[openssh-commits] [openssh] 02/02: upstream: ssh-agent implemented an all-or-nothing allow-list of

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Nov 7 10:49:18 AEDT 2024



djm pushed a commit to branch master
in repository openssh.

commit 82662d562cf54829df8a941cdfb2fd307e1d9a90
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Wed Nov 6 22:51:26 2024 +0000

    upstream: ssh-agent implemented an all-or-nothing allow-list of
    
    FIDO application IDs for security key-backed keys, to prevent web key handles
    from being used remotely as this would likely lead to unpleasant surprises.
    By default, only application IDs that start with "ssh:*" are allowed.
    
    This adds a -Owebsafe-allow=... argument that can override the default
    list with a more or less restrictive one. The default remains unchanged.
    
    ok markus@
    
    OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d
---
 ssh-agent.1 | 28 ++++++++++++++++++++--------
 ssh-agent.c | 19 ++++++++++++++++---
 2 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/ssh-agent.1 b/ssh-agent.1
index e5f9b0e3..2f5b091e 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.80 2024/10/24 03:15:47 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.81 2024/11/06 22:51:26 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo at cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2024 $
+.Dd $Mdocdate: November 6 2024 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -107,10 +107,11 @@ environment variable).
 .It Fl O Ar option
 Specify an option when starting
 .Nm .
-Currently two options are supported:
-.Cm allow-remote-pkcs11
+The supported options are:
+.Cm allow-remote-pkcs11 ,
+.Cm no-restrict-websafe
 and
-.Cm no-restrict-websafe .
+.Cm websafe-allow .
 .Pp
 The
 .Cm allow-remote-pkcs11
@@ -143,6 +144,16 @@ user authentication request or a
 signature.
 The default behaviour prevents forwarded access to a FIDO key from also
 implicitly forwarding the ability to authenticate to websites.
+.Pp
+Alternately the
+.Cm websafe-allow
+option allows specifying a pattern-list of key application strings to
+replace the default application allow-list, for example:
+.Dq websafe-allow=ssh:*,example.org,*.example.com
+.Pp
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
 .It Fl P Ar allowed_providers
 Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
 authenticator middleware shared libraries that may be used with the
@@ -152,11 +163,12 @@ or
 options to
 .Xr ssh-add 1 .
 Libraries that do not match the pattern list will be refused.
-See PATTERNS in
-.Xr ssh_config 5
-for a description of pattern-list syntax.
 The default list is
 .Dq usr/lib*/*,/usr/local/lib*/* .
+.Pp
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
 .It Fl s
 Generate Bourne shell commands on
 .Dv stdout .
diff --git a/ssh-agent.c b/ssh-agent.c
index 55f3a852..96c25b9d 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.308 2024/10/24 03:15:47 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.309 2024/11/06 22:51:26 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -94,6 +94,9 @@
 #ifndef DEFAULT_ALLOWED_PROVIDERS
 # define DEFAULT_ALLOWED_PROVIDERS "/usr/lib*/*,/usr/local/lib*/*"
 #endif
+#ifndef DEFAULT_WEBSAFE_ALLOWLIST
+# define DEFAULT_WEBSAFE_ALLOWLIST "ssh:*"
+#endif
 
 /* Maximum accepted message length */
 #define AGENT_MAX_LEN		(256*1024)
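Review bot: The new DEFAULT_WEBSAFE_ALLOWLIST define has no comment, and the same goes for the `static char *websafe_allowlist;` added in the next hunk, while the neighbouring `restrict_websafe` does carry one. Suggested on the define: `/* Default websafe-allow pattern-list: only ssh-specific FIDO application IDs */`, and on the global: `/* Pattern-list of FIDO application IDs exempt from the websafe message check; set from -Owebsafe-allow or defaulted in main() */`. Both claims follow from the match_pattern_list() call in process_sign_request2() and the default assignment at the end of option handling in main().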
@@ -198,6 +201,7 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
 
 /* Refuse signing of non-SSH messages for web-origin FIDO keys */
 static int restrict_websafe = 1;
+static char *websafe_allowlist;
 
 static void
 close_socket(SocketEntry *e)
@@ -925,7 +929,8 @@ process_sign_request2(SocketEntry *e)
 	}
 	if (sshkey_is_sk(id->key)) {
 		if (restrict_websafe &&
-		    strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+		    match_pattern_list(id->key->sk_application,
+		    websafe_allowlist, 0) != 1 &&
 		    !check_websafe_message_contents(key, data)) {
 			/* error already logged */
 			goto send;
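Review bot: The new condition depends on match_pattern_list() returning exactly 1, so both a non-match and a negated-pattern match (reported as -1 by that function, if I recall match.c correctly) keep the check_websafe_message_contents() requirement; that is the safe direction, but nothing at the call site says so. A comment above `if (restrict_websafe &&` would spare the next reader a trip to match.c: `/* only a positive allow-list match skips the websafe message check */`. Note also that a list such as `websafe-allow=*` matches every application and is therefore equivalent to no-restrict-websafe, which the manual page hunk could state in one sentence. process_sign_request2() starts and ends outside this hunk.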
@@ -2212,6 +2217,7 @@ main(int ac, char **av)
 	int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
 	int sock, ch, result, saved_errno;
 	char *shell, *format, *pidstr, *agentsocket = NULL;
+	const char *ccp;
 #ifdef HAVE_SETRLIMIT
 	struct rlimit rlim;
 #endif
@@ -2264,7 +2270,12 @@ main(int ac, char **av)
 				restrict_websafe = 0;
 			else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
 				remote_add_provider = 1;
-			else
+			else if ((ccp = strprefix(optarg,
+			    "websafe-allow=", 0)) != NULL) {
+				if (websafe_allowlist != NULL)
+					fatal("websafe-allow already set");
+				websafe_allowlist = xstrdup(ccp);
+			} else
 				fatal("Unknown -O option");
 			break;
 		case 'P':
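Review bot: The websafe-allow= branch is accepted even when -Ono-restrict-websafe is also given, in which case the list is never consulted because process_sign_request2() tests restrict_websafe first, so the option silently has no effect. A comment on the new branch, `/* no effect when no-restrict-websafe is also set */`, or a fatal() when both options are present, would make that explicit. An empty value (`-Owebsafe-allow=`) is also stored as-is; presumably an empty pattern list matches nothing, which is the restrictive direction, but `if (*ccp == '\0') fatal("websafe-allow requires a pattern-list");` would reject it at startup instead of leaving every security-key signature subject to the message check with no hint why. The enclosing main() continues outside the hunk.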
@@ -2308,6 +2319,8 @@ main(int ac, char **av)
 
 	if (allowed_providers == NULL)
 		allowed_providers = xstrdup(DEFAULT_ALLOWED_PROVIDERS);
+	if (websafe_allowlist == NULL)
+		websafe_allowlist = xstrdup(DEFAULT_WEBSAFE_ALLOWLIST);
 
 	if (ac == 0 && !c_flag && !s_flag) {
 		shell = getenv("SHELL");
