upstream: add a "no-touch-required" option for authorized_keys and

a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
author: djm@openbsd.org <djm@openbsd.org> 2019-11-25 00:54:23 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-25 12:23:40 +1100
commit: 2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree: b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /monitor.c
parent: 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)
download: openssh-git-2e71263b80fec7ad977e098004fef7d122169d40.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/monitor.c b/monitor.c
index 9b171c44..d4be7409 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.203 2019/11/25 00:52:46 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.204 2019/11/25 00:54:23 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1440,7 +1440,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 
 	if (ret == 0 && key_blobtype == MM_USERKEY && sig_details != NULL) {
 		req_presence = (options.pubkey_auth_options &
-		    PUBKEYAUTH_TOUCH_REQUIRED);
+		    PUBKEYAUTH_TOUCH_REQUIRED) ||
+		    !key_opts->no_require_user_presence;
 		if (req_presence &&
 		    (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) {
 			error("public key %s %s signature for %s%s from %.128s "
author	djm@openbsd.org <djm@openbsd.org>	2019-11-25 00:54:23 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-25 12:23:40 +1100
commit	2e71263b80fec7ad977e098004fef7d122169d40 (patch)
tree	b4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /monitor.c
parent	0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)
download	openssh-git-2e71263b80fec7ad977e098004fef7d122169d40.tar.gz