author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:52:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:23:40 +1100 |
commit | 0fddf2967ac51d518e300408a0d7e6adf4cd2634 (patch) | |
tree | d7fe4a4f7cd92c565a765e21b7cb19b9c7544d29 /servconf.c | |
parent | b7e74ea072919b31391bc0f5ff653f80b9f5e84f (diff) | |
download | openssh-git-0fddf2967ac51d518e300408a0d7e6adf4cd2634.tar.gz |
upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 33 |
1 files changed, 31 insertions, 2 deletions
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.353 2019/10/31 21:17:49 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.354 2019/11/25 00:52:46 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -118,6 +118,7 @@ initialize_server_options(ServerOptions *options)
 options->hostbased_key_types = NULL;
 options->hostkeyalgorithms = NULL;
 options->pubkey_authentication = -1;
+ options->pubkey_auth_options = -1;
 options->pubkey_key_types = NULL;
 options->kerberos_authentication = -1;
 options->kerberos_or_local_passwd = -1;
@@ -341,6 +342,8 @@ fill_default_server_options(ServerOptions *options)
 options->hostbased_uses_name_from_packet_only = 0;
 if (options->pubkey_authentication == -1)
 options->pubkey_authentication = 1;
+ if (options->pubkey_auth_options == -1)
+ options->pubkey_auth_options = 0;
 if (options->kerberos_authentication == -1)
 options->kerberos_authentication = 0;
 if (options->kerberos_or_local_passwd == -1)
@@ -509,7 +512,7 @@ typedef enum {
 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding,
 sFingerprintHash, sDisableForwarding,
- sExposeAuthInfo, sRDomain,
+ sExposeAuthInfo, sRDomain, sPubkeyAuthOptions,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
@@ -551,6 +554,7 @@ static struct {
 { "rsaauthentication", sDeprecated, SSHCFG_ALL },
 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
+ { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
@@ -1468,6 +1472,24 @@ process_server_config_line(ServerOptions *options, char *line,
 charptr = &options->pubkey_key_types;
 goto parse_keytypes;
+ case sPubkeyAuthOptions:
+ intptr = &options->pubkey_auth_options;
+ value = 0;
+ while ((arg = strdelim(&cp)) && *arg != '\0') {
+ if (strcasecmp(arg, "none") == 0)
+ continue;
+ if (strcasecmp(arg, "touch-required") == 0)
+ value |= PUBKEYAUTH_TOUCH_REQUIRED;
+ else {
+ fatal("%s line %d: unsupported "
+ "PubkeyAuthOptions option %s",
+ filename, linenum, arg);
+ }
+ }
+ if (*activep && *intptr == -1)
+ *intptr = value;
+ break;
+
 case sKerberosAuthentication:
 intptr = &options->kerberos_authentication;
 goto parse_flag;
@@ -2290,6 +2312,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(password_authentication);
 M_CP_INTOPT(gss_authentication);
 M_CP_INTOPT(pubkey_authentication);
+ M_CP_INTOPT(pubkey_auth_options);
 M_CP_INTOPT(kerberos_authentication);
 M_CP_INTOPT(hostbased_authentication);
 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
@@ -2711,4 +2734,10 @@ dump_config(ServerOptions *o)
 o->permit_user_env_whitelist);
 }
+ printf("pubkeyauthoptions");
+ if (o->pubkey_auth_options == 0)
+ printf(" none");
+ if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
+ printf(" touch-required");
+ printf("\n");
 }
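Review bot: In the sPubkeyAuthOptions case, a `PubkeyAuthOptions` line with no argument is silently accepted: the while loop never runs, `value` stays 0 and the option is stored as if `none` had been written, whereas the other directives in this file (outside the hunk) reject a missing argument with fatal(). Counting the words consumed by the loop and adding `if (nopts == 0) fatal("%s line %d: missing PubkeyAuthOptions argument", filename, linenum);` after it would make the directive behave like the rest of the parser; `none` combined with `touch-required` on the same line is also accepted without complaint, which may or may not be intended. Separately, the commit message names the option "no-touch-required", while the keyword parsed here and printed by dump_config is "touch-required"; the message and the sshd_config manual page should agree with the code on both the name and which setting is the default. process_server_config_line starts and ends outside the hunk.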