diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2012-12-02 20:26:12 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2012-12-02 20:26:12 +0000 |
| commit | e5abe9c12536dd70c239fc106dc89d43e3b89c45 (patch) | |
| tree | 51a6c347f150ccb2318755441734f729d1339217 | |
| parent | af958412e16e8e024cc5350f5d7b62e52a9e15fb (diff) | |
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
| -rw-r--r-- | usr.bin/ssh/ssh_config.5 | 6 | ||||
| -rw-r--r-- | usr.bin/ssh/sshconnect2.c | 29 |
2 files changed, 30 insertions, 5 deletions
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index d3e801df0da..09a3cf0354b 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $ -.Dd $Mdocdate: October 4 2012 $ +.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $ +.Dd $Mdocdate: December 2 2012 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -602,6 +602,8 @@ should only use the authentication identity files configured in the files, even if .Xr ssh-agent 1 +or a +.Cm PKCS11Provider offers more identities. The argument to this keyword must be .Dq yes diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 7b90582d767..006de8a824a 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1353,7 +1353,7 @@ load_identity_file(char *filename) static void pubkey_prepare(Authctxt *authctxt) { - Identity *id; + Identity *id, *id2, *tmp; Idlist agent, files, *preferred; Key *key; AuthenticationConnection *ac; @@ -1365,7 +1365,7 @@ pubkey_prepare(Authctxt *authctxt) preferred = &authctxt->keys; TAILQ_INIT(preferred); /* preferred order of keys */ - /* list of keys stored in the filesystem */ + /* list of keys stored in the filesystem and PKCS#11 */ for (i = 0; i < options.num_identity_files; i++) { key = options.identity_keys[i]; if (key && key->type == KEY_RSA1) @@ -1378,6 +1378,29 @@ pubkey_prepare(Authctxt *authctxt) id->filename = xstrdup(options.identity_files[i]); TAILQ_INSERT_TAIL(&files, id, next); } + /* Prefer PKCS11 keys that are explicitly listed */ + TAILQ_FOREACH_SAFE(id, &files, next, tmp) { + if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0) + continue; + found = 0; + TAILQ_FOREACH(id2, &files, next) { + if (id2->key == NULL || + (id2->key->flags & KEY_FLAG_EXT) != 0) + continue; + if (key_equal(id->key, id2->key)) { + TAILQ_REMOVE(&files, id, next); + TAILQ_INSERT_TAIL(preferred, id, next); + found = 1; + break; + } + } + /* If IdentitiesOnly set and key not found then don't use it */ + if (!found && options.identities_only) { + TAILQ_REMOVE(&files, id, next); + bzero(id, sizeof(id)); + free(id); + } + } /* list of keys supported by the agent */ if ((ac = ssh_get_authentication_connection())) { for (key = ssh_get_first_identity(ac, &comment, 2); |