the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").
ok markus@
OpenBSD-Commit-ID: 4cdb2ca5017ec1ed7a9d33bda95c1d6a97b583b0
Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.
Use the new hostbound method in client if the kex->flags flag was set,
and include the inital KEX hostkey in the userauth request.
Note: nothing in kex.c actually sets the new flag yet
ok markus@
OpenBSD-Commit-ID: 5a6fce8c6c8a77a80ee1526dc467d91036a5910d
This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.
feedback / ok markus@
OpenBSD-Commit-ID: 7ea01bb7238a560c1bfb426fda0c10a8aac07862
allow authentication methods to have one additional name beyond their
primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.
ok markus@
OpenBSD-Commit-ID: 9e613fcb44b8168823195602ed3d09ffd7994559
Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.
Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: 84a7fb81106c2d609a6ac17469436df16d196319
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: ef47fa9ec0e3c2a82e30d37ef616e245df73163e
record session ID/hostkey/forwarding status for each active socket.
Attempt to parse data-to-be-signed at signature request time and extract
session ID from the blob if it is a pubkey userauth request.
ok markus@
OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-bind@openssh.com" agent extension.
ok markus@
OpenBSD-Commit-ID: 2f154844fe13167d3ab063f830d7455fcaa99135
keys a little more: ask the token whether a particular key belongs to it in
cases where the token support on-token user- verification (e.g. biometrics)
rather than just assuming that it will accept it.
Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.
Motivated by bz3366; by Pedro Martelletto
OpenBSD-Commit-ID: ffac7f3215842397800e1ae2e20229671a55a63d
The main change is that Niels Provos kindly agreed to rescind the
BSD license advertising clause, shifting them to the 3-term BSD
license.
This was the last thing in OpenSSH that used the advertising clause.
matching of principals names against an allowed signers file.
Requested by and mostly written by Fabian Stelzer, towards a TOFU
model for SSH signatures in git. Some tweaks by me.
"doesn't bother me" deraadt@
OpenBSD-Commit-ID: 8d1b71f5a4127bc5e10a880c8ea6053394465247
Since we changed from select() to ppoll() tests have been failing.
This seems to be because FreeBSD 10 (and presumably 9) do not allow
ppoll() in the privsep process and sshd will fail with "Not permitted in
capability mode". Setting CAP_EVENT on the FDs doesn't help, but weirdly,
poll() works without that. Those versions are EOL so this situation is
unlikely to change.
already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries
that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364
OpenBSD-Commit-ID: 054d4dc1d6a99a2e6f8eebc48207b534057c154d
when using ca certs but not with simple key lifetimes within the allowed
signers file.
Since it returns the first keys principal it finds this could
result in a principal with an expired key even though a valid
one is just below.
patch from Fabian Stelzer; feedback/ok djm markus
OpenBSD-Commit-ID: b108ed0a76b813226baf683ab468dc1cc79e0905
Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.