Commit Graph

322 Commits

Author SHA1 Message Date
djm@openbsd.org
3991a0cf94
upstream: actually hook up restrict_websafe; the command-line flag
was never actually used. Spotted by Matthew Garrett

OpenBSD-Commit-ID: 0b363518ac4c2819dbaa3dfad4028633ab9cdff1
2022-09-17 20:37:20 +10:00
djm@openbsd.org
940dc10729
upstream: a little extra debugging
OpenBSD-Commit-ID: edf1601c1d0905f6da4c713f4d9cecc7d1c0295a
2022-09-14 10:16:05 +10:00
djm@openbsd.org
4b5f91cb95
upstream: ssh-agent: attempt FIDO key signing without PIN and use
the error to determine whether a PIN is required and prompt only if
necessary. from Corinna Vinschen

OpenBSD-Commit-ID: dd6be6a0b7148608e834ee737c3479b3270b00dd
2022-09-14 10:16:05 +10:00
djm@openbsd.org
0ba39b93b3
upstream: notifier_complete(NULL, ...) is a noop, so no need to test
that ctx!=NULL; from Corinna Vinschen

OpenBSD-Commit-ID: ade2f2e9cc519d01a586800c25621d910bce384a
2022-09-09 13:38:14 +10:00
djm@openbsd.org
247082b501 upstream: fix memleak on session-bind path; from Pedro Martelletto, ok
dtucker@

OpenBSD-Commit-ID: e85899a26ba402b4c0717b531317e8fc258f0a7e
2022-04-29 13:18:31 +10:00
djm@openbsd.org
39d17e189f upstream: allow pin-required FIDO keys to be added to ssh-agent(1).
ssh-askpass will be used to request the PIN at authentication time.

From Pedro Martelletto, ok djm

OpenBSD-Commit-ID: de8189fcd35b45f632484864523c1655550e2950
2022-01-18 10:00:35 +11:00
dtucker@openbsd.org
72bcd7993d upstream: Don't log NULL hostname in restricted agent code,
printf("%s", NULL) is not safe on all platforms.  with & ok djm

OpenBSD-Commit-ID: faf10cdae4adde00cdd668cd1f6e05d0a0e32a02
2022-01-12 15:19:21 +11:00
djm@openbsd.org
a23698c308 upstream: fix memleak in process_extension(); oss-fuzz issue #42719
OpenBSD-Commit-ID: d8d49f840162fb7b8949e3a5adb8107444b6de1e
2022-01-01 15:19:48 +11:00
jsg@openbsd.org
cb885178f3 upstream: spelling ok dtucker@
OpenBSD-Commit-ID: bfc7ba74c22c928de2e257328b3f1274a3dfdf19
2022-01-01 15:19:48 +11:00
Damien Miller
715c892f0a remove sys/param.h in -portable, after upstream 2021-12-22 09:02:50 +11:00
djm@openbsd.org
a6d7677c4a upstream: Use hostkey parsed from hostbound userauth request
Require host-bound userauth requests for forwarded SSH connections.

The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.

ok markus@

OpenBSD-Commit-ID: d69877c9a3bd8d1189a5dbdeceefa432044dae02
2021-12-20 09:28:07 +11:00
djm@openbsd.org
baaff0ff43 upstream: agent support for parsing hostkey-bound signatures
Allow parse_userauth_request() to work with blobs from
publickey-hostbound-v00@openssh.com userauth attempts.

Extract hostkey from these blobs.

ok markus@

OpenBSD-Commit-ID: 81c064255634c1109477dc65c3e983581d336df8
2021-12-20 09:28:07 +11:00
djm@openbsd.org
39f00dcf44 upstream: ssh-agent side of destination constraints
Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.

Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.

feedback Jann Horn & markus@
ok markus@

OpenBSD-Commit-ID: 84a7fb81106c2d609a6ac17469436df16d196319
2021-12-20 09:27:06 +11:00
djm@openbsd.org
4c1e3ce85e upstream: ssh-agent side of binding
record session ID/hostkey/forwarding status for each active socket.

