From 801c9f095e6d8b7b91aefd98f5001c652ea13488 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 27 Aug 2020 01:07:09 +0000 Subject: upstream: support for requiring user verified FIDO keys in sshd This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6 --- servconf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'servconf.c') diff --git a/servconf.c b/servconf.c index 67581ccf2..1bc7ee31a 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.367 2020/07/05 23:59:45 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.368 2020/08/27 01:07:09 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1527,6 +1527,8 @@ process_server_config_line_depth(ServerOptions *options, char *line, continue; if (strcasecmp(arg, "touch-required") == 0) value |= PUBKEYAUTH_TOUCH_REQUIRED; + else if (strcasecmp(arg, "verify-required") == 0) + value |= PUBKEYAUTH_VERIFY_REQUIRED; else { fatal("%s line %d: unsupported " "PubkeyAuthOptions option %s", @@ -2937,5 +2939,7 @@ dump_config(ServerOptions *o) printf(" none"); if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED) printf(" touch-required"); + if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED) + printf(" verify-required"); printf("\n"); } -- cgit v1.2.3