author | djm@openbsd.org <djm@openbsd.org> | 2019-11-25 00:55:58 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-25 12:25:30 +1100 |
commit | daeaf4136927c2a82af1399022103d67ff03f74a (patch) | |
tree | ae36ea4af1bd3fcc57813bfa71eca4cceef0efe9 /ssh-keygen.c | |
parent | 2e71263b80fec7ad977e098004fef7d122169d40 (diff) | |
download | openssh-git-daeaf4136927c2a82af1399022103d67ff03f74a.tar.gz |
upstream: allow "ssh-keygen -x no-touch-required" when generating a
security key keypair to request one that does not require a touch for each
authentication attempt. The default remains to require touch.
feedback deraadt; ok markus@
OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 16d196fc..e939c5b5 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.372 2019/11/25 00:55:58 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2810,6 +2810,7 @@ main(int argc, char **argv)
 unsigned long long ull, cert_serial = 0;
 char *identity_comment = NULL, *ca_key_path = NULL;
 u_int32_t bits = 0;
+ uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
 FILE *f;
 const char *errstr;
 int log_level = SYSLOG_LEVEL_INFO;
@@ -2822,9 +2823,6 @@ main(int argc, char **argv)
 unsigned long start_lineno = 0, lines_to_process = 0;
 BIGNUM *start = NULL;
 #endif
-#ifdef ENABLE_SK
- uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
-#endif
 extern int optind;
 extern char *optarg;
@@ -3015,15 +3013,19 @@ main(int argc, char **argv)
 case 'x':
 if (*optarg == '\0')
 fatal("Missing security key flags");
- ull = strtoull(optarg, &ep, 0);
- if (*ep != '\0')
- fatal("Security key flags \"%s\" is not a "
- "number", optarg);
- if (ull > 0xff)
- fatal("Invalid security key flags 0x%llx", ull);
-#ifdef ENABLE_SK
- sk_flags = (uint8_t)ull;
-#endif
+ if (strcasecmp(optarg, "no-touch-required") == 0)
+ sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+ else {
+ ull = strtoull(optarg, &ep, 0);
+ if (*ep != '\0')
+ fatal("Security key flags \"%s\" is "
+ "not a number", optarg);
+ if (ull > 0xff) {
+ fatal("Invalid security key "
+ "flags 0x%llx", ull);
+ }
+ sk_flags = (uint8_t)ull;
+ }
 break;
 case 'z':
 errno = 0; |
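Review bot: The `sk_flags` declaration added in the `@@ -2810` hunk is no longer under `#ifdef ENABLE_SK`, and the later hunks drop the guards around its assignments as well, so the variable is now declared and written in every build configuration. The code that reads it is outside these hunks; if that reader is still compiled only with ENABLE_SK, a build without security-key support may emit a set-but-unused warning, so that configuration is worth compiling once. A short comment on the declaration, `/* default: require user presence (touch) for each signature */`, would also record why this initial value is the safe one. main() starts and ends outside the hunk.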
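Review bot: In the `case 'x'` branch the two accepted forms do not compose: `no-touch-required` clears one bit of the current `sk_flags`, while a number overwrites the whole byte. A numeric value without SSH_SK_USER_PRESENCE_REQD set therefore also removes the touch requirement, and with repeated `-x` a later number silently discards an earlier name. Because this flag decides whether the generated key can be used without user presence, I would state that beside the assignment, `/* numeric form replaces all flags, including SSH_SK_USER_PRESENCE_REQD */`. A mistyped name also falls through to strtoull() and is reported as "is not a number"; a message such as `fatal("Unrecognised security key flag \"%s\"", optarg);` would describe that failure more accurately. The enclosing switch continues outside the hunk.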