| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
if a credential with matching application and user ID strings already exists.
if so, prompt the user for confirmation before overwriting the credential.
patch from Pedro Martelletto via GHPR329
NB. cranks SSH_SK_VERSION_MAJOR, so any third-party FIDO middleware
implementations will need to adjust
OpenBSD-Commit-ID: e45e9f1bf2b2f32d9850669e7a8dbd64acc5fca4
|
|
|
|
| |
Analysis/fix from kircher in bz3443; ok dtucker@
|
|
|
|
|
|
| |
From Pedro Martelletto; ok dtucker & me
OpenBSD-Commit-ID: 47be40d602b7a6458c4c71114df9b53d149fc2e9
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports
on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag
in the key so that ssh(1) doesn't automatically prompty for PIN later.
When making signatures with the key, query the token's capabilities
again and check whether the token is able (right now) to perform user-
verification without a PIN. If it is then the PIN prompt is bypassed
and user verification delegated to the token. If not (e.g. the token
is biometric capable, but no biometric are enrolled), then fall back
to user verification via the usual PIN prompt.
Work by Pedro Martelletto; ok myself and markus@
NB. cranks SSH_SK_VERSION_MAJOR
OpenBSD-Commit-ID: e318a8c258d9833a0b7eb0236cdb68b5143b2f27
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
back the user ID that was used when the key was created and append it to the
filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple
resident keys with the same application string but different
user IDs.
feedback Pedro Martelletto; ok markus
NB. increments SSH_SK_VERSION_MAJOR
OpenBSD-Commit-ID: dbd658b5950f583106d945641a634bc6562dd3a3
|
|
|
|
| |
ok dtucker
|
|
|
|
| |
OpenBSD-Commit-ID: d9fbce14945721061cb322f0084c2165d33d1993
|
|
|
|
|
|
|
| |
from https://github.com/openssh/openssh-portable/pull/225 by
ZenithalHourlyRate
OpenBSD-Commit-ID: 28d7259ce1b04d025411464decfa2f1a097b43eb
|
|
|
|
|
|
| |
__func__ and appending ssh_err(r) manually; ok markus@
OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
|
|
|
|
|
|
|
|
|
|
| |
the data needed to verify the attestation. Previously we were missing the
"authenticator data" that is included in the signature.
spotted by Ian Haken
feedback Pedro Martelletto and Ian Haken; ok markus@
OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
|
|
|
|
|
|
|
|
|
|
|
| |
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
from Pedro Martelletto; ok markus@ and myself
OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
|
|
|
|
|
|
|
|
| |
hashing in the middleware layer rather than in ssh code. This allows
middlewares that call APIs that perform the hashing implicitly (including
Microsoft's AFAIK). ok markus@
OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
|
|
|
|
| |
OpenBSD-Commit-ID: 52bf733df220303c260fee4f165ec64b4a977625
|
|
|
|
|
|
| |
function and SecurityKeyProvider is empty
OpenBSD-Commit-ID: e56602c2ee8c82f835d30e4dc8ee2e4a7896be24
|
|
|
|
|
|
|
|
|
|
|
| |
messages.
This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.
Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.
ok markus@
OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
making ssh-keygen be solely responsible for printing the error message and
convertint some more common error responses from the middleware to a useful
ssherr.h status code. more detail remains visible via -v of course.
also remove indepedent copy of sk-api.h declarations in sk-usbhid.c
and just include it.
feedback & ok markus@
OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
for all operations. These are intended to future-proof the API a little by
making it easier to specify additional fields for without having to change
the API version for each.
At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.
feedback and ok markus@
OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
|
|
|
|
| |
OpenBSD-Commit-ID: 4ccd8ddabb8df4f995107dd3b7ea58220e93cb81
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow passing a PIN via the SK API (API major crank) and let the
ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error
code instead of a complete reply. Will be used to signal "wrong PIN",
etc.
feedback and ok markus@
OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a sk_load_resident_keys() function to the security key
API that accepts a security key provider and a PIN and returns
a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0
|
|
|
|
|
|
|
|
| |
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
OpenBSD-Commit-ID: 9bc1efd9c6897eac4df0983746cf6578c1542273
|
|
|
|
|
|
|
|
|
|
|
| |
This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
|
|
|
|
|
|
| |
from Michael Forney
OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7
|
|
|
|
|
|
|
|
|
| |
better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you
update both your clients and servers.
OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
|
|
|
|
|
|
| |
addition; ok djm@
OpenBSD-Commit-ID: a9545e1c273e506cf70e328cbb9d0129b6d62474
|
|
|
|
| |
OpenBSD-Commit-ID: 2bf336d3be0b7e3dd97920d7e7471146a281d2b9
|
|
|
|
| |
OpenBSD-Commit-ID: 4c70300609a5c8b19707207bb7ad4109e963b0e8
|
|
|
|
|
|
|
|
| |
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
|
|
|
|
| |
OpenBSD-Commit-ID: 34198084e4afb424a859f52c04bb2c9668a52867
|
|
|
|
|
|
|
|
|
| |
security key enrollment - these are possible for tokens that only offer self-
attestation. This also needs support from the middleware.
ok markus@
OpenBSD-Commit-ID: 135eeeb937088ef6830a25ca0bbe678dfd2c57cc
|
|
|
|
| |
OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
|
|
|
|
| |
OpenBSD-Commit-ID: 1a1e6a85b5f465d447a3800f739e35c5b74e0abc
|
|
|
|
| |
OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
|
|
|
|
| |
OpenBSD-Commit-ID: af9ec838b9bc643786310b5caefc4ca4754e68c6
|
|
|
|
| |
OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910
|
|
|
|
| |
OpenBSD-Commit-ID: 1524042e09d81e54c4470d7bfcc0194c5b46fe19
|
|
|
|
| |
OpenBSD-Commit-ID: 07e41997b542f670a15d7e2807143fe01efef584
|
|
|
|
| |
OpenBSD-Commit-ID: 2313761a3a84ccfe032874d638d3c363e0f14026
|
|
|
|
|
| |
Mostly following existing logic for PKCS#11 - turning off support
when either libcrypto or dlopen(3) are unavailable.
|
|
Supports enrolling (generating) keys and signatures.
feedback & ok markus@
OpenBSD-Commit-ID: 73d1dd5939454f9c7bd840f48236cba41e8ad592
|