upstream: allow "ssh-keygen -x no-touch-required" when generating a

security key keypair to request one that does not require a touch for each
authentication attempt. The default remains to require touch.

feedback deraadt; ok markus@

OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
djm@openbsd.org 2019-11-25 00:55:58 +00:00 committed by Damien Miller
parent 2e71263b80
commit daeaf41369
2 changed files with 25 additions and 14 deletions


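--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.178 2019/11/25 00:55:58 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -679,6 +679,15 @@ internal support for USB HID keys.
 .It Fl x Ar flags
 Specifies the security key flags to use when enrolling a security key-hosted
 key.
+Flags may be specified by name or directly as a hexadecimal value.
+Only one named flag is supported at present:
+.Cm no-touch-required ,
+which indicates that the generated private key should not require touch
+events (user presence) when making signatures.
+Note that
+.Xr sshd 8
+will refuse such signatures by default, unless overridden via
+an authorized_keys option.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.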


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.372 2019/11/25 00:55:58 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2810,6 +2810,7 @@ main(int argc, char **argv)
unsigned long long ull, cert_serial = 0; unsigned long long ull, cert_serial = 0;
char *identity_comment = NULL, *ca_key_path = NULL; char *identity_comment = NULL, *ca_key_path = NULL;
u_int32_t bits = 0; u_int32_t bits = 0;
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
FILE *f; FILE *f;
const char *errstr; const char *errstr;
int log_level = SYSLOG_LEVEL_INFO; int log_level = SYSLOG_LEVEL_INFO;
@ -2822,9 +2823,6 @@ main(int argc, char **argv)
unsigned long start_lineno = 0, lines_to_process = 0; unsigned long start_lineno = 0, lines_to_process = 0;
BIGNUM *start = NULL; BIGNUM *start = NULL;
#endif #endif
#ifdef ENABLE_SK
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
#endif
extern int optind; extern int optind;
extern char *optarg; extern char *optarg;
@ -3015,15 +3013,19 @@ main(int argc, char **argv)
case 'x': case 'x':
if (*optarg == '\0') if (*optarg == '\0')
fatal("Missing security key flags"); fatal("Missing security key flags");
ull = strtoull(optarg, &ep, 0); if (strcasecmp(optarg, "no-touch-required") == 0)
if (*ep != '\0') sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
fatal("Security key flags \"%s\" is not a " else {
"number", optarg); ull = strtoull(optarg, &ep, 0);
if (ull > 0xff) if (*ep != '\0')
fatal("Invalid security key flags 0x%llx", ull); fatal("Security key flags \"%s\" is "
#ifdef ENABLE_SK "not a number", optarg);
sk_flags = (uint8_t)ull; if (ull > 0xff) {
#endif fatal("Invalid security key "
"flags 0x%llx", ull);
}
sk_flags = (uint8_t)ull;
}
break; break;
case 'z': case 'z':
errno = 0; errno = 0;
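Review bot: The two forms of `-x` compose differently in the new `case 'x'` body: `no-touch-required` clears one bit in the current `sk_flags`, whereas a numeric argument replaces the whole value, so repeating the option is order-sensitive (`-x no-touch-required -x 0x1` re-enables user presence, the reverse order does not) and a numeric `0` yields the same no-touch key the manual page warns sshd will refuse by default. A comment above the `strcasecmp` call would record the intended semantics, e.g. `/* a named flag adjusts the current sk_flags; a numeric argument replaces them */`, or the numeric branch could be made to combine with the existing value if composition is what is wanted. The `strtoull(optarg, &ep, 0)` call accepts decimal and octal as well as hex, so the manual's "hexadecimal value" wording in the accompanying ssh-keygen.1 hunk is narrower than what is parsed. The enclosing `main` begins outside the hunk.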