From daeaf4136927c2a82af1399022103d67ff03f74a Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 25 Nov 2019 00:55:58 +0000
Subject: upstream: allow "ssh-keygen -x no-touch-required" when generating a security key keypair to request one that does not require a touch for each authentication attempt. The default remains to require touch. feedback deraadt; ok markus@
OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
---
 ssh-keygen.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)
(limited to 'ssh-keygen.c')
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 16d196fc8..e939c5b57 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.372 2019/11/25 00:55:58 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland
@@ -2810,6 +2810,7 @@ main(int argc, char **argv)
 unsigned long long ull, cert_serial = 0;
 char *identity_comment = NULL, *ca_key_path = NULL;
 u_int32_t bits = 0;
+ uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
 FILE *f;
 const char *errstr;
 int log_level = SYSLOG_LEVEL_INFO;
@@ -2822,9 +2823,6 @@ main(int argc, char **argv)
 unsigned long start_lineno = 0, lines_to_process = 0;
 BIGNUM *start = NULL;
 #endif
-#ifdef ENABLE_SK
- uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
-#endif
 extern int optind;
 extern char *optarg;
@@ -3015,15 +3013,19 @@ main(int argc, char **argv)
 case 'x':
 if (*optarg == '\0')
 fatal("Missing security key flags");
- ull = strtoull(optarg, &ep, 0);
- if (*ep != '\0')
- fatal("Security key flags \"%s\" is not a "
- "number", optarg);
- if (ull > 0xff)
- fatal("Invalid security key flags 0x%llx", ull);
-#ifdef ENABLE_SK
- sk_flags = (uint8_t)ull;
-#endif
+ if (strcasecmp(optarg, "no-touch-required") == 0)
+ sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+ else {
+ ull = strtoull(optarg, &ep, 0);
+ if (*ep != '\0')
+ fatal("Security key flags \"%s\" is "
+ "not a number", optarg);
+ if (ull > 0xff) {
+ fatal("Invalid security key "
+ "flags 0x%llx", ull);
+ }
+ sk_flags = (uint8_t)ull;
+ }
 break;
 case 'z':
 errno = 0;
-- cgit v1.2.3
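Review bot: In the `case 'x':` branch the two accepted forms do not compose: `no-touch-required` clears one bit of the current value (`sk_flags &= ~SSH_SK_USER_PRESENCE_REQD`), while a numeric argument replaces the whole byte (`sk_flags = (uint8_t)ull`), so if `-x` is given more than once the resulting touch policy depends on argument order. The numeric path also accepts any value up to 0xff, including `0`, so user presence can be switched off without the self-describing name and without the bits being checked against the defined flags. I would at least document this above the `else`, e.g. `/* A numeric value replaces sk_flags outright; symbolic names only modify it. */`, and consider a log line when the final flags lack `SSH_SK_USER_PRESENCE_REQD`, since a key that needs no touch can generally be used by any local process able to reach the authenticator. The enclosing `main()` starts and ends outside this hunk, so how `sk_flags` is consumed (and whether it has any effect without `ENABLE_SK`) is not visible here.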