upstream: Remove the -x option currently used for
FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
parent
ef65e7dbaa
commit
3093d12ff8
39
ssh-keygen.1
39
ssh-keygen.1
|
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -48,10 +48,10 @@
|
|||
.Op Fl C Ar comment
|
||||
.Op Fl f Ar output_keyfile
|
||||
.Op Fl m Ar format
|
||||
.Op Fl O Ar option
|
||||
.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
.Op Fl N Ar new_passphrase
|
||||
.Op Fl w Ar provider
|
||||
.Op Fl x Ar flags
|
||||
.Nm ssh-keygen
|
||||
.Fl p
|
||||
.Op Fl f Ar keyfile
|
||||
|
@ -453,7 +453,28 @@ listed in the
|
|||
.Sx MODULI GENERATION
|
||||
section may be specified.
|
||||
.Pp
|
||||
This option may be specified multiple times.
|
||||
When generating a key that will be hosted on a FIDO authenticator, this
|
||||
flag may be used to specify key-specific options.
|
||||
Two FIDO authenticator options are supported at present:
|
||||
.Pp
|
||||
.Cm no-touch-required
|
||||
indicates that the generated private key should not require touch
|
||||
events (user presence) when making signatures.
|
||||
Note that
|
||||
.Xr sshd 8
|
||||
will refuse such signatures by default, unless overridden via
|
||||
an authorized_keys option.
|
||||
.Pp
|
||||
.Cm resident
|
||||
indicates that the key should be stored on the FIDO authenticator itself.
|
||||
Resident keys may be supported on FIDO2 tokens and typically require that
|
||||
a PIN be set on the token prior to generation.
|
||||
Resident keys may be loaded off the token using
|
||||
.Xr ssh-add 1 .
|
||||
.Pp
|
||||
The
|
||||
.Fl O
|
||||
option may be specified multiple times.
|
||||
.It Fl P Ar passphrase
|
||||
Provides the (old) passphrase.
|
||||
.It Fl p
|
||||
|
@ -573,18 +594,6 @@ The maximum is 3.
|
|||
Specifies a path to a library that will be used when creating
|
||||
FIDO authenticator-hosted keys, overriding the default of using
|
||||
the internal USB HID support.
|
||||
.It Fl x Ar flags
|
||||
Specifies the authenticator flags to use when enrolling an authenticator-hosted
|
||||
key.
|
||||
Flags may be specified by name or directly as a hexadecimal value.
|
||||
Only one named flag is supported at present:
|
||||
.Cm no-touch-required ,
|
||||
which indicates that the generated private key should not require touch
|
||||
events (user presence) when making signatures.
|
||||
Note that
|
||||
.Xr sshd 8
|
||||
will refuse such signatures by default, unless overridden via
|
||||
an authorized_keys option.
|
||||
.It Fl Y Cm check-novalidate
|
||||
Checks that a signature generated using
|
||||
.Nm
|
||||
|
|
45
ssh-keygen.c
45
ssh-keygen.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.380 2019/12/30 09:49:52 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -2932,7 +2932,7 @@ main(int argc, char **argv)
|
|||
int prefer_agent = 0, convert_to = 0, convert_from = 0;
|
||||
int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
|
||||
int do_gen_candidates = 0, do_screen_candidates = 0;
|
||||
unsigned long long ull, cert_serial = 0;
|
||||
unsigned long long cert_serial = 0;
|
||||
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
|
||||
size_t i, nopts = 0;
|
||||
u_int32_t bits = 0;
|
||||
|
@ -2965,10 +2965,10 @@ main(int argc, char **argv)
|
|||
|
||||
sk_provider = getenv("SSH_SK_PROVIDER");
|
||||
|
||||
/* Remaining characters: dGjJKSTW */
|
||||
/* Remaining characters: dGjJKSTWx */
|
||||
while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy"
|
||||
"C:D:E:F:I:M:N:O:P:R:V:Y:Z:"
|
||||
"a:b:f:g:m:n:r:s:t:w:x:z:")) != -1) {
|
||||
"a:b:f:g:m:n:r:s:t:w:z:")) != -1) {
|
||||
switch (opt) {
|
||||
case 'A':
|
||||
gen_all_hostkeys = 1;
|
||||
|
@ -3130,25 +3130,6 @@ main(int argc, char **argv)
|
|||
case 'w':
|
||||
sk_provider = optarg;
|
||||
break;
|
||||
case 'x':
|
||||
if (*optarg == '\0')
|
||||
fatal("Missing security key flags");
|
||||
if (strcasecmp(optarg, "no-touch-required") == 0)
|
||||
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
|
||||
else if (strcasecmp(optarg, "resident") == 0)
|
||||
sk_flags |= SSH_SK_RESIDENT_KEY;
|
||||
else {
|
||||
ull = strtoull(optarg, &ep, 0);
|
||||
if (*ep != '\0')
|
||||
fatal("Security key flags \"%s\" is "
|
||||
"not a number", optarg);
|
||||
if (ull > 0xff) {
|
||||
fatal("Invalid security key "
|
||||
"flags 0x%llx", ull);
|
||||
}
|
||||
sk_flags = (uint8_t)ull;
|
||||
}
|
||||
break;
|
||||
case 'z':
|
||||
errno = 0;
|
||||
if (*optarg == '+') {
|
||||
|
@ -3361,6 +3342,20 @@ main(int argc, char **argv)
|
|||
switch (type) {
|
||||
case KEY_ECDSA_SK:
|
||||
case KEY_ED25519_SK:
|
||||
for (i = 0; i < nopts; i++) {
|
||||
if (strcasecmp(opts[i], "no-touch-required") == 0) {
|
||||
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
|
||||
} else if (strcasecmp(opts[i], "resident") == 0) {
|
||||
sk_flags |= SSH_SK_RESIDENT_KEY;
|
||||
} else {
|
||||
fatal("Option \"%s\" is unsupported for "
|
||||
"FIDO authenticator enrollment", opts[i]);
|
||||
}
|
||||
}
|
||||
if (!quiet) {
|
||||
printf("You may need to touch your security key "
|
||||
"to authorize key generation.\n");
|
||||
}
|
||||
passphrase1 = NULL;
|
||||
for (i = 0 ; i < 3; i++) {
|
||||
if (!quiet) {
|
||||
|
@ -3375,9 +3370,13 @@ main(int argc, char **argv)
|
|||
break;
|
||||
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
|
||||
exit(1); /* error message already printed */
|
||||
if (passphrase1 != NULL)
|
||||
freezero(passphrase1, strlen(passphrase1));
|
||||
passphrase1 = read_passphrase("Enter PIN for security "
|
||||
"key: ", RP_ALLOW_STDIN);
|
||||
}
|
||||
if (passphrase1 != NULL)
|
||||
freezero(passphrase1, strlen(passphrase1));
|
||||
if (i > 3)
|
||||
fatal("Too many incorrect PINs");
|
||||
break;
|
||||
|
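Review bot: The PIN retry check `if (i > 3)` near the end of this hunk can never be true: the retry loop `for (i = 0 ; i < 3; i++)` (visible in the previous hunk) exits with `i == 3` after three wrong PINs, so "Too many incorrect PINs" is never reported and control reaches the trailing `break;` and continues as if enrollment had succeeded, presumably with nothing stored in the enrolled key. The line appears to be unchanged context rather than part of this commit, but the added passphrase cleanup right above it makes this the natural place to correct it; the one-line fix is `if (i >= 3)`. The enclosing `main()` and the `switch (type)` block both start outside this hunk.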