summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2020-08-27 01:08:46 +0000
committerDamien Miller <djm@cvs.openbsd.org>2020-08-27 01:08:46 +0000
commit02cf7a0cd5101219146185557dae4b3a836e0f39 (patch)
tree07e0cde73cb1876d4560077fd5f9e6cca64ecea4 /usr.bin/ssh
parent202d1e78abcd5beb689423ad9a285cb758d3576e (diff)
Request PIN ahead of time for certain FIDO actions
When we know that a particular action will require a PIN, such as downloading resident keys or generating a verify-required key, request the PIN before attempting it. joint work with Pedro Martelletto; ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/ssh-keygen.14
-rw-r--r--usr.bin/ssh/ssh-keygen.c38
2 files changed, 23 insertions, 19 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1
index 7e0558fe194..e18fcde0187 100644
--- a/usr.bin/ssh/ssh-keygen.1
+++ b/usr.bin/ssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.206 2020/08/27 01:06:18 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.207 2020/08/27 01:08:45 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -382,6 +382,8 @@ The default import format is
Download resident keys from a FIDO authenticator.
Public and private key files will be written to the current directory for
each downloaded key.
+If multiple FIDO authenticators are attached, keys will be downloaded from
+the first touched authenticator.
.It Fl k
Generate a KRL file.
In this mode,
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index c13a72bc65b..7f145c86923 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.417 2020/08/27 01:07:51 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.418 2020/08/27 01:08:45 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2962,20 +2962,17 @@ do_download_sk(const char *skprovider, const char *device)
if (skprovider == NULL)
fatal("Cannot download keys without provider");
- for (i = 0; i < 2; i++) {
- if (i == 1) {
- pin = read_passphrase("Enter PIN for authenticator: ",
- RP_ALLOW_STDIN);
- }
- if ((r = sshsk_load_resident(skprovider, device, pin,
- &keys, &nkeys)) != 0) {
- if (i == 0 && r == SSH_ERR_KEY_WRONG_PASSPHRASE)
- continue;
- if (pin != NULL)
- freezero(pin, strlen(pin));
- error("Unable to load resident keys: %s", ssh_err(r));
- return -1;
- }
+ pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
+ if (!quiet) {
+ printf("You may need to touch your authenticator "
+ "to authorize key download.\n");
+ }
+ if ((r = sshsk_load_resident(skprovider, device, pin,
+ &keys, &nkeys)) != 0) {
+ if (pin != NULL)
+ freezero(pin, strlen(pin));
+ error("Unable to load resident keys: %s", ssh_err(r));
+ return -1;
}
if (nkeys == 0)
logit("No keys to download");
@@ -3584,9 +3581,15 @@ main(int argc, char **argv)
printf("You may need to touch your authenticator "
"to authorize key generation.\n");
}
- passphrase = NULL;
if ((attest = sshbuf_new()) == NULL)
fatal("sshbuf_new failed");
+ if ((sk_flags &
+ (SSH_SK_USER_VERIFICATION_REQD|SSH_SK_RESIDENT_KEY))) {
+ passphrase = read_passphrase("Enter PIN for "
+ "authenticator: ", RP_ALLOW_STDIN);
+ } else {
+ passphrase = NULL;
+ }
for (i = 0 ; ; i++) {
fflush(stdout);
r = sshsk_enroll(type, sk_provider, sk_device,
@@ -3597,9 +3600,8 @@ main(int argc, char **argv)
break;
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
fatal("Key enrollment failed: %s", ssh_err(r));
- else if (i > 0)
+ else if (passphrase != NULL) {
error("PIN incorrect");
- if (passphrase != NULL) {
freezero(passphrase, strlen(passphrase));
passphrase = NULL;
}