upstream: refuse to add verify-required (PINful) FIDO keys to

ssh-agent until the agent supports them properly

OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e
This commit is contained in:
djm@openbsd.org 2020-08-31 04:33:17 +00:00 committed by Damien Miller
parent 39e88aeff9
commit 785f0f315b
1 changed files with 16 additions and 7 deletions

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-add.c,v 1.156 2020/06/26 05:04:07 djm Exp $ */
/* $OpenBSD: ssh-add.c,v 1.157 2020/08/31 04:33:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -67,6 +67,7 @@
#include "ssherr.h"
#include "digest.h"
#include "ssh-sk.h"
#include "sk-api.h"
/* argv0 */
extern char *__progname;
@ -348,12 +349,20 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
ssh_free_identitylist(idlist);
}
if (!sshkey_is_sk(private))
skprovider = NULL; /* Don't send constraint for other keys */
else if (skprovider == NULL) {
fprintf(stderr, "Cannot load authenticator-hosted key %s "
"without provider\n", filename);
goto out;
if (sshkey_is_sk(private)) {
if (skprovider == NULL) {
fprintf(stderr, "Cannot load FIDO key %s "
"without provider\n", filename);
goto out;
}
if ((private->sk_flags & SSH_SK_USER_VERIFICATION_REQD) != 0) {
fprintf(stderr, "FIDO verify-required key %s is not "
"currently supported by ssh-agent\n", filename);
goto out;
}
} else {
/* Don't send provider constraint for other keys */
skprovider = NULL;
}
if ((r = ssh_add_identity_constrained(agent_fd, private, comment,