Attempt to parse data-to-be-signed at signature request time and extract
session ID from the blob if it is a pubkey userauth request.

ok markus@

OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
2021-12-20 09:24:42 +11:00
djm@openbsd.org
875408270c upstream: check for POLLHUP wherever we check for POLLIN
OpenBSD-Commit-ID: 6aa6f3ec6b17c3bd9bfec672a917f003a76d93e5
2021-11-18 14:32:54 +11:00
djm@openbsd.org
31d8d231eb upstream: highly polished whitespace, mostly fixing spaces-for-tab
and bad indentation on continuation lines. Prompted by GHPR#185

OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
2021-04-03 17:23:02 +11:00
djm@openbsd.org
e04fd6dde1 upstream: factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own
function and remove an unused variable; ok dtucker@

OpenBSD-Commit-ID: e1a938657fbf7ef0ba5e73b30365734a0cc96559
2021-02-17 15:03:41 +11:00
djm@openbsd.org
3287790e78 upstream: memleak on error path; ok markus@
OpenBSD-Commit-ID: 2091a36d6ca3980c81891a6c4bdc544e63cb13a8
2021-02-05 13:38:57 +11:00
djm@openbsd.org
1a4b927586 upstream: fix the values of enum sock_type
OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd
2021-01-30 11:58:31 +11:00
djm@openbsd.org
8afaa7d791 upstream: give typedef'd struct a struct name; makes the fuzzer I'm
writing a bit easier

OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb
2021-01-30 11:58:31 +11:00
dtucker@openbsd.org
d1532d9007 upstream: Logical not bitwise or. ok djm@
OpenBSD-Commit-ID: d4dc855cf04951b93c45caa383e1ac9af0a3b0e5
2021-01-27 11:45:50 +11:00
dtucker@openbsd.org
e26c980778 upstream: Remove unused variables leftover from refactoring. ok
djm@

OpenBSD-Commit-ID: 8b3ad58bff828fcf874e54b2fc27a4cf1d9505e8
2021-01-26 22:50:40 +11:00
djm@openbsd.org
37c70ea8d4 upstream: refactor key constraint parsing in ssh-agent
Key constraints parsing code previously existed in both the "add regular
key" and "add smartcard key" path. This unifies them but also introduces
more consistency checking: duplicated constraints and constraints that
are nonsensical for a particular situation (e.g. FIDO provider for a
smartcard key) are now banned.

ok markus@

OpenBSD-Commit-ID: 511cb1b1c021ee1d51a4c2d649b937445de7983c
2021-01-26 12:21:48 +11:00
djm@openbsd.org
e0e8bee802 upstream: more ssh-agent refactoring
Allow confirm_key() to accept an additional reason suffix

Factor publickey userauth parsing out into its own function and allow
it to optionally return things it parsed out of the message to its
caller.

feedback/ok markus@

OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e
2021-01-26 12:21:48 +11:00
djm@openbsd.org
1fe16fd61b upstream: use recallocarray to allocate the agent sockets table;
also clear socket entries that are being marked as unused.

spinkle in some debug2() spam to make it easier to watch an agent
do its thing.

ok markus

OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
2021-01-26 12:21:48 +11:00
dtucker@openbsd.org
6d30673fed upstream: Change convtime() from returning long to returning int.
On platforms where sizeof(int) != sizeof(long), convtime could accept values
>MAX_INT which subsequently truncate when stored in an int during config
parsing.  bz#3250, ok djm@

OpenBSD-Commit-ID: 8fc932683d6b4660d52f50911d62bd6639c5db31
2021-01-11 15:04:12 +11:00
djm@openbsd.org
d5a0cd4fc4 upstream: when requesting a security key touch on stderr, inform the
user once the touch has been recorded; requested by claudio@ ok markus@

OpenBSD-Commit-ID: 3b76ee444490e546b9ea7f879e4092ee0d256233
2020-11-09 09:39:22 +11:00
djm@openbsd.org
816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org
396d32f3a1 upstream: There are lots of place where we want to redirect stdin,
stdout and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these to redirect.
ok markus@

OpenBSD-Commit-ID: 3033ba5a4c47cacfd5def020d42cabc52fad3099
2020-10-03 19:34:24 +10:00
djm@openbsd.org
52a03e9fca upstream: handle multiple messages in a single read()
PR#183 by Dennis Kaarsemaker; feedback and ok markus@

OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
2020-09-18 18:17:59 +10:00
djm@openbsd.org
9b8ad93824 upstream: support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
2020-08-27 11:28:36 +10:00
djm@openbsd.org
6d755706a0 upstream: some language improvements; ok markus
OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
2020-07-15 15:07:42 +10:00
jmc@openbsd.org
b659319a5b upstream: updated argument name for -P in first synopsis was
missed in previous;

