summaryrefslogtreecommitdiff
path: root/ssh-agent.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2022-01-14 03:43:48 +0000
committerDamien Miller <djm@mindrot.org>2022-01-18 10:00:35 +1100
commit39d17e189f8e72c34c722579d8d4e701fa5132da (patch)
tree7395eb133f1c00f89539cf6ddf7a7916f932d0b1 /ssh-agent.c
parent52423f64e13db2bdc31a51b32e999cb1bfcf1263 (diff)
downloadopenssh-git-39d17e189f8e72c34c722579d8d4e701fa5132da.tar.gz
upstream: allow pin-required FIDO keys to be added to ssh-agent(1).
ssh-askpass will be used to request the PIN at authentication time. From Pedro Martelletto, ok djm OpenBSD-Commit-ID: de8189fcd35b45f632484864523c1655550e2950
Diffstat (limited to 'ssh-agent.c')
-rw-r--r--ssh-agent.c41
1 files changed, 35 insertions, 6 deletions
diff --git a/ssh-agent.c b/ssh-agent.c
index 1650f977..03ae2b02 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.286 2022/01/12 03:30:32 dtucker Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.287 2022/01/14 03:43:48 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -724,8 +724,9 @@ process_sign_request2(SocketEntry *e)
u_char *signature = NULL;
size_t slen = 0;
u_int compat = 0, flags;
- int r, ok = -1;
- char *fp = NULL, *user = NULL, *sig_dest = NULL;
+ int r, ok = -1, retried = 0;
+ char *fp = NULL, *pin = NULL, *prompt = NULL;
+ char *user = NULL, *sig_dest = NULL;
const char *fwd_host = NULL, *dest_host = NULL;
struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
struct sshkey *key = NULL, *hostkey = NULL;
@@ -812,7 +813,16 @@ process_sign_request2(SocketEntry *e)
/* error already logged */
goto send;
}
- if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+ if ((id->key->sk_flags & SSH_SK_USER_VERIFICATION_REQD)) {
+ /* XXX include sig_dest */
+ xasprintf(&prompt, "Enter PIN%sfor %s key %s: ",
+ (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD) ?
+ " and confirm user presence " : " ",
+ sshkey_type(id->key), fp);
+ pin = read_passphrase(prompt, RP_USE_ASKPASS);
+ free(prompt);
+ prompt = NULL;
+ } else if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
notifier = notify_start(0,
"Confirm user presence for key %s %s%s%s",
sshkey_type(id->key), fp,
@@ -820,10 +830,26 @@ process_sign_request2(SocketEntry *e)
sig_dest == NULL ? "" : sig_dest);
}
}
- /* XXX support PIN required FIDO keys */
+ retry_pin:
if ((r = sshkey_sign(id->key, &signature, &slen,
sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags),
- id->sk_provider, NULL, compat)) != 0) {
+ id->sk_provider, pin, compat)) != 0) {
+ debug_fr(r, "sshkey_sign");
+ if (pin == NULL && !retried && sshkey_is_sk(id->key) &&
+ r == SSH_ERR_KEY_WRONG_PASSPHRASE) {
+ if (notifier) {
+ notify_complete(notifier, NULL);
+ notifier = NULL;
+ }
+ /* XXX include sig_dest */
+ xasprintf(&prompt, "Enter PIN%sfor %s key %s: ",
+ (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD) ?
+ " and confirm user presence " : " ",
+ sshkey_type(id->key), fp);
+ pin = read_passphrase(prompt, RP_USE_ASKPASS);
+ retried = 1;
+ goto retry_pin;
+ }
error_fr(r, "sshkey_sign");
goto send;
}
@@ -851,6 +877,9 @@ process_sign_request2(SocketEntry *e)
free(signature);
free(sig_dest);
free(user);
+ free(prompt);
+ if (pin != NULL)
+ freezero(pin, strlen(pin));
}
/* shared */
View Lorry Controller Status