From 3093d12ff80927cf45da08d9f262a26680fb14ee Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 30 Dec 2019 09:49:52 +0000 Subject: [PATCH] upstream: Remove the -x option currently used for FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1 --- ssh-keygen.1 | 39 ++++++++++++++++++++++++--------------- ssh-keygen.c | 45 ++++++++++++++++++++++----------------------- 2 files changed, 46 insertions(+), 38 deletions(-) diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9afb92943..1f4edace5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -48,10 +48,10 @@ .Op Fl C Ar comment .Op Fl f Ar output_keyfile .Op Fl m Ar format +.Op Fl O Ar option .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa .Op Fl N Ar new_passphrase .Op Fl w Ar provider -.Op Fl x Ar flags .Nm ssh-keygen .Fl p .Op Fl f Ar keyfile @@ -453,7 +453,28 @@ listed in the .Sx MODULI GENERATION section may be specified. .Pp -This option may be specified multiple times. +When generating a key that will be hosted on a FIDO authenticator, this +flag may be used to specify key-specific options. +Two FIDO authenticator options are supported at present: +.Pp +.Cm no-touch-required +indicates that the generated private key should not require touch +events (user presence) when making signatures. +Note that +.Xr sshd 8 +will refuse such signatures by default, unless overridden via +an authorized_keys option. +.Pp +.Cm resident +indicates that the key should be stored on the FIDO authenticator itself. +Resident keys may be supported on FIDO2 tokens and typically require that +a PIN be set on the token prior to generation. +Resident keys may be loaded off the token using +.Xr ssh-add 1 . +.Pp +The +.Fl O +option may be specified multiple times. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p @@ -573,18 +594,6 @@ The maximum is 3. Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. -.It Fl x Ar flags -Specifies the authenticator flags to use when enrolling an authenticator-hosted -key. -Flags may be specified by name or directly as a hexadecimal value. -Only one named flag is supported at present: -.Cm no-touch-required , -which indicates that the generated private key should not require touch -events (user presence) when making signatures. -Note that -.Xr sshd 8 -will refuse such signatures by default, unless overridden via -an authorized_keys option. .It Fl Y Cm check-novalidate Checks that a signature generated using .Nm diff --git a/ssh-keygen.c b/ssh-keygen.c index 696891e0e..3640a3c37 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.380 2019/12/30 09:49:52 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2932,7 +2932,7 @@ main(int argc, char **argv) int prefer_agent = 0, convert_to = 0, convert_from = 0; int print_public = 0, print_generic = 0, cert_serial_autoinc = 0; int do_gen_candidates = 0, do_screen_candidates = 0; - unsigned long long ull, cert_serial = 0; + unsigned long long cert_serial = 0; char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; size_t i, nopts = 0; u_int32_t bits = 0; @@ -2965,10 +2965,10 @@ main(int argc, char **argv) sk_provider = getenv("SSH_SK_PROVIDER"); - /* Remaining characters: dGjJKSTW */ + /* Remaining characters: dGjJKSTWx */ while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvy" "C:D:E:F:I:M:N:O:P:R:V:Y:Z:" - "a:b:f:g:m:n:r:s:t:w:x:z:")) != -1) { + "a:b:f:g:m:n:r:s:t:w:z:")) != -1) { switch (opt) { case 'A': gen_all_hostkeys = 1; @@ -3130,25 +3130,6 @@ main(int argc, char **argv) case 'w': sk_provider = optarg; break; - case 'x': - if (*optarg == '\0') - fatal("Missing security key flags"); - if (strcasecmp(optarg, "no-touch-required") == 0) - sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; - else if (strcasecmp(optarg, "resident") == 0) - sk_flags |= SSH_SK_RESIDENT_KEY; - else { - ull = strtoull(optarg, &ep, 0); - if (*ep != '\0') - fatal("Security key flags \"%s\" is " - "not a number", optarg); - if (ull > 0xff) { - fatal("Invalid security key " - "flags 0x%llx", ull); - } - sk_flags = (uint8_t)ull; - } - break; case 'z': errno = 0; if (*optarg == '+') { @@ -3361,6 +3342,20 @@ main(int argc, char **argv) switch (type) { case KEY_ECDSA_SK: case KEY_ED25519_SK: + for (i = 0; i < nopts; i++) { + if (strcasecmp(opts[i], "no-touch-required") == 0) { + sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; + } else if (strcasecmp(opts[i], "resident") == 0) { + sk_flags |= SSH_SK_RESIDENT_KEY; + } else { + fatal("Option \"%s\" is unsupported for " + "FIDO authenticator enrollment", opts[i]); + } + } + if (!quiet) { + printf("You may need to touch your security key " + "to authorize key generation.\n"); + } passphrase1 = NULL; for (i = 0 ; i < 3; i++) { if (!quiet) { @@ -3375,9 +3370,13 @@ main(int argc, char **argv) break; if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) exit(1); /* error message already printed */ + if (passphrase1 != NULL) + freezero(passphrase1, strlen(passphrase1)); passphrase1 = read_passphrase("Enter PIN for security " "key: ", RP_ALLOW_STDIN); } + if (passphrase1 != NULL) + freezero(passphrase1, strlen(passphrase1)); if (i > 3) fatal("Too many incorrect PINs"); break;