Age | Commit message | Author |
|
Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.
Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.
Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().
ok markus@
|
|
|
|
a better error message if it's not correct. Prompted by bz#2879,
ok djm@ jmc@
|
|
the touch has been recorded; requested by claudio@ ok markus@
|
|
things connected
|
|
|
|
appending ssh_err(r) manually; ok markus@
|
|
needed to verify the attestation. Previously we were missing the
"authenticator data" that is included in the signature.
spotted by Ian Haken
feedback Pedro Martelletto and Ian Haken; ok markus@
|
|
"ssh-keygen -vyf /path/key"
|
|
When we know that a particular action will require a PIN, such as
downloading resident keys or generating a verify-required key, request
the PIN before attempting it.
joint work with Pedro Martelletto; ok markus@
|
|
When PINs are in use and multiple FIDO tokens are attached to a host, we
cannot just blast requests at all attached tokens with the PIN specified
as this will cause the per-token PIN failure counter to increment. If
this retry counter hits the token's limit (usually 3 attempts), then the
token will lock itself and render all (web and SSH) of its keys invalid.
We don't want this.
So this reworks the key selection logic for the specific case of
multiple keys being attached. When multiple keys are attached and the
operation requires a PIN, then the user must touch the key that they
wish to use first in order to identify it.
This may require multiple touches, but only if there are multiple keys
attached AND (usually) the operation requires a PIN. The usual case of a
single key attached should be unaffected.
Work by Pedro Martelletto; ok myself and markus@
|
|
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
|
|
if the user specified a custom extension then everything would be
in order except the custom ones. bz3198 ok dtucker markus
|
|
- Reorder parameters list in the first usage() case
- Sentence rewording
ok dtucker@
jmc@ noticed usage() missed -a flag too
|
|
don't leave an empty .ssh directory when it's not needed. Use the same
function to replace the code in ssh-keygen that does the same thing.
bz#3156, ok djm@
|
|
Pedro Martelletto, ok markus@
|
|
|
|
"ssh-keygen -Rf /path". The old behaviour was to remove all rights for
group/other. bz#3146 ok dtucker@
|
|
and save a bunch of redundant code.
Patch from loic AT venez.fr; ok markus@ djm@
|
|
private keys using "ssh-keygen -i"; spotted by Michael Forney
|
|
of old-format key, key comments were not being displayed. Spotted by
loic AT venez.fr, ok dtucker
|
|
regression caused by my recent pubkey loading refactor. Reported by
loic AT venez.fr, ok dtucker@
|
|
revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker
|
|
from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html
|
|
until the token has told us that it needs one. Avoids double-prompting on
devices that implement on-device authentication (e.g. a touchscreen PIN
pad on the Trezor Model T). ok dtucker@
|
|
|
|
|
|
a critical option.
|
|
While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.
ok deraadt@ djm@
|
|
intended number of prompts (3) and 2) it would SEGV if too many incorrect
PINs were entered; based on patch by Gabriel Kihlman
|
|
This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
|
|
|
|
Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.
Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.
ok markus@
|
|
ssh-keygen be solely responsible for printing the error message and
converting some more common error responses from the middleware to
a useful ssherr.h status code. more detail remains visible via -v
of course.
also remove independent copy of sk-api.h declarations in sk-usbhid.c
and just include it.
feedback & ok markus@
|
|
feedback and ok markus@
|
|
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.
based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church
feedback and ok markus@
|
|
emit matched principals one per line to stdout rather than as comma-
separated and with a free-text preamble (easy confusion opportunity)
emit "not found" error to stderr
fix up argument testing for -Y operations and improve error message for
unsupported operations
|
|
algorithm (rsa-sha-512) if none is explicitly specified by the user;
ok markus@
|
|
ok markus@
|
|
use "principals" instead of principal, as allowed_signers lines may list
multiple.
When the signing key is a certificate, emit only principals that match
the certificate principal list.
NB. the command -Y name changes: "find-principal" => "find-principals"
ok markus@
|
|
they make them needlessly more difficult to cut and paste without
error; ok markus@ & dtucker@
|
|
principal associated with a signature from an allowed-signers
file. Work by Sebastian Kinne; ok dtucker@
|
|
comment. This makes copy-paste of fingerprints into ssh easier.
OK djm@
|
|
support; it works just fine and disabling it breaks a few tests.
ok dtucker@
|
|
ok markus@
|
|
operations. These are intended to future-proof the API a little by
making it easier to specify additional fields without having to
change the API version for each.
At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
|
|
"ssh-keygen -K". This will save public/private keys into the
current directory.
This is handy if you move a token between hosts.
feedback & ok markus@
|
|
Instead these flags may be specified via -O.
ok markus@
|
|
Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.
feedback and ok markus@
|
|
Allow passing a PIN via the SK API (API major crank) and let the
ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error
code instead of a complete reply. Will be used to signal "wrong PIN",
etc.
feedback and ok markus@
|