authorDamien Miller <djm@cvs.openbsd.org>2020-08-31 04:33:18 +0000
committerDamien Miller <djm@cvs.openbsd.org>2020-08-31 04:33:18 +0000
commit46ec8740f0477f7d789e346de554585ec88a076a (patch)
tree33af016d4b6dfba7b1ef70e55a10cf2e5fa8adb4 /usr.bin
parent4e95f9592d32d3201eec0711bcc9f8026d07d971 (diff)
refuse to add verify-required (PINful) FIDO keys to ssh-agent until
the agent supports them properly
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/ssh-add.c23
1 files changed, 16 insertions, 7 deletions
diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index 369045900c8..0ce989f5703 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.156 2020/06/26 05:04:07 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.157 2020/08/31 04:33:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -64,6 +64,7 @@
#include "ssherr.h"
#include "digest.h"
#include "ssh-sk.h"
+#include "sk-api.h"
/* argv0 */
extern char *__progname;
@@ -341,12 +342,20 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
ssh_free_identitylist(idlist);
}
- if (!sshkey_is_sk(private))
- skprovider = NULL; /* Don't send constraint for other keys */
- else if (skprovider == NULL) {
- fprintf(stderr, "Cannot load authenticator-hosted key %s "
- "without provider\n", filename);
- goto out;
+ if (sshkey_is_sk(private)) {
+ if (skprovider == NULL) {
+ fprintf(stderr, "Cannot load FIDO key %s "
+ "without provider\n", filename);
+ goto out;
+ }
+ if ((private->sk_flags & SSH_SK_USER_VERIFICATION_REQD) != 0) {
+ fprintf(stderr, "FIDO verify-required key %s is not "
+ "currently supported by ssh-agent\n", filename);
+ goto out;
+ }
+ } else {
+ /* Don't send provider constraint for other keys */
+ skprovider = NULL;
}
if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
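Review bot: The new rejection at the `sk_flags` test has no comment explaining why a verify-required key is refused, and the stderr text only says "not currently supported", so a maintainer lifting the restriction later has nothing inline to tell them what the agent must gain first. Suggest placing `/* Refuse verify-required (PIN) keys until ssh-agent can perform the user-verification step itself; see commit message */` directly above `if ((private->sk_flags & SSH_SK_USER_VERIFICATION_REQD) != 0) {`. The decision is driven solely by the flag carried in the loaded private key, not by anything queried from the authenticator, which looks deliberate since the missing support is on the agent side; a one-line comment saying so would also stop a reader from expecting a provider round-trip here. add_file begins and ends outside the hunk, so the status returned after the two `goto out` paths is not visible in this view; presumably it is the function's existing failure value.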