From 81f7985adc76c9d3a95d80cb3717bcb54f906e79 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 27 Aug 2020 01:07:11 +0000 Subject: support for requiring user verified FIDO keys in sshd This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ --- usr.bin/ssh/auth2-pubkey.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'usr.bin/ssh/auth2-pubkey.c') diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c index c9f6c73ba50..8210f404564 100644 --- a/usr.bin/ssh/auth2-pubkey.c +++ b/usr.bin/ssh/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.100 2020/08/27 01:07:09 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -94,7 +94,7 @@ userauth_pubkey(struct ssh *ssh) u_char *pkblob = NULL, *sig = NULL, have_sig; size_t blen, slen; int r, pktype; - int req_presence = 0, authenticated = 0; + int req_presence = 0, req_verify = 0, authenticated = 0; struct sshauthopt *authopts = NULL; struct sshkey_sig_details *sig_details = NULL; @@ -236,6 +236,20 @@ userauth_pubkey(struct ssh *ssh) authenticated = 0; goto done; } + req_verify = (options.pubkey_auth_options & + PUBKEYAUTH_VERIFY_REQUIRED) || + authopts->require_verify; + if (req_verify && (sig_details->sk_flags & + SSH_SK_USER_VERIFICATION_REQD) == 0) { + error("public key %s signature for %s%s from " + "%.128s port %d rejected: user " + "verification requirement not met ", key_s, + authctxt->valid ? "" : "invalid user ", + authctxt->user, ssh_remote_ipaddr(ssh), + ssh_remote_port(ssh)); + authenticated = 0; + goto done; + } } auth2_record_key(authctxt, authenticated, key); } else { -- cgit v1.2.3