upstream: allow "ssh-keygen -x no-touch-required" when generating a

security key keypair to request one that does not require a touch for each
authentication attempt. The default remains to require touch.

feedback deraadt; ok markus@

OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd

diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 06aead3483bc687a97e83e08442eab936c8705bc..837238e4e782667cb4330009205114af5c07da30 100644 (file)
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $
+.\"    $OpenBSD: ssh-keygen.1,v 1.178 2019/11/25 00:55:58 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -679,6 +679,15 @@ internal support for USB HID keys.
 .It Fl x Ar flags
 Specifies the security key flags to use when enrolling a security key-hosted
 key.
+Flags may be specified by name or directly as a hexadecimal value.
+Only one named flag is supported at present:
+.Cm no-touch-required ,
+which indicates that the generated private key should not require touch
+events (user presence) when making signatures.
+Note that
+.Xr sshd 8
+will refuse such signatures by default, unless overridden via
+an authorized_keys option.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 16d196fc8679fbc2c621e79035cc1ef27a77ff0d..e939c5b574accb06beee67180695944cf77dc25b 100644 (file)
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.372 2019/11/25 00:55:58 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2810,6 +2810,7 @@ main(int argc, char **argv)
        unsigned long long ull, cert_serial = 0;
        char *identity_comment = NULL, *ca_key_path = NULL;
        u_int32_t bits = 0;
+       uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
        FILE *f;
        const char *errstr;
        int log_level = SYSLOG_LEVEL_INFO;
@@ -2822,9 +2823,6 @@ main(int argc, char **argv)
        unsigned long start_lineno = 0, lines_to_process = 0;
        BIGNUM *start = NULL;
 #endif
-#ifdef ENABLE_SK
-       uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
-#endif
 
        extern int optind;
        extern char *optarg;
@@ -3015,15 +3013,19 @@ main(int argc, char **argv)
                case 'x':
                        if (*optarg == '\0')
                                fatal("Missing security key flags");
-                       ull = strtoull(optarg, &ep, 0);
-                       if (*ep != '\0')
-                               fatal("Security key flags \"%s\" is not a "
-                                   "number", optarg);
-                       if (ull > 0xff)
-                               fatal("Invalid security key flags 0x%llx", ull);
-#ifdef ENABLE_SK
-                       sk_flags = (uint8_t)ull;
-#endif
+                       if (strcasecmp(optarg, "no-touch-required") == 0)
+                               sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+                       else {
+                               ull = strtoull(optarg, &ep, 0);
+                               if (*ep != '\0')
+                                       fatal("Security key flags \"%s\" is "
+                                           "not a number", optarg);
+                               if (ull > 0xff) {
+                                       fatal("Invalid security key "
+                                           "flags 0x%llx", ull);
+                               }
+                               sk_flags = (uint8_t)ull;
+                       }
                        break;
                case 'z':
                        errno = 0;