git.ipfire.org Git - thirdparty/openssh-portable.git/commit
upstream: Disallow remote addition of FIDO/PKCS11 provider
author djm@openbsd.org <djm@openbsd.org>
Wed, 19 Jul 2023 13:56:33 +0000 (13:56 +0000)
committer Damien Miller <djm@mindrot.org>
Wed, 19 Jul 2023 14:18:27 +0000 (00:18 +1000)
commit 1f2731f5d7a8f8a8385c6031667ed29072c0d92a
tree 1b3b36cf35f0590f8dd40b306823879bdd2ac9fd
parent 892506b13654301f69f9545f48213fc210e5c5cc
upstream: Disallow remote addition of FIDO/PKCS11 provider

libraries to ssh-agent by default.

The old behaviour of allowing remote clients to load providers
can be restored using `ssh-agent -O allow-remote-pkcs11`.

Detection of local/remote clients requires a ssh(1) that supports
the `session-bind@openssh.com` extension. Forwarding access to a
ssh-agent socket using non-OpenSSH tools may circumvent this control.

ok markus@

OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
ssh-agent.1
ssh-agent.c
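
To audit a host for agents started with the opt-out named in the commit message, the following added example (not part of this commit or of OpenSSH) parses each running ssh-agent's argv for `-O allow-remote-pkcs11`. The function names are hypothetical, the Linux `/proc/<pid>/cmdline` layout is assumed, and the list of option letters that take an argument comes from ssh-agent(1).

```shell
#!/bin/sh
# Added example, not OpenSSH code. Reads one argv element per line on stdin
# (argv[0] first); returns 0 if -O allow-remote-pkcs11 was given.
# Option letters that take an argument (a, E, O, P, t) follow ssh-agent(1).
agent_allows_remote_providers() {
    pending=""                      # option letter still waiting for its value
    IFS= read -r _argv0 || return 1
    while IFS= read -r arg; do
        if [ -n "$pending" ]; then
            if [ "$pending" = O ] && [ "$arg" = allow-remote-pkcs11 ]; then
                return 0
            fi
            pending=""
            continue
        fi
        case $arg in
            --|-) return 1 ;;       # end of options
            -*) rest=${arg#-} ;;
            *) return 1 ;;          # command to run (assumes no permutation)
        esac
        while [ -n "$rest" ]; do    # walk a cluster such as -DOvalue
            opt=${rest%"${rest#?}"}
            rest=${rest#?}
            case $opt in
                a|E|O|P|t)
                    if [ -z "$rest" ]; then
                        pending=$opt
                    elif [ "$opt" = O ] && [ "$rest" = allow-remote-pkcs11 ]; then
                        return 0
                    fi
                    rest="" ;;
            esac
        done
    done
    return 1
}
# Print the PID of each ssh-agent under a procfs root that has the opt-out set.
audit_agents() {
    for f in "${1:-/proc}"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        case $(tr '\0' '\n' <"$f" 2>/dev/null | head -n 1) in
            ssh-agent|*/ssh-agent) ;;
            *) continue ;;
        esac
        if tr '\0' '\n' <"$f" 2>/dev/null | agent_allows_remote_providers; then
            d=${f%/cmdline}; echo "${d##*/}"
        fi
    done
}
audit_agents "${1:-/proc}"          # scan the live system when run directly
```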