diff options
author | djm@openbsd.org <djm@openbsd.org> | 2024-11-06 23:51:26 +0100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2024-11-07 00:49:13 +0100 |
commit | 82662d562cf54829df8a941cdfb2fd307e1d9a90 (patch) | |
tree | 7be68075a222bfba45111bb406e1da8cd911b1b2 | |
parent | upstream: Ignore extra groups that don't fit in the buffer passed (diff) | |
download | openssh-82662d562cf54829df8a941cdfb2fd307e1d9a90.tar.xz openssh-82662d562cf54829df8a941cdfb2fd307e1d9a90.zip |
upstream: ssh-agent implemented an all-or-nothing allow-list of
FIDO application IDs for security key-backed keys, to prevent web key handles
from being used remotely as this would likely lead to unpleasant surprises.
By default, only application IDs that start with "ssh:*" are allowed.
This adds a -Owebsafe-allow=... argument that can override the default
list with a more or less restrictive one. The default remains unchanged.
ok markus@
OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d
-rw-r--r-- | ssh-agent.1 | 26 | ||||
-rw-r--r-- | ssh-agent.c | 19 |
2 files changed, 35 insertions, 10 deletions
diff --git a/ssh-agent.1 b/ssh-agent.1 index e5f9b0e33..2f5b091ee 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.80 2024/10/24 03:15:47 djm Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.81 2024/11/06 22:51:26 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 24 2024 $ +.Dd $Mdocdate: November 6 2024 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -107,10 +107,11 @@ environment variable). .It Fl O Ar option Specify an option when starting .Nm . -Currently two options are supported: -.Cm allow-remote-pkcs11 +The supported options are: +.Cm allow-remote-pkcs11 , +.Cm no-restrict-websafe and -.Cm no-restrict-websafe . +.Cm websafe-allow . .Pp The .Cm allow-remote-pkcs11 @@ -143,6 +144,16 @@ user authentication request or a signature. The default behaviour prevents forwarded access to a FIDO key from also implicitly forwarding the ability to authenticate to websites. +.Pp +Alternately the +.Cm websafe-allow +option allows specifying a pattern-list of key application strings to +replace the default application allow-list, for example: +.Dq websafe-allow=ssh:*,example.org,*.example.com +.Pp +See PATTERNS in +.Xr ssh_config 5 +for a description of pattern-list syntax. .It Fl P Ar allowed_providers Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO authenticator middleware shared libraries that may be used with the @@ -152,11 +163,12 @@ or options to .Xr ssh-add 1 . Libraries that do not match the pattern list will be refused. +The default list is +.Dq usr/lib*/*,/usr/local/lib*/* . +.Pp See PATTERNS in .Xr ssh_config 5 for a description of pattern-list syntax. -The default list is -.Dq usr/lib*/*,/usr/local/lib*/* . .It Fl s Generate Bourne shell commands on .Dv stdout . diff --git a/ssh-agent.c b/ssh-agent.c index 55f3a8520..96c25b9d5 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.308 2024/10/24 03:15:47 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.309 2024/11/06 22:51:26 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -94,6 +94,9 @@ #ifndef DEFAULT_ALLOWED_PROVIDERS # define DEFAULT_ALLOWED_PROVIDERS "/usr/lib*/*,/usr/local/lib*/*" #endif +#ifndef DEFAULT_WEBSAFE_ALLOWLIST +# define DEFAULT_WEBSAFE_ALLOWLIST "ssh:*" +#endif /* Maximum accepted message length */ #define AGENT_MAX_LEN (256*1024) @@ -198,6 +201,7 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; +static char *websafe_allowlist; static void close_socket(SocketEntry *e) @@ -925,7 +929,8 @@ process_sign_request2(SocketEntry *e) } if (sshkey_is_sk(id->key)) { if (restrict_websafe && - strncmp(id->key->sk_application, "ssh:", 4) != 0 && + match_pattern_list(id->key->sk_application, + websafe_allowlist, 0) != 1 && !check_websafe_message_contents(key, data)) { /* error already logged */ goto send; @@ -2212,6 +2217,7 @@ main(int ac, char **av) int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0; int sock, ch, result, saved_errno; char *shell, *format, *pidstr, *agentsocket = NULL; + const char *ccp; #ifdef HAVE_SETRLIMIT struct rlimit rlim; #endif @@ -2264,7 +2270,12 @@ main(int ac, char **av) restrict_websafe = 0; else if (strcmp(optarg, "allow-remote-pkcs11") == 0) remote_add_provider = 1; - else + else if ((ccp = strprefix(optarg, + "websafe-allow=", 0)) != NULL) { + if (websafe_allowlist != NULL) + fatal("websafe-allow already set"); + websafe_allowlist = xstrdup(ccp); + } else fatal("Unknown -O option"); break; case 'P': @@ -2308,6 +2319,8 @@ main(int ac, char **av) if (allowed_providers == NULL) allowed_providers = xstrdup(DEFAULT_ALLOWED_PROVIDERS); + if (websafe_allowlist == NULL) + websafe_allowlist = xstrdup(DEFAULT_WEBSAFE_ALLOWLIST); if (ac == 0 && !c_flag && !s_flag) { shell = getenv("SHELL"); |