From 516605f2d596884cedc2beed6b262716ec76f63d Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 10 Dec 2019 22:37:20 +0000 Subject: upstream: when acting as a CA and using a security key as the CA key, remind the user to touch they key to authorise the signature. OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1 --- ssh-keygen.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ssh-keygen.c b/ssh-keygen.c index a5d09c2a1..e90b85ffa 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.373 2019/11/25 00:57:27 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1735,10 +1735,12 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, int r, i, fd, found, agent_fd = -1; u_int n; struct sshkey *ca, *public; - char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL; + char valid[64], *otmp, *tmp, *cp, *out, *comment; + char *ca_fp = NULL, **plist = NULL; FILE *f; struct ssh_identitylist *agent_ids; size_t j; + struct notifier_ctx *notifier = NULL; #ifdef ENABLE_PKCS11 pkcs11_init(1); @@ -1784,6 +1786,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, fatal("CA key type %s doesn't match specified %s", sshkey_ssh_name(ca), key_type_name); } + ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT); for (i = 0; i < argc; i++) { /* Split list of principals */ @@ -1834,8 +1837,16 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, fatal("Couldn't certify key %s via agent: %s", tmp, ssh_err(r)); } else { - if ((r = sshkey_certify(public, ca, key_type_name, - sk_provider)) != 0) + if (sshkey_is_sk(ca) && + (ca->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { + notifier = notify_start(0, + "Confirm user presence for key %s %s", + sshkey_type(ca), ca_fp); + } + r = sshkey_certify(public, ca, key_type_name, + sk_provider); + notify_complete(notifier); + if (r != 0) fatal("Couldn't certify key %s: %s", tmp, ssh_err(r)); } @@ -1873,6 +1884,7 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent, if (cert_serial_autoinc) cert_serial++; } + free(ca_fp); #ifdef ENABLE_PKCS11 pkcs11_terminate(); #endif -- cgit v1.2.3