mirror of git://anongit.mindrot.org/openssh.git
upstream: Disallow remote addition of FIDO/PKCS11 provider
libraries to ssh-agent by default. The old behaviour of allowing remote clients from loading providers can be restored using `ssh-agent -O allow-remote-pkcs11`. Detection of local/remote clients requires a ssh(1) that supports the `session-bind@openssh.com` extension. Forwarding access to a ssh-agent socket using non-OpenSSH tools may circumvent this control. ok markus@ OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
This commit is contained in:
parent
892506b136
commit
1f2731f5d7
26
ssh-agent.1
26
ssh-agent.1
|
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-agent.1,v 1.75 2022/10/07 06:00:58 jmc Exp $
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.76 2023/07/19 13:56:33 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -34,7 +34,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: October 7 2022 $
|
||||
.Dd $Mdocdate: July 19 2023 $
|
||||
.Dt SSH-AGENT 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -107,9 +107,27 @@ environment variable).
|
|||
.It Fl O Ar option
|
||||
Specify an option when starting
|
||||
.Nm .
|
||||
Currently only one option is supported:
|
||||
Currently two options are supported:
|
||||
.Cm allow-remote-pkcs11
|
||||
and
|
||||
.Cm no-restrict-websafe .
|
||||
This instructs
|
||||
.Pp
|
||||
The
|
||||
.Cm allow-remote-pkcs11
|
||||
option allows clients of a forwarded
|
||||
.Nm
|
||||
to load PKCS#11 or FIDO provider libraries.
|
||||
By default only local clients may perform this operation.
|
||||
Note that signalling that a
|
||||
.Nm
|
||||
client remote is performed by
|
||||
.Xr ssh 1 ,
|
||||
and use of other tools to forward access to the agent socket may circumvent
|
||||
this restriction.
|
||||
.Pp
|
||||
The
|
||||
.Cm no-restrict-websafe ,
|
||||
instructs
|
||||
.Nm
|
||||
to permit signatures using FIDO keys that might be web authentication
|
||||
requests.
|
||||
|
|
21
ssh-agent.c
21
ssh-agent.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-agent.c,v 1.299 2023/07/10 04:51:26 djm Exp $ */
|
||||
/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
|
|||
/* Pattern-list of allowed PKCS#11/Security key paths */
|
||||
static char *allowed_providers;
|
||||
|
||||
/*
|
||||
* Allows PKCS11 providers or SK keys that use non-internal providers to
|
||||
* be added over a remote connection (identified by session-bind@openssh.com).
|
||||
*/
|
||||
static int remote_add_provider;
|
||||
|
||||
/* locking */
|
||||
#define LOCK_SIZE 32
|
||||
#define LOCK_SALT_SIZE 16
|
||||
|
@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e)
|
|||
if (strcasecmp(sk_provider, "internal") == 0) {
|
||||
debug_f("internal provider");
|
||||
} else {
|
||||
if (e->nsession_ids != 0 && !remote_add_provider) {
|
||||
verbose("failed add of SK provider \"%.100s\": "
|
||||
"remote addition of providers is disabled",
|
||||
sk_provider);
|
||||
goto out;
|
||||
}
|
||||
if (realpath(sk_provider, canonical_provider) == NULL) {
|
||||
verbose("failed provider \"%.100s\": "
|
||||
"realpath: %s", sk_provider,
|
||||
|
@ -1391,6 +1403,11 @@ process_add_smartcard_key(SocketEntry *e)
|
|||
error_f("failed to parse constraints");
|
||||
goto send;
|
||||
}
|
||||
if (e->nsession_ids != 0 && !remote_add_provider) {
|
||||
verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
|
||||
"providers is disabled", provider);
|
||||
goto send;
|
||||
}
|
||||
if (realpath(provider, canonical_provider) == NULL) {
|
||||
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
||||
provider, strerror(errno));
|
||||
|
@ -2051,6 +2068,8 @@ main(int ac, char **av)
|
|||
case 'O':
|
||||
if (strcmp(optarg, "no-restrict-websafe") == 0)
|
||||
restrict_websafe = 0;
|
||||
else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
|
||||
remote_add_provider = 1;
|
||||
else
|
||||
fatal("Unknown -O option");
|
||||
break;
|
||||
|
|
Loading…
Reference in New Issue