upstream: Remove the -x option currently used for

FIDO/U2F-specific key flags. Instead these flags may be specified via -O.

ok markus@

OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
This commit is contained in:
djm@openbsd.org 2019-12-30 09:49:52 +00:00 committed by Damien Miller
parent ef65e7dbaa
commit 3093d12ff8
2 changed files with 46 additions and 38 deletions

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $ .\" $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -48,10 +48,10 @@
.Op Fl C Ar comment .Op Fl C Ar comment
.Op Fl f Ar output_keyfile .Op Fl f Ar output_keyfile
.Op Fl m Ar format .Op Fl m Ar format
.Op Fl O Ar option
.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
.Op Fl N Ar new_passphrase .Op Fl N Ar new_passphrase
.Op Fl w Ar provider .Op Fl w Ar provider
.Op Fl x Ar flags
.Nm ssh-keygen .Nm ssh-keygen
.Fl p .Fl p
.Op Fl f Ar keyfile .Op Fl f Ar keyfile
@ -453,7 +453,28 @@ listed in the
.Sx MODULI GENERATION .Sx MODULI GENERATION
section may be specified. section may be specified.
.Pp .Pp
This option may be specified multiple times. When generating a key that will be hosted on a FIDO authenticator, this
flag may be used to specify key-specific options.
Two FIDO authenticator options are supported at present:
.Pp
.Cm no-touch-required
indicates that the generated private key should not require touch
events (user presence) when making signatures.
Note that
.Xr sshd 8
will refuse such signatures by default, unless overridden via
an authorized_keys option.
.Pp
.Cm resident
indicates that the key should be stored on the FIDO authenticator itself.
Resident keys may be supported on FIDO2 tokens and typically require that
a PIN be set on the token prior to generation.
Resident keys may be loaded off the token using
.Xr ssh-add 1 .
.Pp
The
.Fl O
option may be specified multiple times.
.It Fl P Ar passphrase .It Fl P Ar passphrase
Provides the (old) passphrase. Provides the (old) passphrase.
.It Fl p .It Fl p
@ -573,18 +594,6 @@ The maximum is 3.
Specifies a path to a library that will be used when creating Specifies a path to a library that will be used when creating
FIDO authenticator-hosted keys, overriding the default of using FIDO authenticator-hosted keys, overriding the default of using
the internal USB HID support. the internal USB HID support.
.It Fl x Ar flags
Specifies the authenticator flags to use when enrolling an authenticator-hosted
key.
Flags may be specified by name or directly as a hexadecimal value.
Only one named flag is supported at present:
.Cm no-touch-required ,
which indicates that the generated private key should not require touch
events (user presence) when making signatures.
Note that
.Xr sshd 8
will refuse such signatures by default, unless overridden via
an authorized_keys option.
.It Fl Y Cm check-novalidate .It Fl Y Cm check-novalidate
Checks that a signature generated using Checks that a signature generated using
.Nm .Nm

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.380 2019/12/30 09:49:52 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2932,7 +2932,7 @@ main(int argc, char **argv)
int prefer_agent = 0, convert_to = 0, convert_from = 0; int prefer_agent = 0, convert_to = 0, convert_from = 0;
int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
int do_gen_candidates = 0, do_screen_candidates = 0; int do_gen_candidates = 0, do_screen_candidates = 0;
unsigned long long ull, cert_serial = 0; unsigned long long cert_serial = 0;
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
size_t i, nopts = 0; size_t i, nopts = 0;
u_int32_t bits = 0; u_int32_t bits = 0;
@ -2965,10 +2965,10 @@ main(int argc, char **argv)
sk_provider = getenv("SSH_SK_PROVIDER"); sk_provider = getenv("SSH_SK_PROVIDER");
/* Remaining characters: dGjJKSTW */ /* Remaining characters: dGjJKSTWx */
while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy" while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy"
"C:D:E:F:I:M:N:O:P:R:V:Y:Z:" "C:D:E:F:I:M:N:O:P:R:V:Y:Z:"
"a:b:f:g:m:n:r:s:t:w:x:z:")) != -1) { "a:b:f:g:m:n:r:s:t:w:z:")) != -1) {
switch (opt) { switch (opt) {
case 'A': case 'A':
gen_all_hostkeys = 1; gen_all_hostkeys = 1;
@ -3130,25 +3130,6 @@ main(int argc, char **argv)
case 'w': case 'w':
sk_provider = optarg; sk_provider = optarg;
break; break;
case 'x':
if (*optarg == '\0')
fatal("Missing security key flags");
if (strcasecmp(optarg, "no-touch-required") == 0)
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
else if (strcasecmp(optarg, "resident") == 0)
sk_flags |= SSH_SK_RESIDENT_KEY;
else {
ull = strtoull(optarg, &ep, 0);
if (*ep != '\0')
fatal("Security key flags \"%s\" is "
"not a number", optarg);
if (ull > 0xff) {
fatal("Invalid security key "
"flags 0x%llx", ull);
}
sk_flags = (uint8_t)ull;
}
break;
case 'z': case 'z':
errno = 0; errno = 0;
if (*optarg == '+') { if (*optarg == '+') {
@ -3361,6 +3342,20 @@ main(int argc, char **argv)
switch (type) { switch (type) {
case KEY_ECDSA_SK: case KEY_ECDSA_SK:
case KEY_ED25519_SK: case KEY_ED25519_SK:
for (i = 0; i < nopts; i++) {
if (strcasecmp(opts[i], "no-touch-required") == 0) {
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
} else if (strcasecmp(opts[i], "resident") == 0) {
sk_flags |= SSH_SK_RESIDENT_KEY;
} else {
fatal("Option \"%s\" is unsupported for "
"FIDO authenticator enrollment", opts[i]);
}
}
if (!quiet) {
printf("You may need to touch your security key "
"to authorize key generation.\n");
}
passphrase1 = NULL; passphrase1 = NULL;
for (i = 0 ; i < 3; i++) { for (i = 0 ; i < 3; i++) {
if (!quiet) { if (!quiet) {
@ -3375,9 +3370,13 @@ main(int argc, char **argv)
break; break;
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
exit(1); /* error message already printed */ exit(1); /* error message already printed */
if (passphrase1 != NULL)
freezero(passphrase1, strlen(passphrase1));
passphrase1 = read_passphrase("Enter PIN for security " passphrase1 = read_passphrase("Enter PIN for security "
"key: ", RP_ALLOW_STDIN); "key: ", RP_ALLOW_STDIN);
} }
if (passphrase1 != NULL)
freezero(passphrase1, strlen(passphrase1));
if (i > 3) if (i > 3)
fatal("Too many incorrect PINs"); fatal("Too many incorrect PINs");
break; break;