Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c33
1 files changed, 31 insertions, 2 deletions
diff --git a/servconf.c b/servconf.c
index e2f44d38..1f3beab4 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.353 2019/10/31 21:17:49 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.354 2019/11/25 00:52:46 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -118,6 +118,7 @@ initialize_server_options(ServerOptions *options)
options->hostbased_key_types = NULL;
options->hostkeyalgorithms = NULL;
options->pubkey_authentication = -1;
+ options->pubkey_auth_options = -1;
options->pubkey_key_types = NULL;
options->kerberos_authentication = -1;
options->kerberos_or_local_passwd = -1;
@@ -341,6 +342,8 @@ fill_default_server_options(ServerOptions *options)
options->hostbased_uses_name_from_packet_only = 0;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
+ if (options->pubkey_auth_options == -1)
+ options->pubkey_auth_options = 0;
if (options->kerberos_authentication == -1)
options->kerberos_authentication = 0;
if (options->kerberos_or_local_passwd == -1)
@@ -509,7 +512,7 @@ typedef enum {
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
- sExposeAuthInfo, sRDomain,
+ sExposeAuthInfo, sRDomain, sPubkeyAuthOptions,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -551,6 +554,7 @@ static struct {
{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
+ { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef KRB5
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
@@ -1468,6 +1472,24 @@ process_server_config_line(ServerOptions *options, char *line,
charptr = &options->pubkey_key_types;
goto parse_keytypes;
+ case sPubkeyAuthOptions:
+ intptr = &options->pubkey_auth_options;
+ value = 0;
+ while ((arg = strdelim(&cp)) && *arg != '\0') {
+ if (strcasecmp(arg, "none") == 0)
+ continue;
+ if (strcasecmp(arg, "touch-required") == 0)
+ value |= PUBKEYAUTH_TOUCH_REQUIRED;
+ else {
+ fatal("%s line %d: unsupported "
+ "PubkeyAuthOptions option %s",
+ filename, linenum, arg);
+ }
+ }
+ if (*activep && *intptr == -1)
+ *intptr = value;
+ break;
+
case sKerberosAuthentication:
intptr = &options->kerberos_authentication;
goto parse_flag;
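Review bot: A `PubkeyAuthOptions` line with no arguments is accepted in the `sPubkeyAuthOptions` case: the `while` loop never runs, `value` stays 0, and the `*activep && *intptr == -1` store records "no options". Because the first active value wins, such a line placed ahead of a later `touch-required` setting would leave the touch requirement off without any diagnostic, which fails open for a setting meant to harden authentication. Rejecting an empty argument list with `fatal()` before the loop, as sketched below, closes that gap; `none` combined with other keywords is also accepted silently and may deserve the same treatment. The enclosing `process_server_config_line` begins and ends outside this hunk, so the declarations of `arg`, `cp` and `value` are not visible here.

```c
	case sPubkeyAuthOptions:
		intptr = &options->pubkey_auth_options;
		value = 0;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing PubkeyAuthOptions "
			    "argument.", filename, linenum);
		do {
			/* … unchanged: none / touch-required / unsupported-option handling … */
		} while ((arg = strdelim(&cp)) && *arg != '\0');
		/* … unchanged: first-match-wins store into *intptr and break … */
```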
@@ -2290,6 +2312,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(pubkey_authentication);
+ M_CP_INTOPT(pubkey_auth_options);
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
@@ -2711,4 +2734,10 @@ dump_config(ServerOptions *o)
o->permit_user_env_whitelist);
}
+ printf("pubkeyauthoptions");
+ if (o->pubkey_auth_options == 0)
+ printf(" none");
+ if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
+ printf(" touch-required");
+ printf("\n");
}
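Review bot: The bit test in `dump_config` would print ` touch-required` for an option still holding the `-1` unset sentinel assigned in `initialize_server_options`, since `-1 & PUBKEYAUTH_TOUCH_REQUIRED` is non-zero. This presumably cannot happen when the dump runs after `fill_default_server_options`, but that ordering is not visible in this hunk, and the dumped configuration is what an administrator reads to confirm that touch is enforced. Guarding the test as `if (o->pubkey_auth_options > 0 && (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED))`, or adding a comment such as `/* assumes defaults already filled; -1 never reaches here */`, would keep the output trustworthy. The start of `dump_config` is outside the hunk.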