdate: December 21 2019 $ .Dt SSH_CONFIG 5 .Os @@ -936,8 +936,8 @@ or the tokens described in the .Sx TOKENS section. .It Cm IdentityFile -Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA, -Ed25519 or RSA authentication identity is read. +Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA, +Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read. The default is .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , 
@@ -1462,9 +1462,9 @@ an OpenSSH Key Revocation List (KRL) as generated by For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm SecurityKeyProvider -Specifies a path to a security key provider library that will be used when -loading any security key-hosted keys, overriding the default of using -the built-in support for USB HID keys. +Specifies a path to a library that will be used when loading any +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. .Pp If the specified value begins with a .Sq $ diff --git a/sshd.8 b/sshd.8 index dc11a0d00..b7042cb5e 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.310 2019/12/19 03:50:01 dtucker Exp $ -.Dd $Mdocdate: December 19 2019 $ +.\" $OpenBSD: sshd.8,v 1.311 2019/12/21 20:22:34 naddy Exp $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSHD 8 .Os .Sh NAME @@ -627,7 +627,7 @@ option. .It Cm no-touch-required Do not require demonstration of user presence for signatures made using this key. -This option only makes sense for the Security Key algorithms +This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk and .Cm ed25519-sk . diff --git a/sshd_config.5 b/sshd_config.5 index 222193170..76ec69baf 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $ -.Dd $Mdocdate: December 19 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.297 2019/12/21 20:22:34 naddy Exp $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -1462,20 +1462,20 @@ and .Pp The .Cm touch-required -option causes public key authentication using a security key algorithm +option causes public key authentication using a FIDO authenticator algorithm (i.e.\& .Cm ecdsa-sk or .Cm ed25519-sk ) to always require the signature to attest that a physically present user -explicitly confirmed the authentication (usually by touching the security key). +explicitly confirmed the authentication (usually by touching the authenticator). By default, .Xr sshd 8 -requires key touch unless overridden with an authorized_keys option. +requires user presence unless overridden with an authorized_keys option. The .Cm touch-required flag disables this override. -This option has no effect for other, non-security key, public key types. +This option has no effect for other, non-authenticator public key types. .It Cm PubkeyAuthentication Specifies whether public key authentication is allowed. The default is @@ -1527,9 +1527,9 @@ If the routing domain is set to .Cm \&%D , then the domain in which the incoming connection was received will be applied. .It Cm SecurityKeyProvider -Specifies a path to a security key provider library that will be used when -loading any security key-hosted keys, overriding the default of using -the built-in support for USB HID keys. +Specifies a path to a library that will be used when loading +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. .It Cm SetEnv Specifies one or more environment variables to set in child sessions started by -- cgit v1.2.3 From 5b6c954751dd3677466cda7adb92e4f05446c96c Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Fri, 27 Dec 2019 08:25:07 +0000 Subject: upstream: in the options list, sort -Y and -y; OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa --- ssh-keygen.1 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'ssh-keygen.1') 
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index e48597388..8d62bc72e 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.180 2019/12/21 20:22:34 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.181 2019/12/27 08:25:07 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 21 2019 $ +.Dd $Mdocdate: December 27 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -688,9 +688,6 @@ Note that .Xr sshd 8 will refuse such signatures by default, unless overridden via an authorized_keys option. -.It Fl y -This option will read a private -OpenSSH format file and print an OpenSSH public key to stdout. .It Fl Y Cm sign Cryptographically sign a file or some data using a SSH key. When signing, @@ -763,6 +760,9 @@ flag. Successful testing of the signature is signalled by .Nm returning a zero exit status. +.It Fl y +This option will read a private +OpenSSH format file and print an OpenSSH public key to stdout. .It Fl z Ar serial_number Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. -- cgit v1.2.3 From 20ccd854245c598e2b47cc9f8d4955d645195055 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Fri, 27 Dec 2019 08:28:44 +0000 Subject: upstream: sort -Y internally in the options list, as is already done in synopsis; OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274 --- ssh-keygen.1 | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 8d62bc72e..038e2c578 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.181 2019/12/27 08:25:07 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -688,6 +688,22 @@ Note that .Xr sshd 8 will refuse such signatures by default, unless overridden via an authorized_keys option. +.It Fl Y Cm check-novalidate +Checks that a signature generated using +.Nm +.Fl Y Cm sign +has a valid structure. +This does not validate if a signature comes from an authorized signer. +When testing a signature, +.Nm +accepts a message on standard input and a signature namespace using +.Fl n . +A file containing the corresponding signature must also be supplied using the +.Fl s +flag. +Successful testing of the signature is signalled by +.Nm +returning a zero exit status. .It Fl Y Cm sign Cryptographically sign a file or some data using a SSH key. When signing, @@ -744,22 +760,6 @@ The revocation file may be a KRL or a one-per-line list of public keys. Successful verification by an authorized signer is signalled by .Nm returning a zero exit status. -.It Fl Y Cm check-novalidate -Checks that a signature generated using -.Nm -.Fl Y Cm sign -has a valid structure. -This does not validate if a signature comes from an authorized signer. -When testing a signature, -.Nm -accepts a message on standard input and a signature namespace using -.Fl n . -A file containing the corresponding signature must also be supplied using the -.Fl s -flag. -Successful testing of the signature is signalled by -.Nm -returning a zero exit status. .It Fl y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. -- cgit v1.2.3 From 1e645fe767f27725dc7fd7864526de34683f7daf Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Mon, 30 Dec 2019 03:28:41 +0000 Subject: upstream: prepare for use of ssh-keygen -O flag beyond certs Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@ OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106 --- ssh-keygen.1 | 188 +++++++++++++++++++++++++++++------------------------------ ssh-keygen.c | 11 +++- 2 files changed, 101 insertions(+), 98 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 038e2c578..67a57b9f7 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 27 2019 $ +.Dd $Mdocdate: December 30 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -458,97 +458,10 @@ Please see the section for details. .It Fl O Ar option Specify a certificate option when signing a key. -This option may be specified multiple times. -See also the +See the .Sx CERTIFICATES -section for further details. -.Pp -At present, no standard options are valid for host keys. -The options that are valid for user certificates are: -.Pp -.Bl -tag -width Ds -compact -.It Ic clear -Clear all enabled permissions. -This is useful for clearing the default set of permissions so permissions may -be added individually. -.Pp -.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents -.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate critical option or extension. -The specified -.Ar name -should include a domain suffix, e.g.\& -.Dq name@example.com . -If -.Ar contents -is specified then it is included as the contents of the extension/option -encoded as a string, otherwise the extension/option is created with no -contents (usually indicating a flag). -Extensions may be ignored by a client or server that does not recognise them, -whereas unknown critical options will cause the certificate to be refused. -.Pp -.It Ic force-command Ns = Ns Ar command -Forces the execution of -.Ar command -instead of any shell or command specified by the user when -the certificate is used for authentication. -.Pp -.It Ic no-agent-forwarding -Disable -.Xr ssh-agent 1 -forwarding (permitted by default). -.Pp -.It Ic no-port-forwarding -Disable port forwarding (permitted by default). -.Pp -.It Ic no-pty -Disable PTY allocation (permitted by default). -.Pp -.It Ic no-user-rc -Disable execution of -.Pa ~/.ssh/rc -by -.Xr sshd 8 -(permitted by default). -.Pp -.It Ic no-x11-forwarding -Disable X11 forwarding (permitted by default). -.Pp -.It Ic permit-agent-forwarding -Allows -.Xr ssh-agent 1 -forwarding. -.Pp -.It Ic permit-port-forwarding -Allows port forwarding. -.Pp -.It Ic permit-pty -Allows PTY allocation. 
-.Pp -.It Ic permit-user-rc -Allows execution of -.Pa ~/.ssh/rc -by -.Xr sshd 8 . -.Pp -.It Ic permit-X11-forwarding -Allows X11 forwarding. -.Pp -.It Ic no-touch-required -Do not require signatures made using this key require demonstration -of user presence (e.g. by having the user touch the key). -This option only makes sense for the FIDO authenticator algorithms -.Cm ecdsa-sk -and -.Cm ed25519-sk . -.Pp -.It Ic source-address Ns = Ns Ar address_list -Restrict the source addresses from which the certificate is considered valid. -The -.Ar address_list -is a comma-separated list of one or more address/netmask pairs in CIDR -format. -.El +section for a list of available certificate options. +This option may be specified multiple times. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p 
@@ -899,9 +812,94 @@ be specified through certificate options. A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command. -For a list of valid certificate options, see the documentation for the -.Fl O -option above. +.Pp +The options that are valid for user certificates are: +.Pp +.Bl -tag -width Ds -compact +.It Ic clear +Clear all enabled permissions. +This is useful for clearing the default set of permissions so permissions may +be added individually. +.Pp +.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents +.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents +Includes an arbitrary certificate critical option or extension. +The specified +.Ar name +should include a domain suffix, e.g.\& +.Dq name@example.com . +If +.Ar contents +is specified then it is included as the contents of the extension/option +encoded as a string, otherwise the extension/option is created with no +contents (usually indicating a flag). +Extensions may be ignored by a client or server that does not recognise them, +whereas unknown critical options will cause the certificate to be refused. +.Pp +.It Ic force-command Ns = Ns Ar command +Forces the execution of +.Ar command +instead of any shell or command specified by the user when +the certificate is used for authentication. +.Pp +.It Ic no-agent-forwarding +Disable +.Xr ssh-agent 1 +forwarding (permitted by default). +.Pp +.It Ic no-port-forwarding +Disable port forwarding (permitted by default). +.Pp +.It Ic no-pty +Disable PTY allocation (permitted by default). +.Pp +.It Ic no-user-rc +Disable execution of +.Pa ~/.ssh/rc +by +.Xr sshd 8 +(permitted by default). +.Pp +.It Ic no-x11-forwarding +Disable X11 forwarding (permitted by default). +.Pp +.It Ic permit-agent-forwarding +Allows +.Xr ssh-agent 1 +forwarding. +.Pp +.It Ic permit-port-forwarding +Allows port forwarding. +.Pp +.It Ic permit-pty +Allows PTY allocation. 
+.Pp +.It Ic permit-user-rc +Allows execution of +.Pa ~/.ssh/rc +by +.Xr sshd 8 . +.Pp +.It Ic permit-X11-forwarding +Allows X11 forwarding. +.Pp +.It Ic no-touch-required +Do not require signatures made using this key require demonstration +of user presence (e.g. by having the user touch the key). +This option only makes sense for the Security Key algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . +.Pp +.It Ic source-address Ns = Ns Ar address_list +Restrict the source addresses from which the certificate is considered valid. +The +.Ar address_list +is a comma-separated list of one or more address/netmask pairs in CIDR +format. +.El +.Pp +At present, no standard options are valid for host keys. .Pp Finally, certificates may be defined with a validity lifetime. The diff --git a/ssh-keygen.c b/ssh-keygen.c index 24e246c0b..43f2e1e82 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.375 2019/12/30 03:28:41 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2820,7 +2820,8 @@ main(int argc, char **argv) int prefer_agent = 0, convert_to = 0, convert_from = 0; int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; unsigned long long ull, cert_serial = 0; - char *identity_comment = NULL, *ca_key_path = NULL; + char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; + size_t i, nopts = 0; u_int32_t bits = 0; uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; FILE *f; @@ -2950,7 +2951,9 @@ main(int argc, char **argv) check_krl = 1; break; case 'O': - add_cert_option(optarg); + opts = xrecallocarray(opts, nopts, nopts + 1, + sizeof(*opts)); + opts[nopts++] = xstrdup(optarg); break; case 'Z': openssh_format_cipher = optarg; 
@@ -3184,6 +3187,8 @@ main(int argc, char **argv) if (ca_key_path != NULL) { if (cert_key_id == NULL) fatal("Must specify key id (-I) when certifying"); + for (i = 0; i < nopts; i++) + add_cert_option(opts[i]); do_ca_sign(pw, ca_key_path, prefer_agent, cert_serial, cert_serial_autoinc, argc, argv); } -- cgit v1.2.3 From 3e60d18fba1b502c21d64fc7e81d80bcd08a2092 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 30 Dec 2019 03:30:09 +0000 Subject: upstream: remove single-letter flags for moduli options Move all moduli generation options to live under the -O flag. Frees up seven single-letter flags. NB. this change break existing ssh-keygen commandline syntax for moduli- related operations. Very few people use these fortunately. feedback and ok markus@ OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935 --- ssh-keygen.1 | 142 +++++++++++++++++++--------------- ssh-keygen.c | 249 +++++++++++++++++++++++++++++++++++------------------------ 2 files changed, 228 insertions(+), 163 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 67a57b9f7..9afb92943 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -99,20 +99,14 @@ .Op Fl g .Op Fl f Ar input_keyfile .Nm ssh-keygen -.Fl G Ar output_file -.Op Fl v -.Op Fl b Ar bits -.Op Fl M Ar memory -.Op Fl S Ar start_point +.Fl M Cm generate +.Op Fl O Ar option +.Ar .Nm ssh-keygen +.Fl M Cm screen .Fl f Ar input_file -.Fl T Ar output_file -.Op Fl v -.Op Fl a Ar rounds -.Op Fl J Ar num_lines -.Op Fl j Ar start_line -.Op Fl K Ar checkpt -.Op Fl W Ar generator +.Op Fl O Ar option +.Ar .Nm ssh-keygen .Fl I Ar certificate_identity .Fl s Ar ca_key 
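Review bot: Deferring `add_cert_option()` to the `ca_key_path != NULL` branch means that `-O` values given in any other mode are now collected and then dropped without a diagnostic, whereas before this change an unknown or malformed option was rejected as soon as it was parsed. Until other modes actually consume `opts` (the commit message says that is the plan), a guard next to this branch such as `if (nopts > 0 && ca_key_path == NULL) fatal("-O option(s) given but no certificate is being signed");` would keep the existing fail-closed behaviour. The rest of `main()`, including whatever follows the CA branch, lies outside the hunk.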
@@ -268,11 +262,6 @@ When saving a private key, this option specifies the number of KDF (key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). -.Pp -When screening DH-GEX candidates (using the -.Fl T -command), -this option specifies the number of primality tests to perform. .It Fl B Show the bubblebabble digest of specified private or public key file. .It Fl b Ar bits @@ -333,12 +322,6 @@ used in conjunction with the option to print found keys in a hashed format. .It Fl f Ar filename Specifies the filename of the key file. -.It Fl G Ar output_file -Generate candidate primes for DH-GEX. -These primes must be screened for -safety (using the -.Fl T -option) before use. .It Fl g Use generic DNS format when printing fingerprint resource records using the .Fl r @@ -379,24 +362,6 @@ This option allows importing keys from other software, including several commercial SSH implementations. The default import format is .Dq RFC4716 . -.It Fl J Ar num_lines -Exit after screening the specified number of lines -while performing DH candidate screening using the -.Fl T -option. -.It Fl j Ar start_line -Start screening at the specified line number -while performing DH candidate screening using the -.Fl T -option. -.It Fl K Ar checkpt -Write the last line processed to the file -.Ar checkpt -while performing DH candidate screening using the -.Fl T -option. -This will be used to skip lines in the input file that have already been -processed if the job is restarted. .It Fl k Generate a KRL file. In this mode, 
@@ -419,9 +384,26 @@ If combined with .Fl v , a visual ASCII art representation of the key is supplied with the fingerprint. -.It Fl M Ar memory -Specify the amount of memory to use (in megabytes) when generating -candidate moduli for DH-GEX. +.It Fl M Cm generate +Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for +eventual use by the +.Sq diffie-hellman-group-exchange-* +key exchange methods. +The numbers generated by this operation must be further screened before +use. +See the +.Sx MODULI GENERATION +section for more information. +.It Fl M Cm screen +Screen candidate parameters for Diffie-Hellman Group Exchange. +This will accept a list of candidate numbers and test that they are +safe (Sophie Germain) primes with acceptable group generators. +The results of this operation may be added to the +.Pa /etc/moduli +file. +See the +.Sx MODULI GENERATION +section for more information. .It Fl m Ar key_format Specify a key format for key generation, the .Fl i @@ -457,10 +439,20 @@ Please see the .Sx CERTIFICATES section for details. .It Fl O Ar option -Specify a certificate option when signing a key. -See the +Specify a key/value option. +These are specific to the operation that +.Nm +has been requested to perform. +.Pp +When signing certificates, one of the options listed in the .Sx CERTIFICATES -section for a list of available certificate options. +section may be specified here. +.Pp +When performing moduli generation or screening, one of the options +listed in the +.Sx MODULI GENERATION +section may be specified. +.Pp This option may be specified multiple times. .It Fl P Ar passphrase Provides the (old) passphrase. @@ -489,8 +481,6 @@ option above). Print the SSHFP fingerprint resource record named .Ar hostname for the specified public key file. -.It Fl S Ar start -Specify start point (in hex) when generating candidate moduli for DH-GEX. .It Fl s Ar ca_key Certify (sign) a public key using the specified CA key. Please see the 
@@ -504,10 +494,6 @@ by key ID or serial number. See the .Sx KEY REVOCATION LISTS section for details. -.It Fl T Ar output_file -Test DH group exchange candidate primes (generated using the -.Fl G -option) for safety. .It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa Specifies the type of key to create. The possible values are @@ -583,8 +569,6 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. -.It Fl W Ar generator -Specify desired generator when testing candidate moduli for DH-GEX. .It Fl w Ar provider Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using @@ -701,25 +685,25 @@ These candidate primes are then tested for suitability (a CPU-intensive process). .Pp Generation of primes is performed using the -.Fl G +.Fl M Cm generate option. The desired length of the primes may be specified by the -.Fl b +.Fl O Cm bits option. For example: .Pp -.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 +.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates .Pp By default, the search for primes begins at a random point in the desired length range. This may be overridden using the -.Fl S +.Fl O Cm start option, which specifies a different start point (in hex). .Pp Once a set of candidates have been generated, they must be screened for suitability. This may be performed using the -.Fl T +.Fl M Cm screen option. In this mode .Nm 
@@ -728,16 +712,16 @@ will read candidates from standard input (or a file specified using the option). For example: .Pp -.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates +.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 .Pp By default, each candidate will be subjected to 100 primality tests. This may be overridden using the -.Fl a +.Fl O Cm prime-tests option. The DH generator value will be chosen automatically for the prime under consideration. If a specific generator is desired, it may be requested using the -.Fl W +.Fl O Cm generator option. Valid generator values are 2, 3, and 5. .Pp @@ -745,6 +729,36 @@ Screened DH groups may be installed in .Pa /etc/moduli . It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli. +.Pp +A number of options are available for moduli generation and screening via the +.Fl O +flag: +.Bl -tag -width Ds -compact +.Pp +.It Ic lines Ns = Ns Ar number +Exit after screening the specified number of lines while performing DH +candidate screening. +.Pp +.It Ic start-line Ns = Ns Ar line-number +Start screening at the specified line number while performing DH candidate +screening. +.Pp +.It Ic checkpoint Ns = Ns Ar filename +Write the last line processed to the specified file while performing DH +candidate screening. +This will be used to skip lines in the input file that have already been +processed if the job is restarted. +.Pp +.It Ic memory Ns = Ns Ar mbytes +Specify the amount of memory to use (in megabytes) when generating +candidate moduli for DH-GEX. +.Pp +.It Ic start Ns = Ns Ar hex-value +Specify start point (in hex) when generating candidate moduli for DH-GEX. +.Pp +.It Ic generator Ns = Ns Ar value +Specify desired generator (in decimal) when testing candidate moduli for DH-GEX. +.El .Sh CERTIFICATES .Nm supports signing of keys to produce certificates that may be used for 
diff --git a/ssh-keygen.c b/ssh-keygen.c index 43f2e1e82..447810fb1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.375 2019/12/30 03:28:41 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.376 2019/12/30 03:30:09 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -162,10 +162,7 @@ static int private_key_format = SSHKEY_PRIVATE_OPENSSH; /* Cipher for new-format private keys */ static char *openssh_format_cipher = NULL; -/* - * Number of KDF rounds to derive new format keys / - * number of primality trials when screening moduli. - */ +/* Number of KDF rounds to derive new format keys. */ static int rounds = 0; /* argv0 */ 
@@ -2758,6 +2755,122 @@ done: return ret; } +static void +do_moduli_gen(const char *out_file, char **opts, size_t nopts) +{ +#ifdef WITH_OPENSSL + /* Moduli generation/screening */ + u_int32_t memory = 0; + BIGNUM *start = NULL; + int moduli_bits = 0; + FILE *out; + size_t i; + const char *errstr; + + /* Parse options */ + for (i = 0; i < nopts; i++) { + if (strncmp(opts[i], "memory=", 7) == 0) { + memory = (u_int32_t)strtonum(opts[i]+7, 1, + UINT_MAX, &errstr); + if (errstr) { + fatal("Memory limit is %s: %s", + errstr, opts[i]+7); + } + } else if (strncmp(opts[i], "start=", 6) == 0) { + /* XXX - also compare length against bits */ + if (BN_hex2bn(&start, opts[i]+6) == 0) + fatal("Invalid start point."); + } else if (strncmp(opts[i], "bits=", 5) == 0) { + moduli_bits = (int)strtonum(opts[i]+5, 1, + INT_MAX, &errstr); + if (errstr) { + fatal("Invalid number: %s (%s)", + opts[i]+12, errstr); + } + } else { + fatal("Option \"%s\" is unsupported for moduli " + "generation", opts[i]); + } + } + + if ((out = fopen(out_file, "w")) == NULL) { + fatal("Couldn't open modulus candidate file \"%s\": %s", + out_file, strerror(errno)); + } + setvbuf(out, NULL, _IOLBF, 0); + + if (moduli_bits == 0) + moduli_bits = DEFAULT_BITS; + if (gen_candidates(out, memory, moduli_bits, start) != 0) + fatal("modulus candidate generation failed"); +#else /* WITH_OPENSSL */ + fatal("Moduli generation is not supported"); +#endif /* WITH_OPENSSL */ +} + +static void +do_moduli_screen(const char *out_file, char **opts, size_t nopts) +{ +#ifdef WITH_OPENSSL + /* Moduli generation/screening */ + char *checkpoint = NULL; + u_int32_t generator_wanted = 0; + unsigned long start_lineno = 0, lines_to_process = 0; + int prime_tests = 0; + FILE *out, *in = stdin; + size_t i; + const char *errstr; + + /* Parse options */ + for (i = 0; i < nopts; i++) { + if (strncmp(opts[i], "lines=", 6) == 0) { + lines_to_process = strtoul(opts[i]+6, NULL, 10); + } else if (strncmp(opts[i], "start-line=", 11) == 0) { + 
start_lineno = strtoul(opts[i]+11, NULL, 10); + } else if (strncmp(opts[i], "checkpoint=", 11) == 0) { + checkpoint = xstrdup(opts[i]+11); + } else if (strncmp(opts[i], "generator=", 10) == 0) { + generator_wanted = (u_int32_t)strtonum( + opts[i]+10, 1, UINT_MAX, &errstr); + if (errstr != NULL) { + fatal("Generator invalid: %s (%s)", + opts[i]+10, errstr); + } + } else if (strncmp(opts[i], "prime-tests=", 12) == 0) { + prime_tests = (int)strtonum(opts[i]+12, 1, + INT_MAX, &errstr); + if (errstr) { + fatal("Invalid number: %s (%s)", + opts[i]+12, errstr); + } + } else { + fatal("Option \"%s\" is unsupported for moduli " + "screening", opts[i]); + } + } + + if (have_identity && strcmp(identity_file, "-") != 0) { + if ((in = fopen(identity_file, "r")) == NULL) { + fatal("Couldn't open modulus candidate " + "file \"%s\": %s", identity_file, + strerror(errno)); + } + } + + if ((out = fopen(out_file, "a")) == NULL) { + fatal("Couldn't open moduli file \"%s\": %s", + out_file, strerror(errno)); + } + setvbuf(out, NULL, _IOLBF, 0); + if (prime_test(in, out, prime_tests == 0 ? 100 : prime_tests, + generator_wanted, checkpoint, + start_lineno, lines_to_process) != 0) + fatal("modulus screening failed"); +#else /* WITH_OPENSSL */ + fatal("Moduli screening is not supported"); +#endif /* WITH_OPENSSL */ +} + static void usage(void) { @@ -2783,9 +2896,8 @@ usage(void) " ssh-keygen -R hostname [-f known_hosts_file]\n" " ssh-keygen -r hostname [-g] [-f input_keyfile]\n" #ifdef WITH_OPENSSL - " ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n" - " ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines]\n" - " [-j start_line] [-K checkpt] [-W generator]\n" + " ssh-keygen -M generate [-O option] output\n" + " ssh-keygen -M screen [-f input_file] [-O option] [-a rounds] output_file\n" #endif " ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n" " [-n principals] [-O option] [-V validity_interval]\n" 
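Review bot: In `do_moduli_gen()` the error path of the `bits=` branch prints `opts[i]+12`, but that prefix is only 5 bytes long (`strncmp(opts[i], "bits=", 5)`), so for any argument shorter than 12 characters the `fatal()` format reads past the end of the option string; it appears copy-pasted from the `prime-tests=` branch of `do_moduli_screen()` and should be `fatal("Invalid number: %s (%s)", opts[i]+5, errstr);`. Separately, `lines=` and `start-line=` are parsed with `strtoul(..., NULL, 10)` and no range or trailing-garbage check, so `lines=abc` silently becomes 0, while every other numeric option in these two functions goes through `strtonum()` and fails loudly. The removed `-J`/`-j` cases did the same, so this is carried over rather than new, but since both values are now rewritten here it would be a good moment to use `strtonum()` with an explicit range for them as well.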
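Review bot: The new usage line `" ssh-keygen -M screen [-f input_file] [-O option] [-a rounds] output_file\n"` still advertises `-a rounds` for screening, but `do_moduli_screen()` takes the primality-test count only from `-O prime-tests=` (defaulting to 100), the `rounds` comment in the `-162` hunk now describes it as KDF-only, and the man page change in this commit removes the `-a` screening text. As written, `-a` given together with `-M screen` is accepted and silently ignored. Either drop it from the usage string, `" ssh-keygen -M screen [-f input_file] [-O option] output_file\n"`, or, if command-line compatibility is wanted, fall back to `rounds` inside `do_moduli_screen()` when no `prime-tests=` option was supplied.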
@@ -2819,6 +2931,7 @@ main(int argc, char **argv) int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; int prefer_agent = 0, convert_to = 0, convert_from = 0; int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; + int do_gen_candidates = 0, do_screen_candidates = 0; unsigned long long ull, cert_serial = 0; char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; size_t i, nopts = 0; @@ -2828,14 +2941,6 @@ main(int argc, char **argv) const char *errstr; int log_level = SYSLOG_LEVEL_INFO; char *sign_op = NULL; -#ifdef WITH_OPENSSL - /* Moduli generation/screening */ - char out_file[PATH_MAX], *checkpoint = NULL; - u_int32_t memory = 0, generator_wanted = 0; - int do_gen_candidates = 0, do_screen_candidates = 0; - unsigned long start_lineno = 0, lines_to_process = 0; - BIGNUM *start = NULL; -#endif extern int optind; extern char *optarg; @@ -2860,10 +2965,10 @@ main(int argc, char **argv) sk_provider = getenv("SSH_SK_PROVIDER"); - /* Remaining character: d */ + /* Remaining characters: dGjJKSTW */ while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy" - "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Y:Z:" - "a:b:f:g:j:m:n:r:s:t:w:x:z:")) != -1) { + "C:D:E:F:I:M:N:O:P:R:V:Y:Z:" + "a:b:f:g:m:n:r:s:t:w:x:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; 
@@ -3053,50 +3158,14 @@ main(int argc, char **argv) (errno == ERANGE && cert_serial == ULLONG_MAX)) fatal("Invalid serial number \"%s\"", optarg); break; -#ifdef WITH_OPENSSL - /* Moduli generation/screening */ - case 'G': - do_gen_candidates = 1; - if (strlcpy(out_file, optarg, sizeof(out_file)) >= - sizeof(out_file)) - fatal("Output filename too long"); - break; - case 'J': - lines_to_process = strtoul(optarg, NULL, 10); - break; - case 'j': - start_lineno = strtoul(optarg, NULL, 10); - break; - case 'K': - if (strlen(optarg) >= PATH_MAX) - fatal("Checkpoint filename too long"); - checkpoint = xstrdup(optarg); - break; case 'M': - memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, - &errstr); - if (errstr) - fatal("Memory limit is %s: %s", errstr, optarg); - break; - case 'S': - /* XXX - also compare length against bits */ - if (BN_hex2bn(&start, optarg) == 0) - fatal("Invalid start point."); - break; - case 'T': - do_screen_candidates = 1; - if (strlcpy(out_file, optarg, sizeof(out_file)) >= - sizeof(out_file)) - fatal("Output filename too long"); - break; - case 'W': - generator_wanted = (u_int32_t)strtonum(optarg, 1, - UINT_MAX, &errstr); - if (errstr != NULL) - fatal("Desired generator invalid: %s (%s)", - optarg, errstr); + if (strcmp(optarg, "generate") == 0) + do_gen_candidates = 1; + else if (strcmp(optarg, "screen") == 0) + do_screen_candidates = 1; + else + fatal("Unsupported moduli option %s", optarg); break; -#endif /* WITH_OPENSSL */ case '?': default: usage(); @@ -3163,7 +3232,8 @@ main(int argc, char **argv) error("Too few arguments."); usage(); } - } else if (argc > 0 && !gen_krl && !check_krl) { + } else if (argc > 0 && !gen_krl && !check_krl && + !do_gen_candidates && !do_screen_candidates) { error("Too many arguments."); usage(); } 
@@ -3176,13 +3246,21 @@ main(int argc, char **argv) usage(); } if (gen_krl) { +#ifdef WITH_OPENSSL do_gen_krl(pw, update_krl, ca_key_path, cert_serial, identity_comment, argc, argv); return (0); +#else + fatal("KRL generation not supported"); +#endif } if (check_krl) { +#ifdef WITH_OPENSSL do_check_krl(pw, argc, argv); return (0); +#else + fatal("KRL checking not supported"); +#endif } if (ca_key_path != NULL) { if (cert_key_id == NULL) @@ -3249,47 +3327,20 @@ main(int argc, char **argv) } } -#ifdef WITH_OPENSSL + if (do_gen_candidates || do_screen_candidates) { + if (argc <= 0) + fatal("No output file specified"); + else if (argc > 1) + fatal("Too many output files specified"); + } if (do_gen_candidates) { - FILE *out = fopen(out_file, "w"); - - if (out == NULL) { - error("Couldn't open modulus candidate file \"%s\": %s", - out_file, strerror(errno)); - return (1); - } - if (bits == 0) - bits = DEFAULT_BITS; - if (gen_candidates(out, memory, bits, start) != 0) - fatal("modulus candidate generation failed"); - - return (0); + do_moduli_gen(argv[0], opts, nopts); + return 0; } - if (do_screen_candidates) { - FILE *in; - FILE *out = fopen(out_file, "a"); - - if (have_identity && strcmp(identity_file, "-") != 0) { - if ((in = fopen(identity_file, "r")) == NULL) { - fatal("Couldn't open modulus candidate " - "file \"%s\": %s", identity_file, - strerror(errno)); - } - } else - in = stdin; - - if (out == NULL) { - fatal("Couldn't open moduli file \"%s\": %s", - out_file, strerror(errno)); - } - if (prime_test(in, out, rounds == 0 ? 100 : rounds, - generator_wanted, checkpoint, - start_lineno, lines_to_process) != 0) - fatal("modulus screening failed"); - return (0); + do_moduli_screen(argv[0], opts, nopts); + return 0; } -#endif if (gen_all_hostkeys) { do_gen_all_hostkeys(pw); -- cgit v1.2.3 From 3093d12ff80927cf45da08d9f262a26680fb14ee Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Mon, 30 Dec 2019 09:49:52 +0000 Subject: upstream: Remove the -x option currently used for FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1 --- ssh-keygen.1 | 39 ++++++++++++++++++++++++--------------- ssh-keygen.c | 45 ++++++++++++++++++++++----------------------- 2 files changed, 46 insertions(+), 38 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9afb92943..1f4edace5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -48,10 +48,10 @@ .Op Fl C Ar comment .Op Fl f Ar output_keyfile .Op Fl m Ar format +.Op Fl O Ar option .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa .Op Fl N Ar new_passphrase .Op Fl w Ar provider -.Op Fl x Ar flags .Nm ssh-keygen .Fl p .Op Fl f Ar keyfile 
@@ -453,7 +453,28 @@ listed in the .Sx MODULI GENERATION section may be specified. .Pp -This option may be specified multiple times. +When generating a key that will be hosted on a FIDO authenticator, this +flag may be used to specify key-specific options. +Two FIDO authenticator options are supported at present: +.Pp +.Cm no-touch-required +indicates that the generated private key should not require touch +events (user presence) when making signatures. +Note that +.Xr sshd 8 +will refuse such signatures by default, unless overridden via +an authorized_keys option. +.Pp +.Cm resident +indicates that the key should be stored on the FIDO authenticator itself. +Resident keys may be supported on FIDO2 tokens and typically require that +a PIN be set on the token prior to generation. +Resident keys may be loaded off the token using +.Xr ssh-add 1 . +.Pp +The +.Fl O +option may be specified multiple times. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p @@ -573,18 +594,6 @@ The maximum is 3. Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. -.It Fl x Ar flags -Specifies the authenticator flags to use when enrolling an authenticator-hosted -key. -Flags may be specified by name or directly as a hexadecimal value. -Only one named flag is supported at present: -.Cm no-touch-required , -which indicates that the generated private key should not require touch -events (user presence) when making signatures. -Note that -.Xr sshd 8 -will refuse such signatures by default, unless overridden via -an authorized_keys option. .It Fl Y Cm check-novalidate Checks that a signature generated using .Nm diff --git a/ssh-keygen.c b/ssh-keygen.c index 696891e0e..3640a3c37 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.380 2019/12/30 09:49:52 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2932,7 +2932,7 @@ main(int argc, char **argv) int prefer_agent = 0, convert_to = 0, convert_from = 0; int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; int do_gen_candidates = 0, do_screen_candidates = 0; - unsigned long long ull, cert_serial = 0; + unsigned long long cert_serial = 0; char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; size_t i, nopts = 0; u_int32_t bits = 0; @@ -2965,10 +2965,10 @@ main(int argc, char **argv) sk_provider = getenv("SSH_SK_PROVIDER"); - /* Remaining characters: dGjJKSTW */ + /* Remaining characters: dGjJKSTWx */ while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy" "C:D:E:F:I:M:N:O:P:R:V:Y:Z:" - "a:b:f:g:m:n:r:s:t:w:x:z:")) != -1) { + "a:b:f:g:m:n:r:s:t:w:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -3130,25 +3130,6 @@ main(int argc, char **argv) case 'w': sk_provider = optarg; break; - case 'x': - if (*optarg == '\0') - fatal("Missing security key flags"); - if (strcasecmp(optarg, "no-touch-required") == 0) - sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; - else if (strcasecmp(optarg, "resident") == 0) - sk_flags |= SSH_SK_RESIDENT_KEY; - else { - ull = strtoull(optarg, &ep, 0); - if (*ep != '\0') - fatal("Security key flags \"%s\" is " - "not a number", optarg); - if (ull > 0xff) { - fatal("Invalid security key " - "flags 0x%llx", ull); - } - sk_flags = (uint8_t)ull; - } - break; case 'z': errno = 0; if (*optarg == '+') { 
@@ -3361,6 +3342,20 @@ main(int argc, char **argv) switch (type) { case KEY_ECDSA_SK: case KEY_ED25519_SK: + for (i = 0; i < nopts; i++) { + if (strcasecmp(opts[i], "no-touch-required") == 0) { + sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; + } else if (strcasecmp(opts[i], "resident") == 0) { + sk_flags |= SSH_SK_RESIDENT_KEY; + } else { + fatal("Option \"%s\" is unsupported for " + "FIDO authenticator enrollment", opts[i]); + } + } + if (!quiet) { + printf("You may need to touch your security key " + "to authorize key generation.\n"); + } passphrase1 = NULL; for (i = 0 ; i < 3; i++) { if (!quiet) { @@ -3375,9 +3370,13 @@ main(int argc, char **argv) break; if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) exit(1); /* error message already printed */ + if (passphrase1 != NULL) + freezero(passphrase1, strlen(passphrase1)); passphrase1 = read_passphrase("Enter PIN for security " "key: ", RP_ALLOW_STDIN); } + if (passphrase1 != NULL) + freezero(passphrase1, strlen(passphrase1)); if (i > 3) fatal("Too many incorrect PINs"); break; -- cgit v1.2.3 From 3b1382ffd5e71eff78db8cef0f3cada22ff29409 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Mon, 30 Dec 2019 16:10:00 +0000 Subject: upstream: simplify the list for moduli options - no need for -compact; OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280 --- ssh-keygen.1 | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1f4edace5..f0d70adec 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.186 2019/12/30 16:10:00 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
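Review bot: The added `printf("You may need to touch your security key " "to authorize key generation.\n");` duplicates the prompt that the retry loop immediately below already prints on every attempt (`printf("You may need to touch your security "` in the context lines), so the first enrollment attempt shows the message twice. Either drop the added block or drop the in-loop copy, depending on whether the intent is to prompt once before the PIN retries or once per attempt. The new `-O` option loop itself looks right as far as the hunk shows. main() continues outside the hunk.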
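Review bot: The PIN retry check `if (i > 3) fatal("Too many incorrect PINs");` in the context just below the added freezero() calls can never fire, because the loop is `for (i = 0 ; i < 3; i++)` and exits with i == 3 after three SSH_ERR_KEY_WRONG_PASSPHRASE results; it should read `if (i >= 3)`. As written, three wrong PINs fall through the `break` with no enrolled key, and the code after the switch presumably goes on to use `private` without it having been set. The new cleanup of `passphrase1` after the loop is the right place for it, so only the comparison needs to change. main() continues outside the hunk.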
@@ -742,29 +742,23 @@ that both ends of a connection share common moduli. A number of options are available for moduli generation and screening via the .Fl O flag: -.Bl -tag -width Ds -compact -.Pp +.Bl -tag -width Ds .It Ic lines Ns = Ns Ar number Exit after screening the specified number of lines while performing DH candidate screening. -.Pp .It Ic start-line Ns = Ns Ar line-number Start screening at the specified line number while performing DH candidate screening. -.Pp .It Ic checkpoint Ns = Ns Ar filename Write the last line processed to the specified file while performing DH candidate screening. This will be used to skip lines in the input file that have already been processed if the job is restarted. -.Pp .It Ic memory Ns = Ns Ar mbytes Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX. -.Pp .It Ic start Ns = Ns Ar hex-value Specify start point (in hex) when generating candidate moduli for DH-GEX. -.Pp .It Ic generator Ns = Ns Ar value Specify desired generator (in decimal) when testing candidate moduli for DH-GEX. .El -- cgit v1.2.3 From 9039971887cccd95b209c479296f772a3a93e8e7 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 2 Jan 2020 22:40:09 +0000 Subject: upstream: ability to download FIDO2 resident keys from a token via "ssh-keygen -K". This will save public/private keys into the current directory. This is handy if you move a token between hosts. feedback & ok markus@ OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6 --- ssh-keygen.1 | 11 ++- ssh-keygen.c | 224 +++++++++++++++++++++++++++++++++++++++++++---------------- 2 files changed, 172 insertions(+), 63 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index f0d70adec..569a46b19 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.186 2019/12/30 16:10:00 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.187 2020/01/02 22:40:09 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 30 2019 $ +.Dd $Mdocdate: January 2 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -92,6 +92,9 @@ .Fl H .Op Fl f Ar known_hosts_file .Nm ssh-keygen +.Fl K +.Op Fl w Ar provider +.Nm ssh-keygen .Fl R Ar hostname .Op Fl f Ar known_hosts_file .Nm ssh-keygen @@ -363,6 +366,10 @@ commercial SSH implementations. The default import format is .Dq RFC4716 . .It Fl k +Download resident keys from a FIDO authenticator. +Public and private key files will be written to the current directory for +each downloaded key. +.It Fl k Generate a KRL file. In this mode, .Nm diff --git a/ssh-keygen.c b/ssh-keygen.c index 3640a3c37..7731339f7 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.380 2019/12/30 09:49:52 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.381 2020/01/02 22:40:09 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -2871,6 +2871,137 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts) #endif /* WITH_OPENSSL */ } +static char * +private_key_passphrase(void) +{ + char *passphrase1, *passphrase2; + + /* Ask for a passphrase (twice). */ + if (identity_passphrase) + passphrase1 = xstrdup(identity_passphrase); + else if (identity_new_passphrase) + passphrase1 = xstrdup(identity_new_passphrase); + else { +passphrase_again: + passphrase1 = + read_passphrase("Enter passphrase (empty for no " + "passphrase): ", RP_ALLOW_STDIN); + passphrase2 = read_passphrase("Enter same passphrase again: ", + RP_ALLOW_STDIN); + if (strcmp(passphrase1, passphrase2) != 0) { + /* + * The passphrases do not match. Clear them and + * retry. + */ + freezero(passphrase1, strlen(passphrase1)); + freezero(passphrase2, strlen(passphrase2)); + printf("Passphrases do not match. Try again.\n"); + goto passphrase_again; + } + /* Clear the other copy of the passphrase. */ + freezero(passphrase2, strlen(passphrase2)); + } + return passphrase1; +} + +static const char * +skip_ssh_url_preamble(const char *s) +{ + if (strncmp(s, "ssh://", 6) == 0) + return s + 6; + else if (strncmp(s, "ssh:", 4) == 0) + return s + 4; + return s; +} + +static int +do_download_sk(const char *skprovider) +{ + struct sshkey **keys; + size_t nkeys, i; + int r, ok = -1; + char *fp, *pin, *pass = NULL, *path, *pubpath; + const char *ext; + + if (skprovider == NULL) + fatal("Cannot download keys without provider"); + + pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); + if ((r = sshsk_load_resident(skprovider, pin, &keys, &nkeys)) != 0) { + freezero(pin, strlen(pin)); + error("Unable to load resident keys: %s", ssh_err(r)); + return -1; + } + if (nkeys == 0) + logit("No keys to download"); + freezero(pin, strlen(pin)); + + for (i = 0; i < nkeys; i++) { + if (keys[i]->type != KEY_ECDSA_SK && + keys[i]->type != KEY_ED25519_SK) { + error("Unsupported key type %s (%d)", + sshkey_type(keys[i]), keys[i]->type); 
+ continue; + } + if ((fp = sshkey_fingerprint(keys[i], + fingerprint_hash, SSH_FP_DEFAULT)) == NULL) + fatal("%s: sshkey_fingerprint failed", __func__); + debug("%s: key %zu: %s %s %s (flags 0x%02x)", __func__, i, + sshkey_type(keys[i]), fp, keys[i]->sk_application, + keys[i]->sk_flags); + ext = skip_ssh_url_preamble(keys[i]->sk_application); + xasprintf(&path, "id_%s_rk%s%s", + keys[i]->type == KEY_ECDSA_SK ? "ecdsa_sk" : "ed25519_sk", + *ext == '\0' ? "" : "_", ext); + + /* If the file already exists, ask the user to confirm. */ + if (!confirm_overwrite(path)) { + free(path); + break; + } + + /* Save the key with the application string as the comment */ + if (pass == NULL) + pass = private_key_passphrase(); + if ((r = sshkey_save_private(keys[i], path, pass, + keys[i]->sk_application, private_key_format, + openssh_format_cipher, rounds)) != 0) { + error("Saving key \"%s\" failed: %s", + path, ssh_err(r)); + free(path); + break; + } + if (!quiet) { + printf("Saved %s key%s%s to %s\n", + sshkey_type(keys[i]), + *ext != '\0' ? " " : "", + *ext != '\0' ? keys[i]->sk_application : "", + path); + } + + /* Save public key too */ + xasprintf(&pubpath, "%s.pub", path); + free(path); + if ((r = sshkey_save_public(keys[i], pubpath, + keys[i]->sk_application)) != 0) { + free(pubpath); + error("Saving public key \"%s\" failed: %s", + pubpath, ssh_err(r)); + break; + } + free(pubpath); + } + + if (i >= nkeys) + ok = 0; /* success */ + if (pass != NULL) + freezero(pass, strlen(pass)); + for (i = 0; i < nkeys; i++) + sshkey_free(keys[i]); + free(keys); + return ok ? 0 : -1; +} + static void usage(void) { @@ -2890,6 +3021,8 @@ usage(void) fprintf(stderr, " ssh-keygen -D pkcs11\n"); #endif + fprintf(stderr, + " ssh-keygen -K path [-w sk_provider]\n"); fprintf(stderr, " ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n" " ssh-keygen -H [-f known_hosts_file]\n" 
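Review bot: In the new do_download_sk(), the public-key error path frees `pubpath` and then passes it to error() on the next line (`free(pubpath); error("Saving public key \"%s\" failed: %s", pubpath, ssh_err(r));`), a use-after-free; move the `free(pubpath)` after the error() call. The final `return ok ? 0 : -1;` is also inverted: `ok` starts at -1 and is set to 0 only by the `ok = 0; /* success */` line, so a refused overwrite or a save failure returns 0 while the success case returns -1, and main() passes that straight out as the process exit status. `return ok;` matches the stated intent. The function is complete within the hunk.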
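Review bot: The new usage line `" ssh-keygen -K path [-w sk_provider]\n"` advertises a `path` argument, but `-K` is added to the getopt() string without a colon in the next hunk (`"ABHKLQUXceghiklopquvy"`) and the ssh-keygen.1 synopsis in this commit gives `.Fl K .Op Fl w Ar provider`. do_download_sk() always writes into the current directory, so there is no path to take; change the line to `" ssh-keygen -K [-w sk_provider]\n"` so usage() agrees with the parser and the manual.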
@@ -2920,24 +3053,23 @@ usage(void) int main(int argc, char **argv) { - char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2; + char dotsshdir[PATH_MAX], comment[1024], *passphrase; char *rr_hostname = NULL, *ep, *fp, *ra; struct sshkey *private, *public; struct passwd *pw; struct stat st; - int r, opt, type, fd; + int r, opt, type; int change_passphrase = 0, change_comment = 0, show_cert = 0; int find_host = 0, delete_host = 0, hash_hosts = 0; int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; int prefer_agent = 0, convert_to = 0, convert_from = 0; int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; - int do_gen_candidates = 0, do_screen_candidates = 0; + int do_gen_candidates = 0, do_screen_candidates = 0, download_sk = 0; unsigned long long cert_serial = 0; char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; size_t i, nopts = 0; u_int32_t bits = 0; uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; - FILE *f; const char *errstr; int log_level = SYSLOG_LEVEL_INFO; char *sign_op = NULL; @@ -2965,8 +3097,8 @@ main(int argc, char **argv) sk_provider = getenv("SSH_SK_PROVIDER"); - /* Remaining characters: dGjJKSTWx */ - while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy" + /* Remaining characters: dGjJSTWx */ + while ((opt = getopt(argc, argv, "ABHKLQUXceghiklopquvy" "C:D:E:F:I:M:N:O:P:R:V:Y:Z:" "a:b:f:g:m:n:r:s:t:w:z:")) != -1) { switch (opt) { @@ -3046,6 +3178,9 @@ main(int argc, char **argv) case 'g': print_generic = 1; break; + case 'K': + download_sk = 1; + break; case 'P': identity_passphrase = optarg; break; @@ -3261,6 +3396,8 @@ main(int argc, char **argv) } if (pkcs11provider != NULL) do_download(pw); + if (download_sk) + return do_download_sk(sk_provider); if (print_fingerprint || print_bubblebabble) do_fingerprint(pw); if (change_passphrase) 
@@ -3356,7 +3493,7 @@ main(int argc, char **argv) printf("You may need to touch your security key " "to authorize key generation.\n"); } - passphrase1 = NULL; + passphrase = NULL; for (i = 0 ; i < 3; i++) { if (!quiet) { printf("You may need to touch your security " @@ -3365,21 +3502,21 @@ main(int argc, char **argv) fflush(stdout); r = sshsk_enroll(type, sk_provider, cert_key_id == NULL ? "ssh:" : cert_key_id, - sk_flags, passphrase1, NULL, &private, NULL); + sk_flags, passphrase, NULL, &private, NULL); if (r == 0) break; if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) exit(1); /* error message already printed */ - if (passphrase1 != NULL) - freezero(passphrase1, strlen(passphrase1)); - passphrase1 = read_passphrase("Enter PIN for security " + if (passphrase != NULL) + freezero(passphrase, strlen(passphrase)); + passphrase = read_passphrase("Enter PIN for security " "key: ", RP_ALLOW_STDIN); } - if (passphrase1 != NULL) - freezero(passphrase1, strlen(passphrase1)); + if (passphrase != NULL) + freezero(passphrase, strlen(passphrase)); if (i > 3) fatal("Too many incorrect PINs"); - break; + break; default: if ((r = sshkey_generate(type, bits, &private)) != 0) fatal("sshkey_generate failed"); 
@@ -3409,35 +3546,9 @@ main(int argc, char **argv) /* If the file already exists, ask the user to confirm. */ if (!confirm_overwrite(identity_file)) exit(1); - /* Ask for a passphrase (twice). */ - if (identity_passphrase) - passphrase1 = xstrdup(identity_passphrase); - else if (identity_new_passphrase) - passphrase1 = xstrdup(identity_new_passphrase); - else { -passphrase_again: - passphrase1 = - read_passphrase("Enter passphrase (empty for no " - "passphrase): ", RP_ALLOW_STDIN); - passphrase2 = read_passphrase("Enter same passphrase again: ", - RP_ALLOW_STDIN); - if (strcmp(passphrase1, passphrase2) != 0) { - /* - * The passphrases do not match. Clear them and - * retry. - */ - explicit_bzero(passphrase1, strlen(passphrase1)); - explicit_bzero(passphrase2, strlen(passphrase2)); - free(passphrase1); - free(passphrase2); - printf("Passphrases do not match. Try again.\n"); - goto passphrase_again; - } - /* Clear the other copy of the passphrase. */ - explicit_bzero(passphrase2, strlen(passphrase2)); - free(passphrase2); - } + /* Determine the passphrase for the private key */ + passphrase = private_key_passphrase(); if (identity_comment) { strlcpy(comment, identity_comment, sizeof(comment)); } else { 
@@ -3446,35 +3557,26 @@ passphrase_again: } /* Save the key with the given passphrase and comment. */ - if ((r = sshkey_save_private(private, identity_file, passphrase1, + if ((r = sshkey_save_private(private, identity_file, passphrase, comment, private_key_format, openssh_format_cipher, rounds)) != 0) { error("Saving key \"%s\" failed: %s", identity_file, ssh_err(r)); - explicit_bzero(passphrase1, strlen(passphrase1)); - free(passphrase1); + freezero(passphrase, strlen(passphrase)); exit(1); } - /* Clear the passphrase. */ - explicit_bzero(passphrase1, strlen(passphrase1)); - free(passphrase1); - - /* Clear the private key and the random number generator. */ + freezero(passphrase, strlen(passphrase)); sshkey_free(private); - if (!quiet) - printf("Your identification has been saved in %s.\n", identity_file); + if (!quiet) { + printf("Your identification has been saved in %s.\n", + identity_file); + } strlcat(identity_file, ".pub", sizeof(identity_file)); - if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) + if ((r = sshkey_save_public(public, identity_file, comment)) != 0) { fatal("Unable to save public key to %s: %s", identity_file, strerror(errno)); - if ((f = fdopen(fd, "w")) == NULL) - fatal("fdopen %s failed: %s", identity_file, strerror(errno)); - if ((r = sshkey_write(public, f)) != 0) - error("write key failed: %s", ssh_err(r)); - fprintf(f, " %s\n", comment); - if (ferror(f) || fclose(f) != 0) - fatal("write public failed: %s", strerror(errno)); + } if (!quiet) { fp = sshkey_fingerprint(public, fingerprint_hash, -- cgit v1.2.3 From c593cc5e826c9f4ec506e22b629d37cabfaacff9 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Fri, 3 Jan 2020 07:33:33 +0000 Subject: upstream: the download resident keys option is -K (upper) not -k (lower); ok djm OpenBSD-Commit-ID: 71dc28a3e1fa7c553844abc508845bcf5766e091 --- ssh-keygen.1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'ssh-keygen.1') 
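Review bot: The replacement `if ((r = sshkey_save_public(public, identity_file, comment)) != 0)` keeps the old `fatal("Unable to save public key to %s: %s", identity_file, strerror(errno));` in the context line below it, but `r` is now an ssh error code and errno is whatever the last libc call happened to leave, so the reported reason can be stale or unrelated. Report the code instead, as the `sshkey_save_private` error a few lines above already does: `fatal("Unable to save public key to %s: %s", identity_file, ssh_err(r));`. The removed open()/fdopen() path was what made errno meaningful here. main() continues outside the hunk.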
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 569a46b19..7b83a2240 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.187 2020/01/02 22:40:09 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.188 2020/01/03 07:33:33 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 2 2020 $ +.Dd $Mdocdate: January 3 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -365,7 +365,7 @@ This option allows importing keys from other software, including several commercial SSH implementations. The default import format is .Dq RFC4716 . -.It Fl k +.It Fl K Download resident keys from a FIDO authenticator. Public and private key files will be written to the current directory for each downloaded key. -- cgit v1.2.3 From c312ca077cd2a6c15545cd6b4d34ee2f69289174 Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Mon, 6 Jan 2020 02:00:46 +0000 Subject: upstream: Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc --- PROTOCOL.u2f | 47 ++++++++++++-- sk-api.h | 23 ++++--- sk-usbhid.c | 194 ++++++++++++++++++++++++++++++++++++++++++++------------ ssh-add.c | 5 +- ssh-keygen.1 | 23 +++++-- ssh-keygen.c | 39 ++++++++---- ssh-sk-client.c | 14 ++-- ssh-sk-helper.c | 45 +++++++------ ssh-sk.c | 121 ++++++++++++++++++++++++++++++----- ssh-sk.h | 14 ++-- 10 files changed, 404 insertions(+), 121 deletions(-) (limited to 'ssh-keygen.1') diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 5f44c3acc..fd0cd0de0 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f @@ -233,7 +233,7 @@ support for the common case of USB HID security keys internally. The middleware library need only expose a handful of functions: - #define SSH_SK_VERSION_MAJOR 0x00030000 /* API version */ + #define SSH_SK_VERSION_MAJOR 0x00040000 /* API version */ #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000 /* Flags */ 
@@ -245,6 +245,11 @@ The middleware library need only expose a handful of functions: #define SSH_SK_ECDSA 0x00 #define SSH_SK_ED25519 0x01 + /* Error codes */ + #define SSH_SK_ERR_GENERAL -1 + #define SSH_SK_ERR_UNSUPPORTED -2 + #define SSH_SK_ERR_PIN_REQUIRED -3 + struct sk_enroll_response { uint8_t *public_key; size_t public_key_len; 
@@ -266,35 +271,63 @@ The middleware library need only expose a handful of functions: }; struct sk_resident_key { - uint8_t alg; + uint32_t alg; size_t slot; char *application; struct sk_enroll_response key; }; + struct sk_option { + char *name; + char *value; + uint8_t important; + }; + /* Return the version of the middleware API */ uint32_t sk_api_version(void); /* Enroll a U2F key (private key generation) */ - int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, + int sk_enroll(uint32_t alg, + const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, const char *pin, + struct sk_option **options, struct sk_enroll_response **enroll_response); /* Sign a challenge */ - int sk_sign(int alg, const uint8_t *message, size_t message_len, + int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, - uint8_t flags, const char *pin, + uint8_t flags, const char *pin, struct sk_option **options, struct sk_sign_response **sign_response); /* Enumerate all resident keys */ - int sk_load_resident_keys(const char *pin, + int sk_load_resident_keys(const char *pin, struct sk_option **options, struct sk_resident_key ***rks, size_t *nrks); The SSH_SK_VERSION_MAJOR should be incremented for each incompatible API change. -In OpenSSH, these will be invoked by using a similar mechanism to +The options may be used to pass miscellaneous options to the middleware +as a NULL-terminated array of pointers to struct sk_option. The middleware +may ignore unsupported or unknown options unless the "important" flag is +set, in which case it should return failure if an unsupported option is +requested. + +At present the following options names are supported: + + "device" + + Specifies a specific FIDO device on which to perform the + operation. 
The value in this field is interpreted by the + middleware but it would be typical to specify a path to + a /dev node for the device in question. + + "user" + + Specifies the FIDO2 username used when enrolling a key, + overriding OpenSSH's default of using an all-zero username. + +In OpenSSH, the middleware will be invoked by using a similar mechanism to ssh-pkcs11-helper to provide address-space containment of the middleware from ssh-agent. diff --git a/sk-api.h b/sk-api.h index dc786d556..93d6a1229 100644 --- a/sk-api.h +++ b/sk-api.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sk-api.h,v 1.6 2019/12/30 09:24:45 djm Exp $ */ +/* $OpenBSD: sk-api.h,v 1.7 2020/01/06 02:00:46 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * 
@@ -58,30 +58,37 @@ struct sk_sign_response { }; struct sk_resident_key { - uint8_t alg; + uint32_t alg; size_t slot; char *application; struct sk_enroll_response key; }; -#define SSH_SK_VERSION_MAJOR 0x00030000 /* current API version */ +struct sk_option { + char *name; + char *value; + uint8_t required; +}; + +#define SSH_SK_VERSION_MAJOR 0x00040000 /* current API version */ #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000 /* Return the version of the middleware API */ uint32_t sk_api_version(void); /* Enroll a U2F key (private key generation) */ -int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, +int sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, const char *pin, - struct sk_enroll_response **enroll_response); + struct sk_option **options, struct sk_enroll_response **enroll_response); /* Sign a challenge */ -int sk_sign(int alg, const uint8_t *message, size_t message_len, +int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, - uint8_t flags, const char *pin, struct sk_sign_response **sign_response); + uint8_t flags, const char *pin, struct sk_option **options, + struct sk_sign_response **sign_response); /* Enumerate all resident keys */ -int sk_load_resident_keys(const char *pin, +int sk_load_resident_keys(const char *pin, struct sk_option **options, struct sk_resident_key ***rks, size_t *nrks); #endif /* _SK_API_H */ diff --git a/sk-usbhid.c b/sk-usbhid.c index 22a4c5df5..2e1573c48 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c @@ -54,7 +54,7 @@ } while (0) #endif -#define SK_VERSION_MAJOR 0x00030000 /* current API version */ +#define SK_VERSION_MAJOR 0x00040000 /* current API version */ /* Flags */ #define SK_USER_PRESENCE_REQD 0x01 
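Review bot: The new `struct sk_option` field is named `required` here (and in the matching copy added to sk-usbhid.c in this commit), while the PROTOCOL.u2f text added by the same commit documents it as the `important` flag and describes its semantics under that name; since this header is the contract external middleware builds against, the two should agree. Either rename the field to `important` or update PROTOCOL.u2f to say `required`, and give the field a one-line comment, e.g. `uint8_t required; /* if set, fail rather than ignore an unsupported option */`, so the header itself states the semantics the protocol text describes.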
@@ -91,12 +91,18 @@ struct sk_sign_response { }; struct sk_resident_key { - uint8_t alg; + uint32_t alg; size_t slot; char *application; struct sk_enroll_response key; }; +struct sk_option { + char *name; + char *value; + uint8_t required; +}; + /* If building as part of OpenSSH, then rename exported functions */ #if !defined(SK_STANDALONE) #define sk_api_version ssh_sk_api_version @@ -109,17 +115,18 @@ struct sk_resident_key { uint32_t sk_api_version(void); /* Enroll a U2F key (private key generation) */ -int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, +int sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, const char *pin, - struct sk_enroll_response **enroll_response); + struct sk_option **options, struct sk_enroll_response **enroll_response); /* Sign a challenge */ -int sk_sign(int alg, const uint8_t *message, size_t message_len, +int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, - uint8_t flags, const char *pin, struct sk_sign_response **sign_response); + uint8_t flags, const char *pin, struct sk_option **options, + struct sk_sign_response **sign_response); /* Load resident keys */ -int sk_load_resident_keys(const char *pin, +int sk_load_resident_keys(const char *pin, struct sk_option **options, struct sk_resident_key ***rks, size_t *nrks); static void skdebug(const char *func, const char *fmt, ...) 
@@ -235,15 +242,27 @@ try_device(fido_dev_t *dev, const uint8_t *message, size_t message_len, /* Iterate over configured devices looking for a specific key handle */ static fido_dev_t * -find_device(const uint8_t *message, size_t message_len, const char *application, - const uint8_t *key_handle, size_t key_handle_len) +find_device(const char *path, const uint8_t *message, size_t message_len, + const char *application, const uint8_t *key_handle, size_t key_handle_len) { fido_dev_info_t *devlist = NULL; fido_dev_t *dev = NULL; size_t devlist_len = 0, i; - const char *path; int r; + if (path != NULL) { + if ((dev = fido_dev_new()) == NULL) { + skdebug(__func__, "fido_dev_new failed"); + return NULL; + } + if ((r = fido_dev_open(dev, path)) != FIDO_OK) { + skdebug(__func__, "fido_dev_open failed"); + fido_dev_free(&dev); + return NULL; + } + return dev; + } + if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) { skdebug(__func__, "fido_dev_info_new failed"); goto out; @@ -402,7 +421,7 @@ pack_public_key_ed25519(const fido_cred_t *cred, } static int -pack_public_key(int alg, const fido_cred_t *cred, +pack_public_key(uint32_t alg, const fido_cred_t *cred, struct sk_enroll_response *response) { switch(alg) { 
@@ -431,10 +450,45 @@ fidoerr_to_skerr(int fidoerr) } } +static int +check_enroll_options(struct sk_option **options, char **devicep, + uint8_t *user_id, size_t user_id_len) +{ + size_t i; + + if (options == NULL) + return 0; + for (i = 0; options[i] != NULL; i++) { + if (strcmp(options[i]->name, "device") == 0) { + if ((*devicep = strdup(options[i]->value)) == NULL) { + skdebug(__func__, "strdup device failed"); + return -1; + } + skdebug(__func__, "requested device %s", *devicep); + } if (strcmp(options[i]->name, "user") == 0) { + if (strlcpy(user_id, options[i]->value, user_id_len) >= + user_id_len) { + skdebug(__func__, "user too long"); + return -1; + } + skdebug(__func__, "requested user %s", + (char *)user_id); + } else { + skdebug(__func__, "requested unsupported option %s", + options[i]->name); + if (options[i]->required) { + skdebug(__func__, "unknown required option"); + return -1; + } + } + } + return 0; +} + int -sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, +sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, const char *pin, - struct sk_enroll_response **enroll_response) + struct sk_option **options, struct sk_enroll_response **enroll_response) { fido_cred_t *cred = NULL; fido_dev_t *dev = NULL; @@ -454,6 +508,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, skdebug(__func__, "enroll_response == NULL"); goto out; } + memset(user_id, 0, sizeof(user_id)); + if (check_enroll_options(options, &device, + user_id, sizeof(user_id)) != 0) + goto out; /* error already logged */ + *enroll_response = NULL; switch(alg) { #ifdef WITH_OPENSSL @@ -468,7 +527,7 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, skdebug(__func__, "unsupported key type %d", alg); goto out; } - if ((device = pick_first_device()) == NULL) { + if (device == NULL && (device = pick_first_device()) == NULL) { skdebug(__func__, "pick_first_device failed"); goto out; } 
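Review bot: check_enroll_options() is missing an `else` before the `user` test: `} if (strcmp(options[i]->name, "user") == 0) {` means that after a matching `device` option control falls into the `user` comparison and from there into the unsupported-option branch, so every `device` option is logged as unsupported and, when its `required` flag is set, rejected with "unknown required option". Change it to `} else if (strcmp(options[i]->name, "user") == 0) {`. Both this helper and check_sign_load_resident_options() also overwrite `*devicep` on a repeated `device` option without freeing the earlier strdup() result, a small leak; free before assigning or reject duplicates. sk_enroll()'s body continues outside the hunk.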
@@ -477,7 +536,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, skdebug(__func__, "fido_cred_new failed"); goto out; } - memset(user_id, 0, sizeof(user_id)); if ((r = fido_cred_set_type(cred, cose_alg)) != FIDO_OK) { skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r)); goto out; @@ -654,7 +712,8 @@ pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response) } static int -pack_sig(int alg, fido_assert_t *assert, struct sk_sign_response *response) +pack_sig(uint32_t alg, fido_assert_t *assert, + struct sk_sign_response *response) { switch(alg) { #ifdef WITH_OPENSSL @@ -668,13 +727,42 @@ pack_sig(int alg, fido_assert_t *assert, struct sk_sign_response *response) } } +/* Checks sk_options for sk_sign() and sk_load_resident_keys() */ +static int +check_sign_load_resident_options(struct sk_option **options, char **devicep) +{ + size_t i; + + if (options == NULL) + return 0; + for (i = 0; options[i] != NULL; i++) { + if (strcmp(options[i]->name, "device") == 0) { + if ((*devicep = strdup(options[i]->value)) == NULL) { + skdebug(__func__, "strdup device failed"); + return -1; + } + skdebug(__func__, "requested device %s", *devicep); + } else { + skdebug(__func__, "requested unsupported option %s", + options[i]->name); + if (options[i]->required) { + skdebug(__func__, "unknown required option"); + return -1; + } + } + } + return 0; +} + int -sk_sign(int alg, const uint8_t *message, size_t message_len, +sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, - uint8_t flags, const char *pin, struct sk_sign_response **sign_response) + uint8_t flags, const char *pin, struct sk_option **options, + struct sk_sign_response **sign_response) { fido_assert_t *assert = NULL; + char *device = NULL; fido_dev_t *dev = NULL; struct sk_sign_response *response = NULL; int ret = SSH_SK_ERR_GENERAL; 
@@ -689,8 +777,10 @@ sk_sign(int alg, const uint8_t *message, size_t message_len, goto out; } *sign_response = NULL; - if ((dev = find_device(message, message_len, application, key_handle, - key_handle_len)) == NULL) { + if (check_sign_load_resident_options(options, &device) != 0) + goto out; /* error already logged */ + if ((dev = find_device(device, message, message_len, + application, key_handle, key_handle_len)) == NULL) { skdebug(__func__, "couldn't find device for key handle"); goto out; } @@ -737,6 +827,7 @@ sk_sign(int alg, const uint8_t *message, size_t message_len, response = NULL; ret = 0; out: + free(device); if (response != NULL) { free(response->sig_r); free(response->sig_s); @@ -789,6 +880,7 @@ read_rks(const char *devpath, const char *pin, } skdebug(__func__, "get metadata for %s failed: %s", devpath, fido_strerr(r)); + ret = fidoerr_to_skerr(r); goto out; } skdebug(__func__, "existing %llu, remaining %llu", @@ -904,7 +996,7 @@ read_rks(const char *devpath, const char *pin, } int -sk_load_resident_keys(const char *pin, +sk_load_resident_keys(const char *pin, struct sk_option **options, struct sk_resident_key ***rksp, size_t *nrksp) { int ret = SSH_SK_ERR_GENERAL, r = -1; 
@@ -912,39 +1004,57 @@ sk_load_resident_keys(const char *pin, size_t i, ndev = 0, nrks = 0; const fido_dev_info_t *di; struct sk_resident_key **rks = NULL; + char *device = NULL; *rksp = NULL; *nrksp = 0; - if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) { - skdebug(__func__, "fido_dev_info_new failed"); - goto out; - } - if ((r = fido_dev_info_manifest(devlist, - MAX_FIDO_DEVICES, &ndev)) != FIDO_OK) { - skdebug(__func__, "fido_dev_info_manifest failed: %s", - fido_strerr(r)); - goto out; - } - for (i = 0; i < ndev; i++) { - if ((di = fido_dev_info_ptr(devlist, i)) == NULL) { - skdebug(__func__, "no dev info at %zu", i); - continue; - } - skdebug(__func__, "trying %s", fido_dev_info_path(di)); - if ((r = read_rks(fido_dev_info_path(di), pin, - &rks, &nrks)) != 0) { + if (check_sign_load_resident_options(options, &device) != 0) + goto out; /* error already logged */ + if (device != NULL) { + skdebug(__func__, "trying %s", device); + if ((r = read_rks(device, pin, &rks, &nrks)) != 0) { skdebug(__func__, "read_rks failed for %s", fido_dev_info_path(di)); - continue; + ret = r; + goto out; + } + } else { + /* Try all devices */ + if ((devlist = fido_dev_info_new(MAX_FIDO_DEVICES)) == NULL) { + skdebug(__func__, "fido_dev_info_new failed"); + goto out; + } + if ((r = fido_dev_info_manifest(devlist, + MAX_FIDO_DEVICES, &ndev)) != FIDO_OK) { + skdebug(__func__, "fido_dev_info_manifest failed: %s", + fido_strerr(r)); + goto out; + } + for (i = 0; i < ndev; i++) { + if ((di = fido_dev_info_ptr(devlist, i)) == NULL) { + skdebug(__func__, "no dev info at %zu", i); + continue; + } + skdebug(__func__, "trying %s", fido_dev_info_path(di)); + if ((r = read_rks(fido_dev_info_path(di), pin, + &rks, &nrks)) != 0) { + skdebug(__func__, "read_rks failed for %s", + fido_dev_info_path(di)); + /* remember last error */ + ret = r; + continue; + } } } - /* success */ - ret = 0; + /* success, unless we have no keys but a specific error */ + if (nrks > 0 || ret == 
SSH_SK_ERR_GENERAL) + ret = 0; *rksp = rks; *nrksp = nrks; rks = NULL; nrks = 0; out: + free(device); for (i = 0; i < nrks; i++) { free(rks[i]->application); freezero(rks[i]->key.public_key, rks[i]->key.public_key_len); diff --git a/ssh-add.c b/ssh-add.c index c25b57cc1..fbb2578dd 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.148 2019/12/30 09:22:49 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.149 2020/01/06 02:00:46 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -549,7 +549,8 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag) char *fp; pass = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); - if ((r = sshsk_load_resident(skprovider, pass, &keys, &nkeys)) != 0) { + if ((r = sshsk_load_resident(skprovider, NULL, pass, + &keys, &nkeys)) != 0) { error("Unable to load resident keys: %s", ssh_err(r)); return r; } diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 7b83a2240..92c516588 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.188 2020/01/03 07:33:33 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.189 2020/01/06 02:00:46 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 3 2020 $ +.Dd $Mdocdate: January 6 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
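Review bot: In the new `device != NULL` branch of sk_load_resident_keys the failure log still reads `fido_dev_info_path(di)`, but `di` is only ever assigned inside the enumerate-all loop, so on this path an uninitialised pointer is handed to fido_dev_info_path just to build a log message; the line should be `skdebug(__func__, "read_rks failed for %s", device);`. The error propagation otherwise looks right: a named device's failure code is returned as-is, and in the try-all branch the last non-generic code survives only when no keys were collected. The function's signature is in the preceding hunk and its body starts before this one.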
@@ -462,8 +462,18 @@ section may be specified. .Pp When generating a key that will be hosted on a FIDO authenticator, this flag may be used to specify key-specific options. -Two FIDO authenticator options are supported at present: -.Pp +The FIDO authenticator options are supported at present are: +.Pp +.Cm application +overrides the default FIDO application/origin string of +.Dq ssh: . +This option may be useful when generating host or domain-specific resident +keys. +.Cm device +explicitly specify a device to generate the key on, rather than accepting +the authenticator middleware's automatic selection. +.Xr fido 4 +device to use, rather than letting the token middleware select one. .Cm no-touch-required indicates that the generated private key should not require touch events (user presence) when making signatures. @@ -478,6 +488,11 @@ Resident keys may be supported on FIDO2 tokens and typically require that a PIN be set on the token prior to generation. Resident keys may be loaded off the token using .Xr ssh-add 1 . +.Cm user +allows specification of a username to be associated with a resident key, +overriding the empty default username. +Specifying a username may be useful when generating multiple resident keys +for the same application name. .Pp The .Fl O diff --git a/ssh-keygen.c b/ssh-keygen.c index 7731339f7..d0ffa5cd7 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.381 2020/01/02 22:40:09 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.382 2020/01/06 02:00:46 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2915,7 +2915,7 @@ skip_ssh_url_preamble(const char *s) } static int -do_download_sk(const char *skprovider) +do_download_sk(const char *skprovider, const char *device) { struct sshkey **keys; size_t nkeys, i; 
@@ -2927,7 +2927,8 @@ do_download_sk(const char *skprovider) fatal("Cannot download keys without provider"); pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); - if ((r = sshsk_load_resident(skprovider, pin, &keys, &nkeys)) != 0) { + if ((r = sshsk_load_resident(skprovider, device, pin, + &keys, &nkeys)) != 0) { freezero(pin, strlen(pin)); error("Unable to load resident keys: %s", ssh_err(r)); return -1; @@ -3067,6 +3068,7 @@ main(int argc, char **argv) int do_gen_candidates = 0, do_screen_candidates = 0, download_sk = 0; unsigned long long cert_serial = 0; char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; + char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL; size_t i, nopts = 0; u_int32_t bits = 0; uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; @@ -3396,8 +3398,17 @@ main(int argc, char **argv) } if (pkcs11provider != NULL) do_download(pw); - if (download_sk) - return do_download_sk(sk_provider); + if (download_sk) { + for (i = 0; i < nopts; i++) { + if (strncasecmp(opts[i], "device=", 7) == 0) { + sk_device = xstrdup(opts[i] + 7); + } else { + fatal("Option \"%s\" is unsupported for " + "FIDO authenticator download", opts[i]); + } + } + return do_download_sk(sk_provider, sk_device); + } if (print_fingerprint || print_bubblebabble) do_fingerprint(pw); if (change_passphrase) @@ -3484,6 +3495,13 @@ main(int argc, char **argv) sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; } else if (strcasecmp(opts[i], "resident") == 0) { sk_flags |= SSH_SK_RESIDENT_KEY; + } else if (strncasecmp(opts[i], "device=", 7) == 0) { + sk_device = xstrdup(opts[i] + 7); + } else if (strncasecmp(opts[i], "user=", 5) == 0) { + sk_user = xstrdup(opts[i] + 5); + } else if (strncasecmp(opts[i], + "application=", 12) == 0) { + sk_application = xstrdup(opts[i] + 12); } else { fatal("Option \"%s\" is unsupported for " "FIDO authenticator enrollment", opts[i]); 
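Review bot: The `device=` option is now parsed twice in main(), once in the download_sk path and again in the enrollment options loop, with the same `strncasecmp(opts[i], "device=", 7)` / `xstrdup(opts[i] + 7)` pair; a small static helper that matches the prefix and returns the value would keep the two sites in step as the option set grows (`user=` and `application=` already follow the same shape). Neither site guards against the option being given more than once, so a repeated `-O device=` silently keeps the last value and leaks the earlier xstrdup; either a comment such as `/* last -O device= wins */` or a fatal() on repetition would make the intent explicit. main() begins before these hunks and continues after them.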
@@ -3495,14 +3513,11 @@ main(int argc, char **argv) } passphrase = NULL; for (i = 0 ; i < 3; i++) { - if (!quiet) { - printf("You may need to touch your security " - "key to authorize key generation.\n"); - } fflush(stdout); - r = sshsk_enroll(type, sk_provider, - cert_key_id == NULL ? "ssh:" : cert_key_id, - sk_flags, passphrase, NULL, &private, NULL); + r = sshsk_enroll(type, sk_provider, sk_device, + sk_application == NULL ? "ssh:" : sk_application, + sk_user, sk_flags, passphrase, NULL, + &private, NULL); if (r == 0) break; if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) diff --git a/ssh-sk-client.c b/ssh-sk-client.c index 0033a6655..d3d37f792 100644 --- a/ssh-sk-client.c +++ b/ssh-sk-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk-client.c,v 1.3 2019/12/30 09:23:28 djm Exp $ */ +/* $OpenBSD: ssh-sk-client.c,v 1.4 2020/01/06 02:00:46 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -282,8 +282,9 @@ sshsk_sign(const char *provider, struct sshkey *key, } int -sshsk_enroll(int type, const char *provider_path, const char *application, - uint8_t flags, const char *pin, struct sshbuf *challenge_buf, +sshsk_enroll(int type, const char *provider_path, const char *device, + const char *application, const char *userid, uint8_t flags, + const char *pin, struct sshbuf *challenge_buf, struct sshkey **keyp, struct sshbuf *attest) { int oerrno, r = SSH_ERR_INTERNAL_ERROR; @@ -311,7 +312,9 @@ sshsk_enroll(int type, const char *provider_path, const char *application, if ((r = sshbuf_put_u32(req, SSH_SK_HELPER_ENROLL)) != 0 || (r = sshbuf_put_u32(req, (u_int)type)) != 0 || (r = sshbuf_put_cstring(req, provider_path)) != 0 || + (r = sshbuf_put_cstring(req, device)) != 0 || (r = sshbuf_put_cstring(req, application)) != 0 || + (r = sshbuf_put_cstring(req, userid)) != 0 || (r = sshbuf_put_u8(req, flags)) != 0 || (r = sshbuf_put_cstring(req, pin)) != 0 || (r = sshbuf_put_stringb(req, challenge_buf)) != 0) { 
@@ -358,8 +361,8 @@ sshsk_enroll(int type, const char *provider_path, const char *application, } int -sshsk_load_resident(const char *provider_path, const char *pin, - struct sshkey ***keysp, size_t *nkeysp) +sshsk_load_resident(const char *provider_path, const char *device, + const char *pin, struct sshkey ***keysp, size_t *nkeysp) { int oerrno, r = SSH_ERR_INTERNAL_ERROR; struct sshbuf *kbuf = NULL, *req = NULL, *resp = NULL; @@ -378,6 +381,7 @@ sshsk_load_resident(const char *provider_path, const char *pin, if ((r = sshbuf_put_u32(req, SSH_SK_HELPER_LOAD_RESIDENT)) != 0 || (r = sshbuf_put_cstring(req, provider_path)) != 0 || + (r = sshbuf_put_cstring(req, device)) != 0 || (r = sshbuf_put_cstring(req, pin)) != 0) { error("%s: compose: %s", __func__, ssh_err(r)); goto out; diff --git a/ssh-sk-helper.c b/ssh-sk-helper.c index 590ff8501..85a461d53 100644 --- a/ssh-sk-helper.c +++ b/ssh-sk-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk-helper.c,v 1.6 2019/12/30 09:23:28 djm Exp $ */ +/* $OpenBSD: ssh-sk-helper.c,v 1.7 2020/01/06 02:00:46 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -77,6 +77,17 @@ reply_error(int r, char *fmt, ...) return resp; } +/* If the specified string is zero length, then free it and replace with NULL */ +static void +null_empty(char **s) +{ + if (s == NULL || *s == NULL || **s != '\0') + return; + + free(*s); + *s = NULL; +} + static struct sshbuf * process_sign(struct sshbuf *req) { @@ -108,10 +119,7 @@ process_sign(struct sshbuf *req) "msg len %zu, compat 0x%lx", __progname, sshkey_type(key), provider, msglen, (u_long)compat); - if (*pin == 0) { - free(pin); - pin = NULL; - } + null_empty(&pin); if ((r = sshsk_sign(provider, key, &sig, &siglen, message, msglen, compat, pin)) != 0) { @@ -138,7 +146,7 @@ process_enroll(struct sshbuf *req) { int r; u_int type; - char *provider, *application, *pin; + char *provider, *application, *pin, *device, *userid; uint8_t flags; struct sshbuf *challenge, *attest, *kbuf, *resp; struct sshkey *key; 
@@ -149,7 +157,9 @@ process_enroll(struct sshbuf *req) if ((r = sshbuf_get_u32(req, &type)) != 0 || (r = sshbuf_get_cstring(req, &provider, NULL)) != 0 || + (r = sshbuf_get_cstring(req, &device, NULL)) != 0 || (r = sshbuf_get_cstring(req, &application, NULL)) != 0 || + (r = sshbuf_get_cstring(req, &userid, NULL)) != 0 || (r = sshbuf_get_u8(req, &flags)) != 0 || (r = sshbuf_get_cstring(req, &pin, NULL)) != 0 || (r = sshbuf_froms(req, &challenge)) != 0) @@ -163,13 +173,12 @@ process_enroll(struct sshbuf *req) sshbuf_free(challenge); challenge = NULL; } - if (*pin == 0) { - free(pin); - pin = NULL; - } + null_empty(&device); + null_empty(&userid); + null_empty(&pin); - if ((r = sshsk_enroll((int)type, provider, application, flags, pin, - challenge, &key, attest)) != 0) { + if ((r = sshsk_enroll((int)type, provider, device, application, userid, + flags, pin, challenge, &key, attest)) != 0) { resp = reply_error(r, "Enrollment failed: %s", ssh_err(r)); goto out; } @@ -200,7 +209,7 @@ static struct sshbuf * process_load_resident(struct sshbuf *req) { int r; - char *provider, *pin; + char *provider, *pin, *device; struct sshbuf *kbuf, *resp; struct sshkey **keys = NULL; size_t nkeys = 0, i; @@ -209,17 +218,17 @@ process_load_resident(struct sshbuf *req) fatal("%s: sshbuf_new failed", __progname); if ((r = sshbuf_get_cstring(req, &provider, NULL)) != 0 || + (r = sshbuf_get_cstring(req, &device, NULL)) != 0 || (r = sshbuf_get_cstring(req, &pin, NULL)) != 0) fatal("%s: buffer error: %s", __progname, ssh_err(r)); if (sshbuf_len(req) != 0) fatal("%s: trailing data in request", __progname); - if (*pin == 0) { - free(pin); - pin = NULL; - } + null_empty(&device); + null_empty(&pin); - if ((r = sshsk_load_resident(provider, pin, &keys, &nkeys)) != 0) { + if ((r = sshsk_load_resident(provider, device, pin, + &keys, &nkeys)) != 0) { resp = reply_error(r, " sshsk_load_resident failed: %s", ssh_err(r)); goto out; diff --git a/ssh-sk.c b/ssh-sk.c index b1d0d6c58..0ef52e299 100644 
--- a/ssh-sk.c +++ b/ssh-sk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk.c,v 1.23 2019/12/30 09:24:45 djm Exp $ */ +/* $OpenBSD: ssh-sk.c,v 1.24 2020/01/06 02:00:47 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -53,29 +53,32 @@ struct sshsk_provider { /* Enroll a U2F key (private key generation) */ int (*sk_enroll)(int alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, - const char *pin, struct sk_enroll_response **enroll_response); + const char *pin, struct sk_option **opts, + struct sk_enroll_response **enroll_response); /* Sign a challenge */ int (*sk_sign)(int alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, - uint8_t flags, const char *pin, + uint8_t flags, const char *pin, struct sk_option **opts, struct sk_sign_response **sign_response); /* Enumerate resident keys */ - int (*sk_load_resident_keys)(const char *pin, + int (*sk_load_resident_keys)(const char *pin, struct sk_option **opts, struct sk_resident_key ***rks, size_t *nrks); }; /* Built-in version */ int ssh_sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, - const char *pin, struct sk_enroll_response **enroll_response); + const char *pin, struct sk_option **opts, + struct sk_enroll_response **enroll_response); int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, - uint8_t flags, const char *pin, struct sk_sign_response **sign_response); -int ssh_sk_load_resident_keys(const char *pin, + uint8_t flags, const char *pin, struct sk_option **opts, + struct sk_sign_response **sign_response); +int ssh_sk_load_resident_keys(const char *pin, struct sk_option **opts, struct sk_resident_key ***rks, size_t *nrks); static void 
@@ -339,9 +342,80 @@ skerr_to_ssherr(int skerr) } } +static void +sshsk_free_options(struct sk_option **opts) +{ + size_t i; + + if (opts == NULL) + return; + for (i = 0; opts[i] != NULL; i++) { + free(opts[i]->name); + free(opts[i]->value); + free(opts[i]); + } + free(opts); +} + +static int +sshsk_add_option(struct sk_option ***optsp, size_t *noptsp, + const char *name, const char *value, uint8_t required) +{ + struct sk_option **opts = *optsp; + size_t nopts = *noptsp; + + if ((opts = recallocarray(opts, nopts, nopts + 2, /* extra for NULL */ + sizeof(*opts))) == NULL) { + error("%s: array alloc failed", __func__); + return SSH_ERR_ALLOC_FAIL; + } + *optsp = opts; + *noptsp = nopts + 1; + if ((opts[nopts] = calloc(1, sizeof(**opts))) == NULL) { + error("%s: alloc failed", __func__); + return SSH_ERR_ALLOC_FAIL; + } + if ((opts[nopts]->name = strdup(name)) == NULL || + (opts[nopts]->value = strdup(value)) == NULL) { + error("%s: alloc failed", __func__); + return SSH_ERR_ALLOC_FAIL; + } + opts[nopts]->required = required; + return 0; +} + +static int +make_options(const char *device, const char *user_id, + struct sk_option ***optsp) +{ + struct sk_option **opts = NULL; + size_t nopts = 0; + int r, ret = SSH_ERR_INTERNAL_ERROR; + + if (device != NULL && + (r = sshsk_add_option(&opts, &nopts, "device", device, 0)) != 0) { + ret = r; + goto out; + } + if (user_id != NULL && + (r = sshsk_add_option(&opts, &nopts, "user", user_id, 0)) != 0) { + ret = r; + goto out; + } + /* success */ + *optsp = opts; + opts = NULL; + nopts = 0; + ret = 0; + out: + sshsk_free_options(opts); + return ret; +} + int -sshsk_enroll(int type, const char *provider_path, const char *application, - uint8_t flags, const char *pin, struct sshbuf *challenge_buf, +sshsk_enroll(int type, const char *provider_path, const char *device, + const char *application, const char *userid, uint8_t flags, + const char *pin, struct sshbuf *challenge_buf, struct sshkey **keyp, struct sshbuf *attest) { struct 
sshsk_provider *skp = NULL; @@ -350,17 +424,23 @@ sshsk_enroll(int type, const char *provider_path, const char *application, const u_char *challenge; size_t challenge_len; struct sk_enroll_response *resp = NULL; + struct sk_option **opts = NULL; int r = SSH_ERR_INTERNAL_ERROR; int alg; - debug("%s: provider \"%s\", application \"%s\", flags 0x%02x, " - "challenge len %zu%s", __func__, provider_path, application, - flags, challenge_buf == NULL ? 0 : sshbuf_len(challenge_buf), + debug("%s: provider \"%s\", device \"%s\", application \"%s\", " + "userid \"%s\", flags 0x%02x, challenge len %zu%s", __func__, + provider_path, device, application, userid, flags, + challenge_buf == NULL ? 0 : sshbuf_len(challenge_buf), (pin != NULL && *pin != '\0') ? " with-pin" : ""); *keyp = NULL; if (attest) sshbuf_reset(attest); + + if ((r = make_options(device, userid, &opts)) != 0) + goto out; + switch (type) { #ifdef WITH_OPENSSL case KEY_ECDSA_SK: @@ -407,7 +487,7 @@ sshsk_enroll(int type, const char *provider_path, const char *application, /* XXX validate flags? */ /* enroll key */ if ((r = skp->sk_enroll(alg, challenge, challenge_len, application, - flags, pin, &resp)) != 0) { + flags, pin, opts, &resp)) != 0) { error("Security key provider \"%s\" returned failure %d", provider_path, r); r = skerr_to_ssherr(r); @@ -437,6 +517,7 @@ sshsk_enroll(int type, const char *provider_path, const char *application, key = NULL; /* transferred */ r = 0; out: + sshsk_free_options(opts); sshsk_free(skp); sshkey_free(key); sshsk_free_enroll_response(resp); @@ -528,6 +609,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key, struct sk_sign_response *resp = NULL; struct sshbuf *inner_sig = NULL, *sig = NULL; uint8_t message[32]; + struct sk_option **opts = NULL; debug("%s: provider \"%s\", key %s, flags 0x%02x%s", __func__, provider_path, sshkey_type(key), key->sk_flags, 
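Review bot: make_options registers both `device` and `user` with `required` set to 0, so a provider that does not recognise these options is free to ignore them and still report success; for `device` that means a user who asked for a specific authenticator could have the key enrolled on, or the signature produced by, whichever token the provider selects. If that is intended, a comment on the two sshsk_add_option calls explaining why the options are advisory would help; if not, passing 1 for `device` makes an unsupporting provider fail loudly, which is exactly what check_sign_load_resident_options in the built-in provider already does via `options[i]->required`. sshsk_add_option also advances `*noptsp` before the per-entry allocations succeed, which is safe only because recallocarray zero-fills the new slots and sshsk_free_options stops at the first NULL — worth a one-line comment at the `*noptsp = nopts + 1;` assignment.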
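Review bot: The expanded debug() in sshsk_enroll passes `device` and `userid` to `%s` directly, yet both may be NULL — make_options explicitly tests `device != NULL` and `user_id != NULL` a few lines later; printing a NULL through `%s` is undefined behaviour in C even though common libcs emit "(null)". The `pin` argument on the same call is already guarded with `(pin != NULL && *pin != '\0')`, so the same treatment fits: `device == NULL ? "(none)" : device` and likewise for `userid`. The remainder of sshsk_enroll lies outside this hunk.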
@@ -571,7 +653,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key, if ((r = skp->sk_sign(alg, message, sizeof(message), key->sk_application, sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle), - key->sk_flags, pin, &resp)) != 0) { + key->sk_flags, pin, opts, &resp)) != 0) { debug("%s: sk_sign failed with code %d", __func__, r); r = skerr_to_ssherr(r); goto out; @@ -617,6 +699,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key, /* success */ r = 0; out: + sshsk_free_options(opts); explicit_bzero(message, sizeof(message)); sshsk_free(skp); sshsk_free_sign_response(resp); @@ -645,8 +728,8 @@ sshsk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks) } int -sshsk_load_resident(const char *provider_path, const char *pin, - struct sshkey ***keysp, size_t *nkeysp) +sshsk_load_resident(const char *provider_path, const char *device, + const char *pin, struct sshkey ***keysp, size_t *nkeysp) { struct sshsk_provider *skp = NULL; int r = SSH_ERR_INTERNAL_ERROR; @@ -654,6 +737,7 @@ sshsk_load_resident(const char *provider_path, const char *pin, size_t i, nrks = 0, nkeys = 0; struct sshkey *key = NULL, **keys = NULL, **tmp; uint8_t flags; + struct sk_option **opts = NULL; debug("%s: provider \"%s\"%s", __func__, provider_path, (pin != NULL && *pin != '\0') ? ", have-pin": ""); @@ -663,11 +747,13 @@ sshsk_load_resident(const char *provider_path, const char *pin, *keysp = NULL; *nkeysp = 0; + if ((r = make_options(device, NULL, &opts)) != 0) + goto out; if ((skp = sshsk_open(provider_path)) == NULL) { r = SSH_ERR_INVALID_FORMAT; /* XXX sshsk_open return code? */ goto out; } - if ((r = skp->sk_load_resident_keys(pin, &rks, &nrks)) != 0) { + if ((r = skp->sk_load_resident_keys(pin, opts, &rks, &nrks)) != 0) { error("Security key provider \"%s\" returned failure %d", provider_path, r); r = skerr_to_ssherr(r); 
@@ -710,6 +796,7 @@ sshsk_load_resident(const char *provider_path, const char *pin, nkeys = 0; r = 0; out: + sshsk_free_options(opts); sshsk_free(skp); sshsk_free_sk_resident_keys(rks, nrks); sshkey_free(key); diff --git a/ssh-sk.h b/ssh-sk.h index 348759a98..ea9ff6e1a 100644 --- a/ssh-sk.h +++ b/ssh-sk.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk.h,v 1.8 2019/12/30 09:23:28 djm Exp $ */ +/* $OpenBSD: ssh-sk.h,v 1.9 2020/01/06 02:00:47 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -20,9 +20,10 @@ struct sshbuf; struct sshkey; +struct sk_option; /* Version of protocol expected from ssh-sk-helper */ -#define SSH_SK_HELPER_VERSION 3 +#define SSH_SK_HELPER_VERSION 4 /* ssh-sk-helper messages */ #define SSH_SK_HELPER_ERROR 0 /* Only valid H->C */ @@ -40,8 +41,9 @@ struct sshkey; * If successful and the attest_data buffer is not NULL then attestation * information is placed there. */ -int sshsk_enroll(int type, const char *provider_path, const char *application, - uint8_t flags, const char *pin, struct sshbuf *challenge_buf, +int sshsk_enroll(int type, const char *provider_path, const char *device, + const char *application, const char *userid, uint8_t flags, + const char *pin, struct sshbuf *challenge_buf, struct sshkey **keyp, struct sshbuf *attest); /* @@ -60,8 +62,8 @@ int sshsk_sign(const char *provider_path, struct sshkey *key, * * Returns 0 on success or a ssherr.h error code on failure. */ -int sshsk_load_resident(const char *provider_path, const char *pin, - struct sshkey ***keysp, size_t *nkeysp); +int sshsk_load_resident(const char *provider_path, const char *device, + const char *pin, struct sshkey ***keysp, size_t *nkeysp); #endif /* _SSH_SK_H */ -- cgit v1.2.3 From cd53476383f0cf475f40ba8ac8deb6b76dd5ce4e Mon Sep 17 00:00:00 2001 
From: "jmc@openbsd.org"
Date: Mon, 6 Jan 2020 07:43:28 +0000
Subject: upstream: put the fido options in a list, and tidy up the text a little; ok djm
OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb
---
 ssh-keygen.1 | 36 +++++++++++++++++-------------------
 1 file changed, 17 insertions(+), 19 deletions(-)
(limited to 'ssh-keygen.1')
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 92c516588..2e9894280 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.189 2020/01/06 02:00:46 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.190 2020/01/06 07:43:28 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen
 .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -460,39 +460,37 @@ listed in the .Sx MODULI GENERATION section may be specified. .Pp -When generating a key that will be hosted on a FIDO authenticator, this -flag may be used to specify key-specific options. -The FIDO authenticator options are supported at present are: -.Pp -.Cm application -overrides the default FIDO application/origin string of +When generating a key that will be hosted on a FIDO authenticator, +this flag may be used to specify key-specific options. +Those supported at present are: +.Bl -tag -width Ds +.It Cm application +Override the default FIDO application/origin string of .Dq ssh: . -This option may be useful when generating host or domain-specific resident -keys. -.Cm device -explicitly specify a device to generate the key on, rather than accepting -the authenticator middleware's automatic selection. +This may be useful when generating host or domain-specific resident keys. +.It Cm device +Explicitly specify a .Xr fido 4 device to use, rather than letting the token middleware select one. -.Cm no-touch-required -indicates that the generated private key should not require touch +.It Cm no-touch-required +Indicate that the generated private key should not require touch events (user presence) when making signatures. Note that .Xr sshd 8 will refuse such signatures by default, unless overridden via an authorized_keys option. -.Pp -.Cm resident -indicates that the key should be stored on the FIDO authenticator itself. +.It Cm resident +Indicate that the key should be stored on the FIDO authenticator itself. Resident keys may be supported on FIDO2 tokens and typically require that a PIN be set on the token prior to generation. Resident keys may be loaded off the token using .Xr ssh-add 1 . -.Cm user -allows specification of a username to be associated with a resident key, +.It Cm user +A username to be associated with a resident key, overriding the empty default username. 
Specifying a username may be useful when generating multiple resident keys for the same application name. +.El .Pp The .Fl O -- cgit v1.2.3 From 0d005d6372a067b59123dec8fc6dc905f2c09e1e Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Tue, 14 Jan 2020 15:07:30 +0000 Subject: upstream: sync ssh-keygen.1 and ssh-keygen's usage() with each other and reality ok markus@ OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92 --- ssh-keygen.1 | 12 ++++++------ ssh-keygen.c | 11 +++++------ 2 files changed, 11 insertions(+), 12 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 2e9894280..125add8f9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.190 2020/01/06 07:43:28 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.191 2020/01/14 15:07:30 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 6 2020 $ +.Dd $Mdocdate: January 14 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -48,9 +48,9 @@ .Op Fl C Ar comment .Op Fl f Ar output_keyfile .Op Fl m Ar format -.Op Fl O Ar option .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa .Op Fl N Ar new_passphrase +.Op Fl O Ar option .Op Fl w Ar provider .Nm ssh-keygen .Fl p @@ -104,12 +104,12 @@ .Nm ssh-keygen .Fl M Cm generate .Op Fl O Ar option -.Ar +.Ar output_file .Nm ssh-keygen .Fl M Cm screen -.Fl f Ar input_file +.Op Fl f Ar input_file .Op Fl O Ar option -.Ar +.Ar output_file .Nm ssh-keygen .Fl I Ar certificate_identity .Fl s Ar ca_key diff --git a/ssh-keygen.c b/ssh-keygen.c index d0ffa5cd7..6b497da10 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.382 2020/01/06 02:00:46 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.383 2020/01/14 15:07:30 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -3009,7 +3009,7 @@ usage(void) fprintf(stderr, "usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" " [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n" - " [-N new_passphrase] [-w provider] [-x flags]\n" + " [-N new_passphrase] [-O option] [-w provider]\n" " ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" " [-P old_passphrase]\n" " ssh-keygen -i [-f input_keyfile] [-m key_format]\n" @@ -3022,16 +3022,15 @@ usage(void) fprintf(stderr, " ssh-keygen -D pkcs11\n"); #endif - fprintf(stderr, - " ssh-keygen -K path [-w sk_provider]\n"); fprintf(stderr, " ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n" " ssh-keygen -H [-f known_hosts_file]\n" + " ssh-keygen -K [-w provider]\n" " ssh-keygen -R hostname [-f known_hosts_file]\n" " ssh-keygen -r hostname [-g] [-f input_keyfile]\n" #ifdef WITH_OPENSSL - " ssh-keygen -M generate [-O option] output\n" - " ssh-keygen -M screen [-f input_file] [-O option] [-a rounds] output_file\n" + " ssh-keygen -M generate [-O option] output_file\n" + " ssh-keygen -M screen [-f input_file] [-O option] output_file\n" #endif " ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n" " [-n principals] [-O option] [-V validity_interval]\n" -- cgit v1.2.3 From 84911da1beeb6ed258a43468efb316cd39fb6855 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Sat, 18 Jan 2020 15:45:41 +0000 Subject: upstream: undo merge error and replace the term "security key" again OpenBSD-Commit-ID: 341749062c089cc360a7877e9ee3a887aecde395 --- ssh-keygen.1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 125add8f9..1827a8fee 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.191 2020/01/14 15:07:30 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.192 2020/01/18 15:45:41 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 14 2020 $ +.Dd $Mdocdate: January 18 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -923,7 +923,7 @@ Allows X11 forwarding. .It Ic no-touch-required Do not require signatures made using this key require demonstration of user presence (e.g. by having the user touch the key). -This option only makes sense for the Security Key algorithms +This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk and .Cm ed25519-sk . -- cgit v1.2.3 From b715fdc71bbd009d0caff691ab3fc04903c4aee8 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Sat, 18 Jan 2020 21:16:43 +0000 Subject: upstream: one more replacement "(security) key" -> "(FIDO) authenticator" OpenBSD-Commit-ID: 031bca03c1d1f878ab929facd561911f1bc68dfd --- ssh-keygen.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1827a8fee..c0a22606b 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.192 2020/01/18 15:45:41 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.193 2020/01/18 21:16:43 naddy Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -922,7 +922,7 @@ Allows X11 forwarding. .Pp .It Ic no-touch-required Do not require signatures made using this key require demonstration -of user presence (e.g. by having the user touch the key). +of user presence (e.g. by having the user touch the authenticator). This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk and -- cgit v1.2.3 
From 56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 23 Jan 2020 02:43:48 +0000 Subject: upstream: add a new signature operations "find-principal" to look up the principal associated with a signature from an allowed-signers file. Work by Sebastian Kinne; ok dtucker@ OpenBSD-Commit-ID: 6f782cc7e18e38fcfafa62af53246a1dcfe74e5d --- ssh-keygen.1 | 19 +++++++++- ssh-keygen.c | 84 +++++++++++++++++++++++++++++++++++++----- sshsig.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 209 insertions(+), 11 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c0a22606b..33e3f5375 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.193 2020/01/18 21:16:43 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.194 2020/01/23 02:43:48 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 18 2020 $ +.Dd $Mdocdate: January 23 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -138,6 +138,10 @@ .Fl f Ar krl_file .Ar .Nm ssh-keygen +.Fl Y Cm find-principal +.Fl s Ar signature_file +.Fl f Ar allowed_signers_file +.Nm ssh-keygen .Fl Y Cm check-novalidate .Fl n Ar namespace .Fl s Ar signature_file 
@@ -614,6 +618,17 @@ The maximum is 3. Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. +.It Fl Y Cm find-principal +Find the principal associated with the public key of a signature, +provided using the +.Fl s +flag in an authorized signers file provided using the +.Fl f +flag. +The format of the allowed signers file is documented in the +.Sx ALLOWED SIGNERS +section below. If a matching principal is found, it is returned +on standard output. .It Fl Y Cm check-novalidate Checks that a signature generated using .Nm diff --git a/ssh-keygen.c b/ssh-keygen.c index 04492979b..eebd89a27 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.385 2020/01/22 04:51:51 claudio Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.386 2020/01/23 02:43:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2599,7 +2599,7 @@ sign_one(struct sshkey *signkey, const char *filename, int fd, } static int -sign(const char *keypath, const char *sig_namespace, int argc, char **argv) +sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv) { int i, fd = -1, r, ret = -1; int agent_fd = -1; @@ -2670,8 +2670,8 @@ done: } static int -verify(const char *signature, const char *sig_namespace, const char *principal, - const char *allowed_keys, const char *revoked_keys) +sig_verify(const char *signature, const char *sig_namespace, + const char *principal, const char *allowed_keys, const char *revoked_keys) { int r, ret = -1, sigfd = -1; struct sshbuf *sigbuf = NULL, *abuf = NULL; @@ -2694,7 +2694,7 @@ verify(const char *signature, const char *sig_namespace, const char *principal, } if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { error("%s: sshsig_armor: %s", __func__, ssh_err(r)); - return r; + goto done; } if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace, &sign_key, &sig_details)) != 0) 
@@ -2757,6 +2757,57 @@ done:
 	return ret;
 }
+static int
+sig_find_principal(const char *signature, const char *allowed_keys) {
+	int r, ret = -1, sigfd = -1;
+	struct sshbuf *sigbuf = NULL, *abuf = NULL;
+	struct sshkey *sign_key = NULL;
+	char *principal = NULL;
+
+	if ((abuf = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new() failed", __func__);
+
+	if ((sigfd = open(signature, O_RDONLY)) < 0) {
+		error("Couldn't open signature file %s", signature);
+		goto done;
+	}
+
+	if ((r = sshkey_load_file(sigfd, abuf)) != 0) {
+		error("Couldn't read signature file: %s", ssh_err(r));
+		goto done;
+	}
+	if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) {
+		error("%s: sshsig_armor: %s", __func__, ssh_err(r));
+		goto done;
+	}
+	if ((r = sshsig_get_pubkey(sigbuf, &sign_key)) != 0) {
+		error("%s: sshsig_get_pubkey: %s",
+		    __func__, ssh_err(r));
+		goto done;
+	}
+
+	if ((r = sshsig_find_principal(allowed_keys, sign_key,
+	    &principal)) != 0) {
+		error("%s: sshsig_get_principal: %s",
+		    __func__, ssh_err(r));
+		goto done;
+	}
+	ret = 0;
+done:
+	if (ret == 0 ) {
+		printf("Found matching principal: %s\n", principal);
+	} else {
+		printf("Could not find matching principal.\n");
+	}
+	if (sigfd != -1)
+		close(sigfd);
+	sshbuf_free(sigbuf);
+	sshbuf_free(abuf);
+	sshkey_free(sign_key);
+	free(principal);
+	return ret;
+}
+
 static void
 do_moduli_gen(const char *out_file, char **opts, size_t nopts)
 {
@@ -3042,6 +3093,7 @@ usage(void)
 	    "       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
 	    "                  file ...\n"
 	    "       ssh-keygen -Q -f krl_file file ...\n"
+	    "       ssh-keygen -Y find-principal -s signature_file -f allowed_signers_file\n"
 	    "       ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
 	    "       ssh-keygen -Y sign -f key_file -n namespace file ...\n"
 	    "       ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n"
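Review bot: The `done:` block of sig_find_principal prints `Could not find matching principal.` to stdout on every failure path, including a signature file that could not be opened or parsed, so the stdout text contradicts the error already sent to stderr and a caller scripting the command cannot tell "no match" from "bad input" except via the exit status. Keeping stdout for the result only — print the principal on success and nothing otherwise, leaving the non-zero return to signal failure — would match the man page's "returned on standard output" wording; the same output code is carried unchanged into the rename hunk later on this page. The error in the sshsig_find_principal branch names `sshsig_get_principal`, which is not the function called; `error("%s: sshsig_find_principal: %s", __func__, ssh_err(r));` would match. As far as this hunk shows, the lookup uses only the public key embedded in the signature blob (sshsig_get_pubkey) and never verifies the signature, so a comment such as `/* Lookup by the embedded public key only; the signature itself is not verified here */` above the sshsig_get_pubkey call would stop readers from treating the output as an authenticated identity.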
@@ -3305,6 +3357,19 @@ main(int argc, char **argv)
 	argc -= optind;
 	if (sign_op != NULL) {
+		if (strncmp(sign_op, "find-principal", 14) == 0) {
+			if (ca_key_path == NULL) {
+				error("Too few arguments for find-principal:"
+				    "missing signature file");
+				exit(1);
+			}
+			if (!have_identity) {
+				error("Too few arguments for find-principal:"
+				    "missing allowed keys file");
+				exit(1);
+			}
+			return sig_find_principal(ca_key_path, identity_file);
+		}
 		if (cert_principals == NULL || *cert_principals == '\0') {
 			error("Too few arguments for sign/verify: "
 			    "missing namespace");
@@ -3316,15 +3381,16 @@ main(int argc, char **argv)
 				    "missing key");
 				exit(1);
 			}
-			return sign(identity_file, cert_principals, argc, argv);
+			return sig_sign(identity_file, cert_principals,
+			    argc, argv);
 		} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
 			if (ca_key_path == NULL) {
 				error("Too few arguments for check-novalidate: "
 				    "missing signature file");
 				exit(1);
 			}
-			return verify(ca_key_path, cert_principals,
-			    NULL, NULL, NULL);
+			return sig_verify(ca_key_path, cert_principals,
+			    NULL, NULL, NULL);
 		} else if (strncmp(sign_op, "verify", 6) == 0) {
 			if (ca_key_path == NULL) {
 				error("Too few arguments for verify: "
@@ -3341,7 +3407,7 @@ main(int argc, char **argv)
 				    "missing principal ID");
 				exit(1);
 			}
-			return verify(ca_key_path, cert_principals,
+			return sig_verify(ca_key_path, cert_principals,
 			    cert_key_id, identity_file, rr_hostname);
 		}
 		usage();
diff --git a/sshsig.c b/sshsig.c
index 6d72f92f5..e9f4baa76 100644
--- a/sshsig.c
+++ b/sshsig.c
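Review bot: The two new error messages concatenate `"Too few arguments for find-principal:"` with `"missing signature file"` / `"missing allowed keys file"` without a separating space, so the user sees `find-principal:missing signature file`; the sibling messages in the same block end the first literal with `: `. Change both to `error("Too few arguments for find-principal: " "missing signature file");` and likewise for the allowed keys file — the rename hunk later on this page carries the same missing space over to `find-principals`. The `strncmp(sign_op, "find-principal", 14)` prefix test follows the existing style of the other sub-commands, but it accepts any operation name that starts with those 14 characters, which a plain `strcmp` would avoid. main's body starts and ends outside these hunks.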
@@ -866,3 +866,120 @@ sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
 	free(line);
 	return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r;
 }
+
+static int
+get_matching_principal_from_line(const char *path, u_long linenum, char *line,
+    const struct sshkey *sign_key, char **principalsp)
+{
+	struct sshkey *found_key = NULL;
+	char *principals = NULL;
+	int r, found = 0;
+	const char *reason = NULL;
+	struct sshsigopt *sigopts = NULL;
+
+	if (principalsp != NULL)
+		*principalsp = NULL;
+
+	/* Parse the line */
+	if ((r = parse_principals_key_and_options(path, linenum, line,
+	    NULL, &principals, &found_key, &sigopts)) != 0) {
+		/* error already logged */
+		goto done;
+	}
+
+	if (!sigopts->ca && sshkey_equal(found_key, sign_key)) {
+		/* Exact match of key */
+		debug("%s:%lu: matched key", path, linenum);
+		/* success */
+		found = 1;
+	} else if (sigopts->ca && sshkey_is_cert(sign_key) &&
+	    sshkey_equal_public(sign_key->cert->signature_key, found_key)) {
+		/* Match of certificate's CA key */
+		if ((r = sshkey_cert_check_authority(sign_key, 0, 1,
+		    principals, &reason)) != 0) {
+			error("%s:%lu: certificate not authorized: %s",
+			    path, linenum, reason);
+			goto done;
+		}
+		debug("%s:%lu: matched certificate CA key", path, linenum);
+		/* success */
+		found = 1;
+	} else {
+		/* Key didn't match */
+		goto done;
+	}
+ done:
+	if (found) {
+		*principalsp = principals;
+		principals = NULL; /* transferred */
+	}
+	free(principals);
+	sshkey_free(found_key);
+	sshsigopt_free(sigopts);
+	return found ? 0 : SSH_ERR_KEY_NOT_FOUND;
+}
+
+int
+sshsig_find_principal(const char *path, const struct sshkey *sign_key,
+    char **principal)
+{
+	FILE *f = NULL;
+	char *line = NULL;
+	size_t linesize = 0;
+	u_long linenum = 0;
+	int r, oerrno;
+
+	if ((f = fopen(path, "r")) == NULL) {
+		oerrno = errno;
+		error("Unable to open allowed keys file \"%s\": %s",
+		    path, strerror(errno));
+		errno = oerrno;
+		return SSH_ERR_SYSTEM_ERROR;
+	}
+
+	while (getline(&line, &linesize, f) != -1) {
+		linenum++;
+		r = get_matching_principal_from_line(path, linenum, line,
+		    sign_key, principal);
+		free(line);
+		line = NULL;
+		if (r == SSH_ERR_KEY_NOT_FOUND)
+			continue;
+		else if (r == 0) {
+			/* success */
+			fclose(f);
+			return 0;
+		} else
+			break;
+	}
+	free(line);
+	/* Either we hit an error parsing or we simply didn't find the key */
+	if (ferror(f) != 0) {
+		oerrno = errno;
+		fclose(f);
+		error("Unable to read allowed keys file \"%s\": %s",
+		    path, strerror(errno));
+		errno = oerrno;
+		return SSH_ERR_SYSTEM_ERROR;
+	}
+	fclose(f);
+	return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r;
+}
+
+int
+sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey)
+{
+	struct sshkey *pk = NULL;
+	int r = SSH_ERR_SIGNATURE_INVALID;
+
+	if (pubkey != NULL)
+		*pubkey = NULL;
+	if ((r = sshsig_parse_preamble(signature)) != 0)
+		return r;
+	if ((r = sshkey_froms(signature, &pk)) != 0)
+		return r;
+
+	*pubkey = pk;
+	pk = NULL;
+	return 0;
+}
-- cgit v1.2.3
From 5533c2fb7ef21172fa3708d66b03faa2c6b3d93f Mon Sep 17 00:00:00 2001
From: "jmc@openbsd.org" 
Date: Thu, 23 Jan 2020 07:16:38 +0000
Subject: upstream: new sentence, new line;
OpenBSD-Commit-ID: b6c3f2f36ec77e99198619b38a9f146655281925
---
 ssh-keygen.1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'ssh-keygen.1')
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 33e3f5375..5d33902f7 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
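Review bot: In sshsig_find_principal, `r` is declared without an initialiser and is only assigned inside the getline loop, so for an empty allowed-signers file the final `return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r;` reads an indeterminate value; `int r = SSH_ERR_KEY_NOT_FOUND, oerrno;` gives the empty-file case a defined result (the rename hunk in the later sshsig.c commit leaves this line as is). In the ferror() branch errno is saved to `oerrno` before fclose(), but the message is then formatted with `strerror(errno)`, which fclose() may already have clobbered; `strerror(oerrno)` reports the read error actually hit, and the same pattern in the fopen() branch could use `oerrno` for consistency. In sshsig_get_pubkey the initial `SSH_ERR_SIGNATURE_INVALID` is overwritten before any use, and `*pubkey = pk` is reached without the NULL guard applied a few lines earlier, so either the guard is unnecessary or a NULL out-pointer should return an error rather than dereference.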
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.194 2020/01/23 02:43:48 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.195 2020/01/23 07:16:38 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -627,8 +627,8 @@ flag in an authorized signers file provided using the flag. The format of the allowed signers file is documented in the .Sx ALLOWED SIGNERS -section below. If a matching principal is found, it is returned -on standard output. +section below. +If a matching principal is found, it is returned on standard output. .It Fl Y Cm check-novalidate Checks that a signature generated using .Nm -- cgit v1.2.3 From 72a8bea2d748c8bd7f076a8b39a52082c79ae95f Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 23 Jan 2020 23:31:52 +0000 Subject: upstream: ssh-keygen -Y find-principals fixes based on feedback from Markus: use "principals" instead of principal, as allowed_signers lines may list multiple. When the signing key is a certificate, emit only principals that match the certificate principal list. NB. the command -Y name changes: "find-principal" => "find-principals" ok markus@ OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf --- ssh-keygen.1 | 11 +++++---- ssh-keygen.c | 27 +++++++++++----------- sshsig.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++--------- sshsig.h | 5 ++-- 4 files changed, 84 insertions(+), 33 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 5d33902f7..b4a873920 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.195 2020/01/23 07:16:38 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.196 2020/01/23 23:31:52 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -138,7 +138,7 @@ .Fl f Ar krl_file .Ar .Nm ssh-keygen -.Fl Y Cm find-principal +.Fl Y Cm find-principals .Fl s Ar signature_file .Fl f Ar allowed_signers_file .Nm ssh-keygen 
@@ -618,8 +618,8 @@ The maximum is 3. Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. -.It Fl Y Cm find-principal -Find the principal associated with the public key of a signature, +.It Fl Y Cm find-principals +Find the principal(s) associated with the public key of a signature, provided using the .Fl s flag in an authorized signers file provided using the @@ -628,7 +628,8 @@ flag. The format of the allowed signers file is documented in the .Sx ALLOWED SIGNERS section below. -If a matching principal is found, it is returned on standard output. +If one or more matching principals are found, they are returned on +standard output. .It Fl Y Cm check-novalidate Checks that a signature generated using .Nm diff --git a/ssh-keygen.c b/ssh-keygen.c index ce94a5ab0..363da70db 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.387 2020/01/23 07:54:04 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.388 2020/01/23 23:31:52 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2758,11 +2758,11 @@ done: } static int -sig_find_principal(const char *signature, const char *allowed_keys) { +sig_find_principals(const char *signature, const char *allowed_keys) { int r, ret = -1, sigfd = -1; struct sshbuf *sigbuf = NULL, *abuf = NULL; struct sshkey *sign_key = NULL; - char *principal = NULL; + char *principals = NULL; if ((abuf = sshbuf_new()) == NULL) fatal("%s: sshbuf_new() failed", __func__); 
@@ -2782,12 +2782,11 @@ sig_find_principal(const char *signature, const char *allowed_keys) { } if ((r = sshsig_get_pubkey(sigbuf, &sign_key)) != 0) { error("%s: sshsig_get_pubkey: %s", - __func__, ssh_err(r)); + __func__, ssh_err(r)); goto done; } - - if ((r = sshsig_find_principal(allowed_keys, sign_key, - &principal)) != 0) { + if ((r = sshsig_find_principals(allowed_keys, sign_key, + &principals)) != 0) { error("%s: sshsig_get_principal: %s", __func__, ssh_err(r)); goto done; @@ -2795,7 +2794,7 @@ sig_find_principal(const char *signature, const char *allowed_keys) { ret = 0; done: if (ret == 0 ) { - printf("Found matching principal: %s\n", principal); + printf("Found matching principal: %s\n", principals); } else { printf("Could not find matching principal.\n"); } @@ -2804,7 +2803,7 @@ done: sshbuf_free(sigbuf); sshbuf_free(abuf); sshkey_free(sign_key); - free(principal); + free(principals); return ret; } @@ -3093,7 +3092,7 @@ usage(void) " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" " file ...\n" " ssh-keygen -Q -f krl_file file ...\n" - " ssh-keygen -Y find-principal -s signature_file -f allowed_signers_file\n" + " ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n" " ssh-keygen -Y check-novalidate -n namespace -s signature_file\n" " ssh-keygen -Y sign -f key_file -n namespace file ...\n" " ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n" 
@@ -3357,18 +3356,18 @@ main(int argc, char **argv) argc -= optind; if (sign_op != NULL) { - if (strncmp(sign_op, "find-principal", 14) == 0) { + if (strncmp(sign_op, "find-principals", 15) == 0) { if (ca_key_path == NULL) { - error("Too few arguments for find-principal:" + error("Too few arguments for find-principals:" "missing signature file"); exit(1); } if (!have_identity) { - error("Too few arguments for find-principal:" + error("Too few arguments for find-principals:" "missing allowed keys file"); exit(1); } - return sig_find_principal(ca_key_path, identity_file); + return sig_find_principals(ca_key_path, identity_file); } if (cert_principals == NULL || *cert_principals == '\0') { error("Too few arguments for sign/verify: " diff --git a/sshsig.c b/sshsig.c index e9f4baa76..e63a36e1e 100644 --- a/sshsig.c +++ b/sshsig.c 
@@ -868,13 +868,64 @@ sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
 }
 static int
-get_matching_principal_from_line(const char *path, u_long linenum, char *line,
+cert_filter_principals(const char *path, u_long linenum,
+    char **principalsp, const struct sshkey *cert)
+{
+	char *cp, *oprincipals, *principals;
+	const char *reason;
+	struct sshbuf *nprincipals;
+	int r = SSH_ERR_INTERNAL_ERROR, success = 0;
+
+	oprincipals = principals = *principalsp;
+	*principalsp = NULL;
+
+	if ((nprincipals = sshbuf_new()) == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+
+	while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
+		if (strcspn(cp, "!?*") != strlen(cp)) {
+			debug("%s:%lu: principal \"%s\" not authorized: "
+			    "contains wildcards", path, linenum, cp);
+			continue;
+		}
+		/* Check against principals list in certificate */
+		if ((r = sshkey_cert_check_authority(cert, 0, 1,
+		    cp, &reason)) != 0) {
+			debug("%s:%lu: principal \"%s\" not authorized: %s",
+			    path, linenum, cp, reason);
+			continue;
+		}
+		if ((r = sshbuf_putf(nprincipals, "%s%s",
+		    sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
+			error("%s: buffer error", __func__);
+			goto out;
+		}
+	}
+	if (sshbuf_len(nprincipals) == 0) {
+		error("%s:%lu: no valid principals found", path, linenum);
+		r = SSH_ERR_KEY_CERT_INVALID;
+		goto out;
+	}
+	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+		error("%s: buffer error", __func__);
+		goto out;
+	}
+	/* success */
+	success = 1;
+	*principalsp = principals;
+ out:
+	sshbuf_free(nprincipals);
+	free(oprincipals);
+	return success ? 0 : r;
+}
+
+static int
+get_matching_principals_from_line(const char *path, u_long linenum, char *line,
     const struct sshkey *sign_key, char **principalsp)
 {
 	struct sshkey *found_key = NULL;
 	char *principals = NULL;
 	int r, found = 0;
-	const char *reason = NULL;
 	struct sshsigopt *sigopts = NULL;
 	if (principalsp != NULL)
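Review bot: In cert_filter_principals the `sshbuf_dup_string` failure path does `goto out` with `r` still holding the result of the last successful call (0 from sshbuf_putf or sshkey_cert_check_authority), so `return success ? 0 : r;` returns 0 while `*principalsp` is NULL and the caller proceeds as if a principal list had been produced; set `r = SSH_ERR_ALLOC_FAIL;` before that `goto out`. The loop condition `&& *cp != '\0'` stops at the first empty element, so a doubled or trailing comma in the allowed-signers line silently discards every principal after it instead of skipping the empty token; a `continue` on an empty `cp` inside the loop body would keep the remaining names. The `!?*` rejection before the certificate check deserves a why-comment, since from this hunk alone a reader cannot tell whether patterns are dropped because the certificate principal comparison is literal or as a deliberate policy; presumably the former, in which case `/* cert principals are compared literally, so a pattern entry can never authorise one */` would record it.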
@@ -894,11 +945,12 @@ get_matching_principal_from_line(const char *path, u_long linenum, char *line, found = 1; } else if (sigopts->ca && sshkey_is_cert(sign_key) && sshkey_equal_public(sign_key->cert->signature_key, found_key)) { - /* Match of certificate's CA key */ - if ((r = sshkey_cert_check_authority(sign_key, 0, 1, - principals, &reason)) != 0) { - error("%s:%lu: certificate not authorized: %s", - path, linenum, reason); + /* Remove principals listed in file but not allowed by cert */ + if ((r = cert_filter_principals(path, linenum, + &principals, sign_key)) != 0) { + /* error already displayed */ + debug("%s:%lu: cert_filter_principals: %s", + path, linenum, ssh_err(r)); goto done; } debug("%s:%lu: matched certificate CA key", path, linenum); @@ -920,8 +972,8 @@ get_matching_principal_from_line(const char *path, u_long linenum, char *line, } int -sshsig_find_principal(const char *path, const struct sshkey *sign_key, - char **principal) +sshsig_find_principals(const char *path, const struct sshkey *sign_key, + char **principals) { FILE *f = NULL; char *line = NULL; @@ -939,8 +991,8 @@ sshsig_find_principal(const char *path, const struct sshkey *sign_key, while (getline(&line, &linesize, f) != -1) { linenum++; - r = get_matching_principal_from_line(path, linenum, line, - sign_key, principal); + r = get_matching_principals_from_line(path, linenum, line, + sign_key, principals); free(line); line = NULL; if (r == SSH_ERR_KEY_NOT_FOUND) diff --git a/sshsig.h b/sshsig.h index 939e3dfe0..63cc1ad1a 100644 --- a/sshsig.h +++ b/sshsig.h 
@@ -93,13 +93,12 @@ struct sshsigopt *sshsigopt_parse(const char *opts, void sshsigopt_free(struct sshsigopt *opts); /* Get public key from signature */ -int -sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey); +int sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey); /* Find principal in allowed_keys file, given a sshkey. Returns * 0 on success. */ -int sshsig_find_principal(const char *path, const struct sshkey *sign_key, +int sshsig_find_principals(const char *path, const struct sshkey *sign_key, char **principal); #endif /* SSHSIG_H */ -- cgit v1.2.3 From 24c0f752adf9021277a7b0a84931bb5fe48ea379 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 28 Jan 2020 08:01:34 +0000 Subject: upstream: changes to support FIDO attestation Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6 --- PROTOCOL.u2f | 21 ++++++++++++--------- sk-usbhid.c | 1 + ssh-keygen.1 | 16 ++++++++++++++-- ssh-keygen.c | 36 +++++++++++++++++++++++++++++++++--- ssh-sk.c | 10 +++++----- 5 files changed, 65 insertions(+), 19 deletions(-) (limited to 'ssh-keygen.1') diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 58f75ba28..748111d56 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f 
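Review bot: The prototype is renamed to sshsig_find_principals but its out-parameter is still `char **principal` and the comment above it still reads "Find principal in allowed_keys file", while the definition in the earlier sshsig.c hunk now uses `char **principals` and may return a comma-separated list that the caller frees. Rename the parameter to match and reword the comment, e.g. `/* Find the principals (comma-separated) that match sign_key in the allowed_keys file. Returns 0 on success; *principals is then owned by the caller. */`.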
@@ -141,17 +141,20 @@ least manufacturer and batch number granularity. For this reason, we choose not to include this information in the public key or save it by default. -Attestation information is very useful however in an organisational -context, where it may be used by a CA as part of certificate -issuance. In this case, exposure to the CA of hardware identity is -desirable. To support this case, OpenSSH optionally allows retaining the -attestation information at the time of key generation. It will take the -following format: - - string "sk-attest-v00" - uint32 version (1 for U2F, 2 for FIDO2 in future) +Attestation information is useful for out-of-band key and certificate +registration worksflows, e.g. proving to a CA that a key is backed +by trusted hardware before it will issue a certificate. To support this +case, OpenSSH optionally allows retaining the attestation information +at the time of key generation. It will take the following format: + + string "ssh-sk-attest-v00" string attestation certificate string enrollment signature + uint32 reserved flags + string reserved string + +OpenSSH treats the attestation certificate and enrollment signatures as +opaque objects and does no interpretation of them itself. SSH U2F signatures ------------------ diff --git a/sk-usbhid.c b/sk-usbhid.c index 2148e1d79..ad83054ad 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c @@ -570,6 +570,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, } if ((ptr = fido_cred_x5c_ptr(cred)) != NULL) { len = fido_cred_x5c_len(cred); + debug3("%s: attestation cert len=%zu", __func__, len); if ((response->attestation_cert = calloc(1, len)) == NULL) { skdebug(__func__, "calloc attestation cert failed"); goto out; diff --git a/ssh-keygen.1 b/ssh-keygen.1 index b4a873920..c6a976183 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.196 2020/01/23 23:31:52 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 23 2020 $ +.Dd $Mdocdate: January 28 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -483,6 +483,14 @@ Note that .Xr sshd 8 will refuse such signatures by default, unless overridden via an authorized_keys option. +.It Cm challenge=path +Specifies a path to a challenge string that will be passed to the +FIDO token during key generation. +The challenge string is optional, but may be used as part of an out-of-band +protocol for key enrollment. +If no +.Cm challenge +is specified, a random challenge is used. .It Cm resident Indicate that the key should be stored on the FIDO authenticator itself. Resident keys may be supported on FIDO2 tokens and typically require that @@ -494,6 +502,10 @@ A username to be associated with a resident key, overriding the empty default username. Specifying a username may be useful when generating multiple resident keys for the same application name. +.It Cm write-attestation=path +May be used at key generation time to record the attestation certificate +returned from FIDO tokens during key generation. +By default this information is discarded. .El .Pp The diff --git a/ssh-keygen.c b/ssh-keygen.c index 8df55f2c2..4ee43ab98 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.394 2020/01/25 23:13:09 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.395 2020/01/28 08:01:34 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -3114,6 +3114,8 @@ main(int argc, char **argv)
 	unsigned long long cert_serial = 0;
 	char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
 	char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL;
+	char *sk_attestaion_path = NULL;
+	struct sshbuf *challenge = NULL, *attest = NULL;
 	size_t i, nopts = 0;
 	u_int32_t bits = 0;
 	uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
@@ -3557,6 +3559,16 @@ main(int argc, char **argv)
 				sk_device = xstrdup(opts[i] + 7);
 			} else if (strncasecmp(opts[i], "user=", 5) == 0) {
 				sk_user = xstrdup(opts[i] + 5);
+			} else if (strncasecmp(opts[i], "challenge=", 10) == 0) {
+				if ((r = sshbuf_load_file(opts[i] + 10,
+				    &challenge)) != 0) {
+					fatal("Unable to load FIDO enrollment "
+					    "challenge \"%s\": %s",
+					    opts[i] + 10, ssh_err(r));
+				}
+			} else if (strncasecmp(opts[i],
+			    "write-attestation=", 18) == 0) {
+				sk_attestaion_path = opts[i] + 18;
 			} else if (strncasecmp(opts[i], "application=", 12) == 0) {
 				sk_application = xstrdup(opts[i] + 12);
@@ -3570,12 +3582,14 @@ main(int argc, char **argv)
 				    "to authorize key generation.\n");
 			}
 			passphrase = NULL;
+			if ((attest = sshbuf_new()) == NULL)
+				fatal("sshbuf_new failed");
 			for (i = 0 ; i < 3; i++) {
 				fflush(stdout);
 				r = sshsk_enroll(type, sk_provider, sk_device,
 				    sk_application == NULL ? "ssh:" : sk_application,
-				    sk_user, sk_flags, passphrase, NULL,
-				    &private, NULL);
+				    sk_user, sk_flags, passphrase, challenge,
+				    &private, attest);
 				if (r == 0)
 					break;
 				if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
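Review bot: `sk_attestaion_path` misspells "attestation" and the name is repeated in every use in the next hunk, so renaming it to `sk_attestation_path` now is cheap and avoids the typo spreading. Unlike its siblings (`sk_device`, `sk_user` and `sk_application` are all `xstrdup`'d), `write-attestation=` stores a pointer into `opts[i]`, tying the value's lifetime to the `opts` array; that is only safe if `opts` outlives the attestation write in the later hunk, which I cannot confirm from here, and `sk_attestaion_path = xstrdup(opts[i] + 18);` would make it consistent either way. The `challenge` buffer loaded by sshbuf_load_file is never freed in the visible code and, as far as these hunks show, is handed to sshsk_enroll without any size sanity check, so a comment such as `/* challenge file contents are forwarded to the token as-is; sshsk_enroll is expected to bound them */` would document the assumption. main starts and ends outside these hunks.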
@@ -3668,6 +3682,22 @@ main(int argc, char **argv)
 		free(fp);
 	}
+	if (sk_attestaion_path != NULL) {
+		if (attest == NULL || sshbuf_len(attest) == 0) {
+			fatal("Enrollment did not return attestation "
+			    "certificate");
+		}
+		if ((r = sshbuf_write_file(sk_attestaion_path, attest)) != 0) {
+			fatal("Unable to write attestation certificate "
+			    "\"%s\": %s", sk_attestaion_path, ssh_err(r));
+		}
+		if (!quiet) {
+			printf("Your FIDO attestation certificate has been "
+			    "saved in %s\n", sk_attestaion_path);
+		}
+	}
+	sshbuf_free(attest);
 	sshkey_free(public);
+	exit(0);
 }
diff --git a/ssh-sk.c b/ssh-sk.c
index a8d4de832..3e88aafff 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.25 2020/01/25 23:13:09 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.26 2020/01/28 08:01:34 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -504,14 +504,14 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
 	/* Optionally fill in the attestation information */
 	if (attest != NULL) {
-		if ((r = sshbuf_put_cstring(attest, "sk-attest-v00")) != 0 ||
-		    (r = sshbuf_put_u32(attest, 1)) != 0 || /* XXX U2F ver */
+		if ((r = sshbuf_put_cstring(attest,
+		    "ssh-sk-attest-v00")) != 0 ||
 		    (r = sshbuf_put_string(attest, resp->attestation_cert,
 		    resp->attestation_cert_len)) != 0 ||
 		    (r = sshbuf_put_string(attest, resp->signature,
 		    resp->signature_len)) != 0 ||
-		    (r = sshbuf_put_u32(attest, flags)) != 0 || /* XXX right? */
-		    (r = sshbuf_put_string(attest, NULL, 0)) != 0) {
+		    (r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
+		    (r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
 			error("%s: buffer error: %s", __func__, ssh_err(r));
 			goto out;
 		}
-- cgit v1.2.3
From 0facae7bc8d3f8f9d02d0f6bed3d163ff7f39806 Mon Sep 17 00:00:00 2001
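Review bot: The guard `attest == NULL || sshbuf_len(attest) == 0` cannot detect a missing attestation certificate: the ssh-sk.c hunk in this same commit shows sshsk_enroll always writing the `"ssh-sk-attest-v00"` preamble whenever `attest != NULL`, and the sk-usbhid.c hunk only fills `attestation_cert` when the token returned an x5c, so a token without one yields a non-empty buffer whose certificate string is empty and an attestation file that is useless to the out-of-band workflow the commit describes. Parsing the buffer back (preamble, then the certificate string) and failing when that string has zero length would make `Enrollment did not return attestation certificate` accurate; the `attest == NULL` half is dead since `attest` is created unconditionally in the preceding hunk. The mode sshbuf_write_file uses for the attestation file is not visible here; given PROTOCOL.u2f's note that this material identifies the hardware down to manufacturer and batch, a comment stating whether the file is written with a restrictive mode, or a check that it is, would help the next reader. main's body starts outside the hunk.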
From: "jmc@openbsd.org" Date: Sun, 2 Feb 2020 07:36:50 +0000 Subject: upstream: shuffle the challenge keyword to keep the -O list sorted; OpenBSD-Commit-ID: 08efad608b790949a9a048d65578fae9ed5845fe --- ssh-keygen.1 | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c6a976183..3494fbceb 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.198 2020/02/02 07:36:50 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 28 2020 $ +.Dd $Mdocdate: February 2 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -472,6 +472,14 @@ Those supported at present are: Override the default FIDO application/origin string of .Dq ssh: . This may be useful when generating host or domain-specific resident keys. +.It Cm challenge=path +Specifies a path to a challenge string that will be passed to the +FIDO token during key generation. +The challenge string is optional, but may be used as part of an out-of-band +protocol for key enrollment. +If no +.Cm challenge +is specified, a random challenge is used. .It Cm device Explicitly specify a .Xr fido 4 
@@ -483,14 +491,6 @@ Note that .Xr sshd 8 will refuse such signatures by default, unless overridden via an authorized_keys option. -.It Cm challenge=path -Specifies a path to a challenge string that will be passed to the -FIDO token during key generation. -The challenge string is optional, but may be used as part of an out-of-band -protocol for key enrollment. -If no -.Cm challenge -is specified, a random challenge is used. .It Cm resident Indicate that the key should be stored on the FIDO authenticator itself. Resident keys may be supported on FIDO2 tokens and typically require that -- cgit v1.2.3 From 072f3b832d2a4db8d9880effcb6c4d0dad676504 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Mon, 3 Feb 2020 08:15:37 +0000 Subject: upstream: use better markup for challenge and write-attestation, and rejig the challenge text a little; ok djm OpenBSD-Commit-ID: 9f351e6da9edfdc907d5c3fdaf2e9ff3ab0a7a6f --- ssh-keygen.1 | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3494fbceb..f0e76aab1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.198 2020/02/02 07:36:50 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.199 2020/02/03 08:15:37 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 2 2020 $ +.Dd $Mdocdate: February 3 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -472,14 +472,12 @@ Those supported at present are: Override the default FIDO application/origin string of .Dq ssh: . This may be useful when generating host or domain-specific resident keys. -.It Cm challenge=path +.It Cm challenge Ns = Ns Ar path Specifies a path to a challenge string that will be passed to the FIDO token during key generation. -The challenge string is optional, but may be used as part of an out-of-band -protocol for key enrollment. -If no -.Cm challenge -is specified, a random challenge is used. +The challenge string may be used as part of an out-of-band +protocol for key enrollment +(a random challenge is used by default). .It Cm device Explicitly specify a .Xr fido 4 @@ -502,7 +500,7 @@ A username to be associated with a resident key, overriding the empty default username. Specifying a username may be useful when generating multiple resident keys for the same application name. -.It Cm write-attestation=path +.It Cm write-attestation Ns = Ns Ar path May be used at key generation time to record the attestation certificate returned from FIDO tokens during key generation. By default this information is discarded. -- cgit v1.2.3 From d596b1d30dc158915a3979fa409d21ff2465b6ee Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 4 Feb 2020 09:58:04 +0000 Subject: upstream: require FIDO application strings to start with "ssh:"; ok markus@ OpenBSD-Commit-ID: 94e9c1c066d42b76f035a3d58250a32b14000afb --- ssh-keygen.1 | 6 ++++-- ssh-keygen.c | 6 +++++- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index f0e76aab1..51aee21aa 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.199 2020/02/03 08:15:37 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.200 2020/02/04 09:58:04 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 3 2020 $ +.Dd $Mdocdate: February 4 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -472,6 +472,8 @@ Those supported at present are: Override the default FIDO application/origin string of .Dq ssh: . This may be useful when generating host or domain-specific resident keys. +The specified application string must begin with +.Dq ssh: . .It Cm challenge Ns = Ns Ar path Specifies a path to a challenge string that will be passed to the FIDO token during key generation. diff --git a/ssh-keygen.c b/ssh-keygen.c index 4ee43ab98..2a64622c1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.395 2020/01/28 08:01:34 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.396 2020/02/04 09:58:04 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -3572,6 +3572,10 @@ main(int argc, char **argv) } else if (strncasecmp(opts[i], "application=", 12) == 0) { sk_application = xstrdup(opts[i] + 12); + if (strncmp(sk_application, "ssh:", 4) != 0) { + fatal("FIDO application string must " + "begin with \"ssh:\""); + } } else { fatal("Option \"%s\" is unsupported for " "FIDO authenticator enrollment", opts[i]); -- cgit v1.2.3 From 963d71851e727ffdd2a97fe0898fad61d4a70ba1 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 7 Feb 2020 03:57:31 +0000 Subject: upstream: sync the description of the $SSH_SK_PROVIDER environment variable with that of the SecurityKeyProvider ssh/sshd_config(5) directive, as the latter was more descriptive. OpenBSD-Commit-ID: 0488f09530524a7e53afca6b6e1780598022552f --- ssh-add.1 | 8 +++++--- ssh-keygen.1 | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-add.1 b/ssh-add.1 index 7c592d8db..58d42138e 100644 --- a/ssh-add.1 +++ b/ssh-add.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.78 2020/01/17 20:13:47 naddy Exp $ +.\" $OpenBSD: ssh-add.1,v 1.79 2020/02/07 03:57:31 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 17 2020 $ +.Dd $Mdocdate: February 7 2020 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -199,7 +199,9 @@ Identifies the path of a .Ux Ns -domain socket used to communicate with the agent. .It Ev SSH_SK_PROVIDER -Specifies the path to a library used to interact with FIDO authenticators. +Specifies a path to a library that will be used when loading any +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. .El .Sh FILES .Bl -tag -width Ds -compact diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 51aee21aa..7af564297 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.200 2020/02/04 09:58:04 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.201 2020/02/07 03:57:31 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: February 4 2020 $ +.Dd $Mdocdate: February 7 2020 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -1116,7 +1116,9 @@ user2@example.com namespaces="file" ssh-ed25519 AAA41... .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev SSH_SK_PROVIDER -Specifies the path to a library used to interact with FIDO authenticators. +Specifies a path to a library that will be used when loading any +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. .El .Sh FILES .Bl -tag -width Ds -compact -- cgit v1.2.3