summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2024-11-06 23:51:26 +0100
committerDamien Miller <djm@mindrot.org>2024-11-07 00:49:13 +0100
commit82662d562cf54829df8a941cdfb2fd307e1d9a90 (patch)
tree7be68075a222bfba45111bb406e1da8cd911b1b2
parentupstream: Ignore extra groups that don't fit in the buffer passed (diff)
downloadopenssh-82662d562cf54829df8a941cdfb2fd307e1d9a90.tar.xz
openssh-82662d562cf54829df8a941cdfb2fd307e1d9a90.zip
upstream: ssh-agent implemented an all-or-nothing allow-list of
FIDO application IDs for security key-backed keys, to prevent web key handles from being used remotely as this would likely lead to unpleasant surprises. By default, only application IDs that start with "ssh:*" are allowed. This adds a -Owebsafe-allow=... argument that can override the default list with a more or less restrictive one. The default remains unchanged. ok markus@ OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d
-rw-r--r--ssh-agent.126
-rw-r--r--ssh-agent.c19
2 files changed, 35 insertions, 10 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1
index e5f9b0e33..2f5b091ee 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.80 2024/10/24 03:15:47 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.81 2024/11/06 22:51:26 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: October 24 2024 $
+.Dd $Mdocdate: November 6 2024 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -107,10 +107,11 @@ environment variable).
.It Fl O Ar option
Specify an option when starting
.Nm .
-Currently two options are supported:
-.Cm allow-remote-pkcs11
+The supported options are:
+.Cm allow-remote-pkcs11 ,
+.Cm no-restrict-websafe
and
-.Cm no-restrict-websafe .
+.Cm websafe-allow .
.Pp
The
.Cm allow-remote-pkcs11
@@ -143,6 +144,16 @@ user authentication request or a
signature.
The default behaviour prevents forwarded access to a FIDO key from also
implicitly forwarding the ability to authenticate to websites.
+.Pp
+Alternately the
+.Cm websafe-allow
+option allows specifying a pattern-list of key application strings to
+replace the default application allow-list, for example:
+.Dq websafe-allow=ssh:*,example.org,*.example.com
+.Pp
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
.It Fl P Ar allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
authenticator middleware shared libraries that may be used with the
@@ -152,11 +163,12 @@ or
options to
.Xr ssh-add 1 .
Libraries that do not match the pattern list will be refused.
+The default list is
+.Dq usr/lib*/*,/usr/local/lib*/* .
+.Pp
See PATTERNS in
.Xr ssh_config 5
for a description of pattern-list syntax.
-The default list is
-.Dq usr/lib*/*,/usr/local/lib*/* .
.It Fl s
Generate Bourne shell commands on
.Dv stdout .
diff --git a/ssh-agent.c b/ssh-agent.c
index 55f3a8520..96c25b9d5 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.308 2024/10/24 03:15:47 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.309 2024/11/06 22:51:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -94,6 +94,9 @@
#ifndef DEFAULT_ALLOWED_PROVIDERS
# define DEFAULT_ALLOWED_PROVIDERS "/usr/lib*/*,/usr/local/lib*/*"
#endif
+#ifndef DEFAULT_WEBSAFE_ALLOWLIST
+# define DEFAULT_WEBSAFE_ALLOWLIST "ssh:*"
+#endif
/* Maximum accepted message length */
#define AGENT_MAX_LEN (256*1024)
@@ -198,6 +201,7 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
+static char *websafe_allowlist;
static void
close_socket(SocketEntry *e)
@@ -925,7 +929,8 @@ process_sign_request2(SocketEntry *e)
}
if (sshkey_is_sk(id->key)) {
if (restrict_websafe &&
- strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+ match_pattern_list(id->key->sk_application,
+ websafe_allowlist, 0) != 1 &&
!check_websafe_message_contents(key, data)) {
/* error already logged */
goto send;
@@ -2212,6 +2217,7 @@ main(int ac, char **av)
int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
int sock, ch, result, saved_errno;
char *shell, *format, *pidstr, *agentsocket = NULL;
+ const char *ccp;
#ifdef HAVE_SETRLIMIT
struct rlimit rlim;
#endif
@@ -2264,7 +2270,12 @@ main(int ac, char **av)
restrict_websafe = 0;
else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
remote_add_provider = 1;
- else
+ else if ((ccp = strprefix(optarg,
+ "websafe-allow=", 0)) != NULL) {
+ if (websafe_allowlist != NULL)
+ fatal("websafe-allow already set");
+ websafe_allowlist = xstrdup(ccp);
+ } else
fatal("Unknown -O option");
break;
case 'P':
@@ -2308,6 +2319,8 @@ main(int ac, char **av)
if (allowed_providers == NULL)
allowed_providers = xstrdup(DEFAULT_ALLOWED_PROVIDERS);
+ if (websafe_allowlist == NULL)
+ websafe_allowlist = xstrdup(DEFAULT_WEBSAFE_ALLOWLIST);
if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL");