diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:54:23 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:40 +1100 |
| commit | 2e71263b80fec7ad977e098004fef7d122169d40 (patch) | |
| tree | b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /auth-options.c | |
| parent | 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff) | |
| download | openssh-git-2e71263b80fec7ad977e098004fef7d122169d40.tar.gz | |
upstream: add a "no-touch-required" option for authorized_keys and
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.
feedback deraadt, ok markus
OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/auth-options.c b/auth-options.c index 90b0d7f2..2d200944 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */ +/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller <djm@mindrot.org> * @@ -96,7 +96,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, name, sshbuf_len(data)); found = 0; if ((which & OPTIONS_EXTENSIONS) != 0) { - if (strcmp(name, "permit-X11-forwarding") == 0) { + if (strcmp(name, "no-touch-required") == 0) { + opts->no_require_user_presence = 1; + found = 1; + } else if (strcmp(name, "permit-X11-forwarding") == 0) { opts->permit_x11_forwarding_flag = 1; found = 1; } else if (strcmp(name, @@ -347,6 +350,8 @@ sshauthopt_parse(const char *opts, const char **errstrp) ret->permit_agent_forwarding_flag = r == 1; } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) { ret->permit_x11_forwarding_flag = r == 1; + } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) { + ret->no_require_user_presence = r != 1; /* NB. flip */ } else if ((r = opt_flag("pty", 1, &opts)) != -1) { ret->permit_pty_flag = r == 1; } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { @@ -567,14 +572,15 @@ sshauthopt_merge(const struct sshauthopt *primary, goto alloc_fail; } - /* Flags are logical-AND (i.e. must be set in both for permission) */ -#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1) - OPTFLAG(permit_port_forwarding_flag); - OPTFLAG(permit_agent_forwarding_flag); - OPTFLAG(permit_x11_forwarding_flag); - OPTFLAG(permit_pty_flag); - OPTFLAG(permit_user_rc); -#undef OPTFLAG +#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1) + /* Permissive flags are logical-AND (i.e. must be set in both) */ + OPTFLAG_AND(permit_port_forwarding_flag); + OPTFLAG_AND(permit_agent_forwarding_flag); + OPTFLAG_AND(permit_x11_forwarding_flag); + OPTFLAG_AND(permit_pty_flag); + OPTFLAG_AND(permit_user_rc); + OPTFLAG_AND(no_require_user_presence); +#undef OPTFLAG_AND /* Earliest expiry time should win */ if (primary->valid_before != 0) @@ -643,6 +649,7 @@ sshauthopt_copy(const struct sshauthopt *orig) OPTSCALAR(cert_authority); OPTSCALAR(force_tun_device); OPTSCALAR(valid_before); + OPTSCALAR(no_require_user_presence); #undef OPTSCALAR #define OPTSTRING(x) \ do { \ @@ -765,7 +772,7 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, { int r = SSH_ERR_INTERNAL_ERROR; - /* Flag and simple integer options */ + /* Flag options */ if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 || @@ -773,7 +780,11 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || (r = sshbuf_put_u8(m, opts->restricted)) != 0 || (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || - (r = sshbuf_put_u64(m, opts->valid_before)) != 0) + (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0) + return r; + + /* Simple integer options */ + if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0) return r; /* tunnel number can be negative to indicate "unset" */ @@ -817,6 +828,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) if ((opts = calloc(1, sizeof(*opts))) == NULL) return SSH_ERR_ALLOC_FAIL; + /* Flag options */ #define OPT_FLAG(x) \ do { \ if ((r = sshbuf_get_u8(m, &f)) != 0) \ @@ -830,8 +842,10 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) OPT_FLAG(permit_user_rc); OPT_FLAG(restricted); OPT_FLAG(cert_authority); + OPT_FLAG(no_require_user_presence); #undef OPT_FLAG + /* Simple integer options */ if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0) goto out; |