upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e

auth2-pubkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.98 2020/01/23 07:10:22 dtucker Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -231,7 +231,8 @@ userauth_pubkey(struct ssh *ssh)
 			    SSH_SK_USER_PRESENCE_REQD) == 0) {
 				error("public key %s signature for %s%s from "
 				    "%.128s port %d rejected: user presence "
-				    "(key touch) requirement not met ", key_s,
+				    "(authenticator touch) requirement "
+				    "not met ", key_s,
 				    authctxt->valid ? "" : "invalid user ",
 				    authctxt->user, ssh_remote_ipaddr(ssh),
 				    ssh_remote_port(ssh));

monitor.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.207 2020/01/23 07:10:22 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.208 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1445,8 +1445,9 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 		if (req_presence &&
 		    (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) {
 			error("public key %s %s signature for %s%s from %.128s "
-			    "port %d rejected: user presence (key touch) "
+			    "port %d rejected: user presence "
-			    "requirement not met ", sshkey_type(key), fp,
+			    "(authenticator touch) requirement not met ",
+			    sshkey_type(key), fp,
 			    authctxt->valid ? "" : "invalid user ",
 			    authctxt->user, ssh_remote_ipaddr(ssh),
 			    ssh_remote_port(ssh));

ssh-add.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.151 2020/01/25 23:02:13 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.152 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -315,8 +315,8 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
 	if (!sshkey_is_sk(private))
 		skprovider = NULL; /* Don't send constraint for other keys */
 	else if (skprovider == NULL) {
-		fprintf(stderr, "Cannot load security key %s without "
+		fprintf(stderr, "Cannot load authenticator-hosted key %s "
-		    "provider\n", filename);
+		    "without provider\n", filename);
 		goto out;
 	}
 
@@ -546,7 +546,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag)
 	int r, ok = 0;
 	char *fp;
 
-	pass = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN);
+	pass = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
 	if ((r = sshsk_load_resident(skprovider, NULL, pass,
 	    &keys, &nkeys)) != 0) {
 		error("Unable to load resident keys: %s", ssh_err(r));

ssh-agent.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.254 2020/01/25 00:06:48 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -510,8 +510,8 @@ process_add_identity(SocketEntry *e)
 	}
 	if (sk_provider != NULL) {
 		if (!sshkey_is_sk(k)) {
-			error("Cannot add provider: %s is not a security key",
+			error("Cannot add provider: %s is not an "
-			    sshkey_type(k));
+			    "authenticator-hosted key", sshkey_type(k));
 			free(sk_provider);
 			goto send;
 		}

ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.396 2020/02/04 09:58:04 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.397 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
 	if (skprovider == NULL)
 		fatal("Cannot download keys without provider");
 
-	pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN);
+	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
 	if ((r = sshsk_load_resident(skprovider, device, pin,
 	    &keys, &nkeys)) != 0) {
 		freezero(pin, strlen(pin));
@@ -3582,7 +3582,7 @@ main(int argc, char **argv)
 			}
 		}
 		if (!quiet) {
-			printf("You may need to touch your security key "
+			printf("You may need to touch your authenticator "
 			    "to authorize key generation.\n");
 		}
 		passphrase = NULL;
@@ -3600,8 +3600,8 @@ main(int argc, char **argv)
 				fatal("Key enrollment failed: %s", ssh_err(r));
 			if (passphrase != NULL)
 				freezero(passphrase, strlen(passphrase));
-			passphrase = read_passphrase("Enter PIN for security "
+			passphrase = read_passphrase("Enter PIN for "
-			    "key: ", RP_ALLOW_STDIN);
+			    "authenticator: ", RP_ALLOW_STDIN);
 		}
 		if (passphrase != NULL)
 			freezero(passphrase, strlen(passphrase));

