[openssh-commits] [openssh] branch master updated (eaf8672b -> 0caff053)
git+noreply at mindrot.org
Thu Aug 27 11:28:42 AEST 2020
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from eaf8672b Remove check for 'ent' command.
new e9c20028 upstream: let the "Confirm user presence for key ..." ssh-askpass
new d0a195c8 upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time
new 1196d7f4 upstream: ssh-keyscan(1): simplify conloop() with timercmp(3),
new 9b8ad938 upstream: support for user-verified FIDO keys
new 801c9f09 upstream: support for requiring user verified FIDO keys in sshd
new 642e06d0 upstream: major rework of FIDO token selection logic
new b649b3da upstream: preserve verify-required for resident FIDO keys
new 0caff053 upstream: Request PIN ahead of time for certain FIDO actions
The 8 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 0caff05350bd5fc635674c9e051a0322faba5ae3
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Aug 27 01:08:45 2020 +0000
upstream: Request PIN ahead of time for certain FIDO actions
When we know that a particular action will require a PIN, such as
downloading resident keys or generating a verify-required key, request
the PIN before attempting it.
joint work with Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727
commit b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Aug 27 01:08:19 2020 +0000
upstream: preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
from Pedro Martelletto; ok markus@ and myself
OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
commit 642e06d0df983fa2af85126cf4b23440bb2985bf
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Aug 27 01:07:51 2020 +0000
upstream: major rework of FIDO token selection logic
When PINs are in use and multiple FIDO tokens are attached to a host, we
cannot just blast requests at all attached tokens with the PIN specified
as this will cause the per-token PIN failure counter to increment. If
this retry counter hits the token's limit (usually 3 attempts), then the
token will lock itself and render all (web and SSH) of its keys invalid.
We don't want this.
So this reworks the key selection logic for the specific case of
multiple keys being attached. When multiple keys are attached and the
operation requires a PIN, then the user must touch the key that they
wish to use first in order to identify it.
This may require multiple touches, but only if there are multiple keys
attached AND (usually) the operation requires a PIN. The usual case of a
single key attached should be unaffected.
Work by Pedro Martelletto; ok myself and markus@
OpenBSD-Commit-ID: 637d3049ced61b7a9ee796914bbc4843d999a864
commit 801c9f095e6d8b7b91aefd98f5001c652ea13488
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Aug 27 01:07:09 2020 +0000
upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.
feedback and ok markus@
OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
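As an added illustration (not part of the commit above or of the OpenSSH tree), the two places a server administrator can express the verify-required requirement that this commit introduces. The sshd_config keyword name, PubkeyAuthOptions, is taken from the released sshd_config(5) manual page and is not named in the email; the key blob and user name are constructed placeholders.

```text
# /etc/ssh/sshd_config  -- server-wide policy
# Require that every FIDO/security-key signature offered for public-key
# authentication carries the "user verified" bit (e.g. PIN entered on the
# token). Non-FIDO keys are not affected by this option.
PubkeyAuthOptions verify-required

# ~/.ssh/authorized_keys  -- per-key policy, same effect for one key only.
# The flag is enforced by sshd from the bit baked into the FIDO signature,
# so it holds regardless of how the client or key was configured.
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAA...PLACEHOLDER-KEY-BLOB... alice@example.invalid

# Client side (for reference): a key that always asks for the PIN is made with
#   ssh-keygen -t ecdsa-sk -O verify-required
```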
commit 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Aug 27 01:06:18 2020 +0000
upstream: support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
commit 1196d7f49d4fbc90f37e550de3056561613b0960
Author: cheloha at openbsd.org <cheloha at openbsd.org>
Date: Wed Aug 12 01:23:45 2020 +0000
upstream: ssh-keyscan(1): simplify conloop() with timercmp(3),
timersub(3); ok djm@
OpenBSD-Commit-ID: a102acb544f840d33ad73d40088adab4a687fa27
commit d0a195c89e26766d3eb8f3e4e2a00ebc98b57795
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Aug 11 09:49:57 2020 +0000
upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-limited keys
will automatically be removed from ssh-agent after their expiry time has
passed; ok markus@
OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
commit e9c2002891a7b8e66f4140557a982978f372e5a3
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Aug 11 09:45:54 2020 +0000
upstream: let the "Confirm user presence for key ..." ssh-askpass
notification respect $SSH_ASKPASS_REQUIRE; ok markus@
OpenBSD-Commit-ID: 7c1a616b348779bda3b9ad46bf592741f8e206c1
Summary of changes:
auth-options.c | 20 +-
auth-options.h | 4 +-
auth.c | 9 +-
auth2-pubkey.c | 18 +-
krl.c | 7 +-
monitor.c | 19 +-
monitor_wrap.c | 4 +-
monitor_wrap.h | 5 +-
readconf.c | 85 ++++++--
readconf.h | 3 +-
readpass.c | 23 ++-
servconf.c | 6 +-
servconf.h | 5 +-
sk-api.h | 5 +-
sk-usbhid.c | 600 +++++++++++++++++++++++++++++++++------------------------
ssh-agent.c | 5 +-
ssh-keygen.1 | 24 ++-
ssh-keygen.c | 96 +++++----
ssh-keyscan.c | 18 +-
ssh-keysign.c | 4 +-
ssh-sk.c | 5 +-
ssh_api.c | 10 +-
ssh_config.5 | 23 ++-
sshconnect.c | 5 +-
sshconnect2.c | 37 ++--
sshd.8 | 11 +-
sshd.c | 8 +-
sshd_config.5 | 23 ++-
sshkey.c | 20 +-
sshkey.h | 11 +-
sshsig.c | 16 +-
sshsig.h | 8 +-
32 files changed, 710 insertions(+), 427 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.