authorDamien Miller <djm@cvs.openbsd.org>2024-10-24 03:15:48 +0000
committerDamien Miller <djm@cvs.openbsd.org>2024-10-24 03:15:48 +0000
commit03c418572adb043530b53eac391bc31b50d38e46 (patch)
treecfbf2925aeb4b3795c88abd336d64e2190074403
parent3d7162d0f8db1bc9d3ec5e321c53c59211449aad (diff)
amake ssh-agent drop all keys when it receives SIGUSR1;
lets users zap keys without access to $SSH_AUTH_SOCK ok deraadt@
-rw-r--r--usr.bin/ssh/ssh-agent.18
-rw-r--r--usr.bin/ssh/ssh-agent.c33
2 files changed, 33 insertions, 8 deletions
diff --git a/usr.bin/ssh/ssh-agent.1 b/usr.bin/ssh/ssh-agent.1
index 6815eb834d3..36ba7c6fd96 100644
--- a/usr.bin/ssh/ssh-agent.1
+++ b/usr.bin/ssh/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.79 2023/08/10 14:37:32 naddy Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.80 2024/10/24 03:15:47 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 10 2023 $
+.Dd $Mdocdate: October 24 2024 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -233,6 +233,10 @@ the connection to the agent is forwarded over SSH remote connections
and the result is returned to the requester,
allowing the user access to their identities anywhere in the network
in a secure fashion.
+.Pp
+.Nm
+will delete all keys it has loaded upon receiving
+.Dv SIGUSR1 .
.Sh ENVIRONMENT
.Bl -tag -width "SSH_AGENT_PID"
.It Ev SSH_AGENT_PID
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index dbbaf3192ca..d785466ae1a 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.307 2024/09/24 02:28:17 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.308 2024/10/24 03:15:47 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -149,7 +149,8 @@ int max_fd = 0;
pid_t parent_pid = -1;
time_t parent_alive_interval = 0;
-sig_atomic_t signalled = 0;
+static sig_atomic_t signalled_exit;
+static sig_atomic_t signalled_keydrop;
/* pid of process for which cleanup_socket is applicable */
pid_t cleanup_pid = 0;
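Review bot: Both new flags are stored to from signal handlers but are declared plain `static sig_atomic_t`; C11 7.14.1.1 only defines behavior for a handler that writes a `volatile sig_atomic_t` object, so a compiler is in principle free to cache the main loop's reads of them. The original `signalled` had the same omission, but since this hunk rewrites both declarations it is the natural place to fix it: `static volatile sig_atomic_t signalled_exit;` and `static volatile sig_atomic_t signalled_keydrop;`. In practice the reads in the ppoll loop follow a `sigprocmask()` call, which very likely forces a reload, so this is portability hardening rather than an observed bug.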
@@ -1008,7 +1009,7 @@ process_remove_identity(SocketEntry *e)
}
static void
-process_remove_all_identities(SocketEntry *e)
+remove_all_identities(void)
{
Identity *id;
@@ -1022,6 +1023,12 @@ process_remove_all_identities(SocketEntry *e)
/* Mark that there are no identities. */
idtab->nentries = 0;
+}
+
+static void
+process_remove_all_identities(SocketEntry *e)
+{
+ remove_all_identities();
/* Send success. */
send_status(e, 1);
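Review bot: `remove_all_identities()` now has two callers from different contexts (a client request on the agent socket and the SIGUSR1 path in the main loop) but carries no comment saying so, and its definition begins in the preceding hunk with the body largely outside this one. A short header above `static void remove_all_identities(void)` such as `/* Free every loaded identity and reset idtab. Shared by the REMOVE_ALL request and the SIGUSR1 key-drop path, so it must not depend on a SocketEntry. */` would keep a later change from reintroducing a per-connection dependency that the signal path cannot satisfy. The wrapper `process_remove_all_identities()` is fine as written; it only adds the `send_status(e, 1)` reply.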
@@ -2151,7 +2158,13 @@ cleanup_exit(int i)
static void
cleanup_handler(int sig)
{
- signalled = sig;
+ signalled_exit = sig;
+}
+
+static void
+keydrop_handler(int sig)
+{
+ signalled_keydrop = sig;
}
static void
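Review bot: `keydrop_handler()` deliberately does nothing but store the signal number, yet nothing in the code records that this restraint is intentional; the key wipe runs later from the main loop because `remove_all_identities()` appears to release each loaded identity (that loop is outside the visible hunks) and is therefore not async-signal-safe. A comment above the two handlers, e.g. `/* Only set a flag here; the main loop acts on it with signals blocked. Freeing keys from handler context would not be async-signal-safe. */`, would protect that invariant. It is also a good place to note that both flags hold the signal number (used in the log message) rather than a boolean.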
@@ -2427,21 +2440,29 @@ skip:
ssh_signal(SIGINT, (d_flag | D_flag) ? cleanup_handler : SIG_IGN);
ssh_signal(SIGHUP, cleanup_handler);
ssh_signal(SIGTERM, cleanup_handler);
+ ssh_signal(SIGUSR1, keydrop_handler);
sigemptyset(&nsigset);
sigaddset(&nsigset, SIGINT);
sigaddset(&nsigset, SIGHUP);
sigaddset(&nsigset, SIGTERM);
+ sigaddset(&nsigset, SIGUSR1);
if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
fatal("%s: pledge: %s", __progname, strerror(errno));
while (1) {
sigprocmask(SIG_BLOCK, &nsigset, &osigset);
- if (signalled != 0) {
- logit("exiting on signal %d", (int)signalled);
+ if (signalled_exit != 0) {
+ logit("exiting on signal %d", (int)signalled_exit);
cleanup_exit(2);
}
+ if (signalled_keydrop) {
+ logit("signal %d received; removing all keys",
+ signalled_keydrop);
+ remove_all_identities();
+ signalled_keydrop = 0;
+ }
ptimeout_init(&timeout);
prepare_poll(&pfd, &npfd, &timeout, maxfds);
result = ppoll(pfd, npfd, ptimeout_get_tsp(&timeout), &osigset);
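Review bot: The new log call passes `signalled_keydrop` to `%d` without a cast, while the exit branch a few lines above writes `(int)signalled_exit`; `sig_atomic_t` is `int` on OpenBSD but is not guaranteed to be on every platform the portable tree targets, so `(int)signalled_keydrop` keeps the two branches consistent and `-Wformat` quiet. The rest of the sequence looks right: SIGUSR1 is added to `nsigset`, so the flag is tested and cleared while the signal is blocked and a second SIGUSR1 cannot be lost between `remove_all_identities()` and `signalled_keydrop = 0`. A one-line comment on the new branch, e.g. `/* SIGUSR1: drop all loaded keys without needing the agent socket */`, would tie the code to the documented behaviour in ssh-agent.1.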