ssh-sk.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.26 2020/01/28 08:01:34 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.27 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -120,39 +120,38 @@ sshsk_open(const char *path)
 		return ret;
 	}
 	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
-		error("Security key provider \"%s\" dlopen failed: %s",
+		error("Provider \"%s\" dlopen failed: %s", path, dlerror());
-		    path, dlerror());
 		goto fail;
 	}
 	if ((ret->sk_api_version = dlsym(ret->dlhandle,
 	    "sk_api_version")) == NULL) {
-		error("Security key provider \"%s\" dlsym(sk_api_version) "
+		error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
-		    "failed: %s", path, dlerror());
+		    path, dlerror());
 		goto fail;
 	}
 	version = ret->sk_api_version();
 	debug("%s: provider %s implements version 0x%08lx", __func__,
 	    ret->path, (u_long)version);
 	if ((version & SSH_SK_VERSION_MAJOR_MASK) != SSH_SK_VERSION_MAJOR) {
-		error("Security key provider \"%s\" implements unsupported "
+		error("Provider \"%s\" implements unsupported "
 		    "version 0x%08lx (supported: 0x%08lx)",
 		    path, (u_long)version, (u_long)SSH_SK_VERSION_MAJOR);
 		goto fail;
 	}
 	if ((ret->sk_enroll = dlsym(ret->dlhandle, "sk_enroll")) == NULL) {
-		error("Security key  provider %s dlsym(sk_enroll) "
+		error("Provider %s dlsym(sk_enroll) failed: %s",
-		    "failed: %s", path, dlerror());
+		    path, dlerror());
 		goto fail;
 	}
 	if ((ret->sk_sign = dlsym(ret->dlhandle, "sk_sign")) == NULL) {
-		error("Security key provider \"%s\" dlsym(sk_sign) failed: %s",
+		error("Provider \"%s\" dlsym(sk_sign) failed: %s",
 		    path, dlerror());
 		goto fail;
 	}
 	if ((ret->sk_load_resident_keys = dlsym(ret->dlhandle,
 	    "sk_load_resident_keys")) == NULL) {
-		error("Security key provider \"%s\" "
+		error("Provider \"%s\" dlsym(sk_load_resident_keys) "
-		    "dlsym(sk_load_resident_keys) failed: %s", path, dlerror());
+		    "failed: %s", path, dlerror());
 		goto fail;
 	}
 	/* success */
@@ -219,7 +218,7 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
 		goto out;
 	}
 	if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), q) != 0) {
-		error("Security key returned invalid ECDSA key");
+		error("Authenticator returned invalid ECDSA key");
 		r = SSH_ERR_KEY_INVALID_EC_VALUE;
 		goto out;
 	}
@@ -758,8 +757,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
 		goto out;
 	}
 	if ((r = skp->sk_load_resident_keys(pin, opts, &rks, &nrks)) != 0) {
-		error("Security key provider \"%s\" returned failure %d",
+		error("Provider \"%s\" returned failure %d", provider_path, r);
-		    provider_path, r);
 		r = skerr_to_ssherr(r);
 		goto out;
 	}

ssh.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.517 2020/01/28 07:24:15 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.518 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1376,7 +1376,7 @@ main(int ac, char **av)
 	if (options.sk_provider != NULL && *options.sk_provider == '$' &&
 	    strlen(options.sk_provider) > 1) {
 		if ((cp = getenv(options.sk_provider + 1)) == NULL) {
-			debug("Security key provider %s did not resolve; "
+			debug("Authenticator provider %s did not resolve; "
 			    "disabling", options.sk_provider);
 			free(options.sk_provider);
 			options.sk_provider = NULL;

sshconnect2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.318 2020/01/23 10:24:30 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.319 2020/02/06 22:30:54 naddy Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -613,7 +613,7 @@ format_identity(Identity *id)
 		if ((id->key->flags & SSHKEY_FLAG_EXT) != 0)
 			note = " token";
 		else if (sshkey_is_sk(id->key))
-			note = " security-key";
+			note = " authenticator";
 	}
 	xasprintf(&ret, "%s %s%s%s%s%s%s",
 	    id->filename,
@@ -1487,8 +1487,8 @@ load_identity_file(Identity *id)
 		}
 		if (private != NULL && sshkey_is_sk(private) &&
 		    options.sk_provider == NULL) {
-			debug("key \"%s\" is a security key, but no "
+			debug("key \"%s\" is an authenticator-hosted key, "
-			    "provider specified", id->filename);
+			    "but no provider specified", id->filename);
 			sshkey_free(private);
 			private = NULL;
 			quit = 1;
@@ -1571,7 +1571,7 @@ pubkey_prepare(Authctxt *authctxt)
 			continue;
 		}
 		if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
-			debug("%s: ignoring security key %s as no "
+			debug("%s: ignoring authenticator-hosted key %s as no "
 			    "SecurityKeyProvider has been specified",
 			    __func__, options.identity_files[i]);
 			continue;
@@ -1595,7 +1595,8 @@ pubkey_prepare(Authctxt *authctxt)
 			continue;
 		}
 		if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
-			debug("%s: ignoring security key certificate %s as no "
+			debug("%s: ignoring authenticator-hosted key "
+			    "certificate %s as no "
 			    "SecurityKeyProvider has been specified",
 			    __func__, options.identity_files[i]);
 			continue;