[openssh-commits] [openssh] 04/04: upstream: refuse to add verify-required (PINful) FIDO keys to

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Aug 31 14:34:50 AEST 2020


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 785f0f315bf7ac5909e988bb1ac3e019fb5e1594
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Aug 31 04:33:17 2020 +0000

    upstream: refuse to add verify-required (PINful) FIDO keys to
    
    ssh-agent until the agent supports them properly
    
    OpenBSD-Commit-ID: 125bd55a8df32c87c3ec33c6ebe437673a3d037e
---
 ssh-add.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/ssh-add.c b/ssh-add.c
index 93119747..936dc212 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.156 2020/06/26 05:04:07 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.157 2020/08/31 04:33:17 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -67,6 +67,7 @@
 #include "ssherr.h"
 #include "digest.h"
 #include "ssh-sk.h"
+#include "sk-api.h"
 
 /* argv0 */
 extern char *__progname;
@@ -348,12 +349,20 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
 		ssh_free_identitylist(idlist);
 	}
 
-	if (!sshkey_is_sk(private))
-		skprovider = NULL; /* Don't send constraint for other keys */
-	else if (skprovider == NULL) {
-		fprintf(stderr, "Cannot load authenticator-hosted key %s "
-		    "without provider\n", filename);
-		goto out;
+	if (sshkey_is_sk(private)) {
+		if (skprovider == NULL) {
+			fprintf(stderr, "Cannot load FIDO key %s "
+			    "without provider\n", filename);
+			goto out;
+		}
+		if ((private->sk_flags & SSH_SK_USER_VERIFICATION_REQD) != 0) {
+			fprintf(stderr, "FIDO verify-required key %s is not "
+			    "currently supported by ssh-agent\n", filename);
+			goto out;
+		}
+	} else {
+		/* Don't send provider constraint for other keys */
+		skprovider = NULL;
 	}
 
 	if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
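Review bot: The new verify-required rejection has no comment saying why it exists; the reason lives only in the commit message ("until the agent supports them properly"), so a reader of ssh-add.c later will not know whether the check is a policy or a stopgap. A short comment above the `sk_flags` test, such as `/* XXX ssh-agent cannot yet handle user-verification (PIN) for these keys; reject until it can */`, keeps the intent with the code and marks it for removal once agent support lands. The provider check runs before the verify-required check, so a PINful key offered without a provider reports the less specific "without provider" error; swapping the two checks would give the more accurate reason, though either order keeps the key out of the agent. add_file begins and ends outside this hunk, so the value returned through `goto out` is not visible here.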
