the error to determine whether a PIN is required and prompt only if
necessary. from Corinna Vinschen
OpenBSD-Commit-ID: dd6be6a0b7148608e834ee737c3479b3270b00dd
ssh-askpass will be used to request the PIN at authentication time.
From Pedro Martelletto, ok djm
OpenBSD-Commit-ID: de8189fcd35b45f632484864523c1655550e2950
Require host-bound userauth requests for forwarded SSH connections.
The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.
ok markus@
OpenBSD-Commit-ID: d69877c9a3bd8d1189a5dbdeceefa432044dae02
Allow parse_userauth_request() to work with blobs from
publickey-hostbound-v00@openssh.com userauth attempts.
Extract hostkey from these blobs.
ok markus@
OpenBSD-Commit-ID: 81c064255634c1109477dc65c3e983581d336df8
Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.
Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: 84a7fb81106c2d609a6ac17469436df16d196319
record session ID/hostkey/forwarding status for each active socket.
Attempt to parse data-to-be-signed at signature request time and extract
session ID from the blob if it is a pubkey userauth request.
ok markus@
OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
Key constraints parsing code previously existed in both the "add regular
key" and "add smartcard key" path. This unifies them but also introduces
more consistency checking: duplicated constraints and constraints that
are nonsensical for a particular situation (e.g. FIDO provider for a
smartcard key) are now banned.
ok markus@
OpenBSD-Commit-ID: 511cb1b1c021ee1d51a4c2d649b937445de7983c
Allow confirm_key() to accept an additional reason suffix
Factor publickey userauth parsing out into its own function and allow
it to optionally return things it parsed out of the message to its
caller.
feedback/ok markus@
OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e
also clear socket entries that are being marked as unused.
spinkle in some debug2() spam to make it easier to watch an agent
do its thing.
ok markus
OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
On platforms where sizeof(int) != sizeof(long), convtime could accept values
>MAX_INT which subsequently truncate when stored in an int during config
parsing. bz#3250, ok djm@
OpenBSD-Commit-ID: 8fc932683d6b4660d52f50911d62bd6639c5db31
stdout and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these to redirect.
ok markus@
OpenBSD-Commit-ID: 3033ba5a4c47cacfd5def020d42cabc52fad3099
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
keys.
When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently pubkey authentication and sshsig signatures).
This prevents ssh-agent forwarding on a host that has FIDO keys
attached granting the ability for the remote side to sign challenges
for web authentication using those keys too.
Note that the converse case of web browsers signing SSH challenges is
already precluded because no web RP can have the "ssh:" prefix in the
application string that we require.
ok markus@
OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.
ok deraadt@ djm@
OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
messages.
This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e
avoids malicious client from being able to cause agent to load arbitrary
libraries into ssh-sk-helper.
reported by puck AT puckipedia.com; ok markus
OpenBSD-Commit-ID: 1086643df1b7eee4870825c687cf0c26a6145d1c
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.
based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church
feedback and ok markus@
OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.
OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
dtucker@openbsd.org
jmc@openbsd.org
djm@openbsd.org
jsg@openbsd.org
Damien Miller
markus@openbsd.org
naddy@openbsd.org