summaryrefslogtreecommitdiffstats
path: root/auth-options.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2019-11-25 00:54:23 +0000
committerDamien Miller <djm@mindrot.org>2019-11-25 12:23:40 +1100
commit2e71263b80fec7ad977e098004fef7d122169d40 (patch)
treeb4eef0768ef7fb69c0acdfad6a9d63762791d6f6 /auth-options.c
parent0fddf2967ac51d518e300408a0d7e6adf4cd2634 (diff)
upstream: add a "no-touch-required" option for authorized_keys and
a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
Diffstat (limited to 'auth-options.c')
-rw-r--r--auth-options.c38
1 files changed, 26 insertions, 12 deletions
diff --git a/auth-options.c b/auth-options.c
index 90b0d7f2..2d200944 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */
/*
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
*
@@ -96,7 +96,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob,
name, sshbuf_len(data));
found = 0;
if ((which & OPTIONS_EXTENSIONS) != 0) {
- if (strcmp(name, "permit-X11-forwarding") == 0) {
+ if (strcmp(name, "no-touch-required") == 0) {
+ opts->no_require_user_presence = 1;
+ found = 1;
+ } else if (strcmp(name, "permit-X11-forwarding") == 0) {
opts->permit_x11_forwarding_flag = 1;
found = 1;
} else if (strcmp(name,
@@ -347,6 +350,8 @@ sshauthopt_parse(const char *opts, const char **errstrp)
ret->permit_agent_forwarding_flag = r == 1;
} else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) {
ret->permit_x11_forwarding_flag = r == 1;
+ } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) {
+ ret->no_require_user_presence = r != 1; /* NB. flip */
} else if ((r = opt_flag("pty", 1, &opts)) != -1) {
ret->permit_pty_flag = r == 1;
} else if ((r = opt_flag("user-rc", 1, &opts)) != -1) {
@@ -567,14 +572,15 @@ sshauthopt_merge(const struct sshauthopt *primary,
goto alloc_fail;
}
- /* Flags are logical-AND (i.e. must be set in both for permission) */
-#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1)
- OPTFLAG(permit_port_forwarding_flag);
- OPTFLAG(permit_agent_forwarding_flag);
- OPTFLAG(permit_x11_forwarding_flag);
- OPTFLAG(permit_pty_flag);
- OPTFLAG(permit_user_rc);
-#undef OPTFLAG
+#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1)
+ /* Permissive flags are logical-AND (i.e. must be set in both) */
+ OPTFLAG_AND(permit_port_forwarding_flag);
+ OPTFLAG_AND(permit_agent_forwarding_flag);
+ OPTFLAG_AND(permit_x11_forwarding_flag);
+ OPTFLAG_AND(permit_pty_flag);
+ OPTFLAG_AND(permit_user_rc);
+ OPTFLAG_AND(no_require_user_presence);
+#undef OPTFLAG_AND
/* Earliest expiry time should win */
if (primary->valid_before != 0)
@@ -643,6 +649,7 @@ sshauthopt_copy(const struct sshauthopt *orig)
OPTSCALAR(cert_authority);
OPTSCALAR(force_tun_device);
OPTSCALAR(valid_before);
+ OPTSCALAR(no_require_user_presence);
#undef OPTSCALAR
#define OPTSTRING(x) \
do { \
@@ -765,7 +772,7 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
{
int r = SSH_ERR_INTERNAL_ERROR;
- /* Flag and simple integer options */
+ /* Flag options */
if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
(r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
(r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
@@ -773,7 +780,11 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
(r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
(r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
(r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
- (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
+ (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0)
+ return r;
+
+ /* Simple integer options */
+ if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0)
return r;
/* tunnel number can be negative to indicate "unset" */
@@ -817,6 +828,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
if ((opts = calloc(1, sizeof(*opts))) == NULL)
return SSH_ERR_ALLOC_FAIL;
+ /* Flag options */
#define OPT_FLAG(x) \
do { \
if ((r = sshbuf_get_u8(m, &f)) != 0) \
@@ -830,8 +842,10 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
OPT_FLAG(permit_user_rc);
OPT_FLAG(restricted);
OPT_FLAG(cert_authority);
+ OPT_FLAG(no_require_user_presence);
#undef OPT_FLAG
+ /* Simple integer options */
if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
goto out;