authornaddy@openbsd.org <naddy@openbsd.org>2022-05-31 14:05:12 +0000
committerDarren Tucker <dtucker@dtucker.net>2022-06-03 13:38:15 +1000
commit6b3fb624675082a1e5aa615d1b8479873d8b5731 (patch)
tree9fb02750e5a1fa82002fb26b187ce90d6bb5f9ef /ssh-keygen.c
parentb7f86ffc301be105bba9a3e0618b6fab3ae379bd (diff)
upstream: ssh-keygen: implement "verify-required" certificate option.
This was already documented when support for user-verified FIDO keys was added, but the ssh-keygen(1) code was missing. ok djm@ OpenBSD-Commit-ID: f660f973391b593fea4b7b25913c9a15c3eb8a06
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index e7600732..35e70a10 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.452 2022/05/09 03:09:53 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.453 2022/05/31 14:05:12 naddy Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -127,6 +127,7 @@ static u_int64_t cert_valid_to = ~0ULL;
#define CERTOPT_PTY (1<<3)
#define CERTOPT_USER_RC (1<<4)
#define CERTOPT_NO_REQUIRE_USER_PRESENCE (1<<5)
+#define CERTOPT_REQUIRE_VERIFY (1<<6)
#define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \
CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC)
static u_int32_t certflags_flags = CERTOPT_DEFAULT;
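Review bot: CERTOPT_REQUIRE_VERIFY is the one CERTOPT_* bit that finalise_cert_exts emits as a critical option rather than an extension (the later hunk passes 1 to cert_ext_add for "verify-required" where the permit-* extensions pass 0), and nothing at the define says so. A trailing comment on the new line would spare the next reader the cross-reference: `#define CERTOPT_REQUIRE_VERIFY (1<<6) /* emitted as a critical option, not an extension */`. Leaving it out of CERTOPT_DEFAULT looks right, since per the commit message it only has meaning for user-verified FIDO keys.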
@@ -1672,6 +1673,8 @@ finalise_cert_exts(void)
cert_ext_add("force-command", certflags_command, 1);
if (certflags_src_addr != NULL)
cert_ext_add("source-address", certflags_src_addr, 1);
+ if ((certflags_flags & CERTOPT_REQUIRE_VERIFY) != 0)
+ cert_ext_add("verify-required", NULL, 1);
/* extensions */
if ((certflags_flags & CERTOPT_X_FWD) != 0)
cert_ext_add("permit-X11-forwarding", NULL, 0);
@@ -1993,6 +1996,10 @@ add_cert_option(char *opt)
certflags_flags &= ~CERTOPT_NO_REQUIRE_USER_PRESENCE;
else if (strcasecmp(opt, "no-touch-required") == 0)
certflags_flags |= CERTOPT_NO_REQUIRE_USER_PRESENCE;
+ else if (strcasecmp(opt, "no-verify-required") == 0)
+ certflags_flags &= ~CERTOPT_REQUIRE_VERIFY;
+ else if (strcasecmp(opt, "verify-required") == 0)
+ certflags_flags |= CERTOPT_REQUIRE_VERIFY;
else if (strncasecmp(opt, "force-command=", 14) == 0) {
val = opt + 14;
if (*val == '\0')
@@ -2051,6 +2058,9 @@ show_options(struct sshbuf *optbuf, int in_critical)
fatal_fr(r, "parse critical");
printf(" %s\n", arg);
free(arg);
+ } else if (in_critical &&
+ strcmp(name, "verify-required") == 0) {
+ printf("\n");
} else if (sshbuf_len(option) > 0) {
hex = sshbuf_dtob16(option);
printf(" UNKNOWN OPTION: %s (len %zu)\n",
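Review bot: The new branch is the only one in this if/else chain gated on in_critical, and the hunk gives no reason, so a reader may wonder whether the force-command/source-address branch above was meant to be gated as well. A one-line comment would settle it: `/* flag-only critical option; as an extension it falls through to UNKNOWN */`. The branch also prints without checking that the option payload is empty; if the "extra data at end" check that I believe follows this chain is still present (the loop body continues outside the hunk), a non-empty payload is still caught, but that is worth confirming rather than assuming.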