OpenBSD-Commit-ID: 8d84dc3050469884ea91e29ee06a371713f2d0b7
2020-06-26 15:18:07 +10:00
djm@openbsd.org
fc270baf26 upstream: better terminology for permissions; feedback & ok markus@
OpenBSD-Commit-ID: ffb220b435610741dcb4de0e7fc68cbbdc876d2c
2020-06-22 16:11:14 +10:00
dtucker@openbsd.org
00531bb42f upstream: Correct synopsis and usage for the options accepted when
passing a command to ssh-agent.  ok jmc@

OpenBSD-Commit-ID: b36f0679cb0cac0e33b361051b3406ade82ea846
2020-06-22 16:11:14 +10:00
djm@openbsd.org
0c111eb84e upstream: Restrict ssh-agent from signing web challenges for FIDO
keys.

When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently pubkey authentication and sshsig signatures).

This prevents ssh-agent forwarding on a host that has FIDO keys
attached granting the ability for the remote side to sign challenges
for web authentication using those keys too.

Note that the converse case of web browsers signing SSH challenges is
already precluded because no web RP can have the "ssh:" prefix in the
application string that we require.

ok markus@

OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
2020-05-27 10:14:45 +10:00
markus@openbsd.org
8fae395f34 upstream: initialize seconds for debug message; ok djm
OpenBSD-Commit-ID: 293fbefe6d00b4812a180ba02e26170e4c855b81
2020-03-13 13:18:31 +11:00
jsg@openbsd.org
d5ba1c0327 upstream: change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
2020-02-28 12:26:28 +11:00
naddy@openbsd.org
a47f6a6c0e upstream: Replace "security key" with "authenticator" in program
messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e
2020-02-07 09:52:59 +11:00
djm@openbsd.org
e5a278a62a upstream: process security key provider via realpath() in agent,
avoids malicious client from being able to cause agent to load arbitrary
libraries into ssh-sk-helper.

reported by puck AT puckipedia.com; ok markus

OpenBSD-Commit-ID: 1086643df1b7eee4870825c687cf0c26a6145d1c
2020-01-25 11:35:56 +11:00
djm@openbsd.org
89a8d4525e upstream: expose PKCS#11 key labels/X.509 subjects as comments
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.

based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church

feedback and ok markus@

OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
2020-01-25 11:35:55 +11:00
dtucker@openbsd.org
3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23 18:51:25 +11:00
djm@openbsd.org
b52ec0ba39 upstream: use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*

requested by, feedback and ok markus@

OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-12-14 07:17:44 +11:00
jmc@openbsd.org
4402d6c9b5 upstream: revert previous: naddy pointed out what's meant to
happen. rethink needed...

OpenBSD-Commit-ID: fb0fede8123ea7f725fd65e00d49241c40bd3421
2019-11-20 09:27:29 +11:00
jmc@openbsd.org
88056f8813 upstream: -c and -s do not make sense with -k; reshuffle -k into
the main synopsis/usage; ok djm

OpenBSD-Commit-ID: f881ba253da015398ae8758d973e3390754869bc
2019-11-20 09:27:29 +11:00
naddy@openbsd.org
189550f5bc upstream: additional missing stdarg.h includes when built without
WITH_OPENSSL; ok djm@

OpenBSD-Commit-ID: 881f9a2c4e2239849cee8bbf4faec9bab128f55b
2019-11-20 09:27:29 +11:00
djm@openbsd.org
05daa211de upstream: always use ssh-sk-helper, even for the internal USB HID
support. This avoid the need for a wpath pledge in ssh-agent.

reported by jmc@

OpenBSD-Commit-ID: 19f799c4d020b870741d221335dbfa5e76691c23
2019-11-17 09:44:43 +11:00
djm@openbsd.org
c63fba5e34 upstream: unshield security key privkey before attempting signature
in agent. spotted by dtucker@

OpenBSD-Commit-ID: fb67d451665385b8a0a55371231c50aac67b91d2
2019-11-15 16:39:31 +11:00
djm@openbsd.org
ab36006653 upstream: don't consult dlopen whitelist for internal security key
provider; spotted by dtucker@

OpenBSD-Commit-ID: bfe5fbd17e4ff95dd85b9212181652b54444192e
2019-11-15 15:14:00 +11:00
djm@openbsd.org
45ffa36988 upstream: show the "please touch your security key" notifier when
using the (default) build-in security key support.

OpenBSD-Commit-ID: 4707643aaa7124501d14e92d1364b20f312a6428
2019-11-15 13:41:40 +11:00