upstream: Disallow remote addition of FIDO/PKCS11 provider

libraries to ssh-agent by default.

The old behaviour of allowing remote clients from loading providers
can be restored using `ssh-agent -O allow-remote-pkcs11`.

Detection of local/remote clients requires a ssh(1) that supports
the `session-bind@openssh.com` extension. Forwarding access to a
ssh-agent socket using non-OpenSSH tools may circumvent this control.

ok markus@

OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
This commit is contained in:
djm@openbsd.org 2023-07-19 13:56:33 +00:00 committed by Damien Miller
parent 892506b136
commit 1f2731f5d7
No known key found for this signature in database
2 changed files with 43 additions and 6 deletions

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-agent.1,v 1.75 2022/10/07 06:00:58 jmc Exp $
.\" $OpenBSD: ssh-agent.1,v 1.76 2023/07/19 13:56:33 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: October 7 2022 $
.Dd $Mdocdate: July 19 2023 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@ -107,9 +107,27 @@ environment variable).
.It Fl O Ar option
Specify an option when starting
.Nm .
Currently only one option is supported:
Currently two options are supported:
.Cm allow-remote-pkcs11
and
.Cm no-restrict-websafe .
This instructs
.Pp
The
.Cm allow-remote-pkcs11
option allows clients of a forwarded
.Nm
to load PKCS#11 or FIDO provider libraries.
By default only local clients may perform this operation.
Note that signalling that a
.Nm
client remote is performed by
.Xr ssh 1 ,
and use of other tools to forward access to the agent socket may circumvent
this restriction.
.Pp
The
.Cm no-restrict-websafe ,
instructs
.Nm
to permit signatures using FIDO keys that might be web authentication
requests.

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-agent.c,v 1.299 2023/07/10 04:51:26 djm Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
/* Pattern-list of allowed PKCS#11/Security key paths */
static char *allowed_providers;
/*
* Allows PKCS11 providers or SK keys that use non-internal providers to
* be added over a remote connection (identified by session-bind@openssh.com).
*/
static int remote_add_provider;
/* locking */
#define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16
@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e)
if (strcasecmp(sk_provider, "internal") == 0) {
debug_f("internal provider");
} else {
if (e->nsession_ids != 0 && !remote_add_provider) {
verbose("failed add of SK provider \"%.100s\": "
"remote addition of providers is disabled",
sk_provider);
goto out;
}
if (realpath(sk_provider, canonical_provider) == NULL) {
verbose("failed provider \"%.100s\": "
"realpath: %s", sk_provider,
@ -1391,6 +1403,11 @@ process_add_smartcard_key(SocketEntry *e)
error_f("failed to parse constraints");
goto send;
}
if (e->nsession_ids != 0 && !remote_add_provider) {
verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
"providers is disabled", provider);
goto send;
}
if (realpath(provider, canonical_provider) == NULL) {
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
provider, strerror(errno));
@ -2051,6 +2068,8 @@ main(int ac, char **av)
case 'O':
if (strcmp(optarg, "no-restrict-websafe") == 0)
restrict_websafe = 0;
else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
remote_add_provider = 1;
else
fatal("Unknown -O option");
break;