diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 03:07:09 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-08-27 03:28:36 +0200 |
| commit | 801c9f095e6d8b7b91aefd98f5001c652ea13488 (patch) | |
| tree | 6c6416d6d926939b208eb1f1181f196a554e0734 /servconf.h | |
| parent | upstream: support for user-verified FIDO keys (diff) | |
| download | openssh-801c9f095e6d8b7b91aefd98f5001c652ea13488.tar.xz openssh-801c9f095e6d8b7b91aefd98f5001c652ea13488.zip | |
upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.
feedback and ok markus@
OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
Diffstat (limited to 'servconf.h')
| -rw-r--r-- | servconf.h | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/servconf.h b/servconf.h index 8422f3f51..1df8f3db8 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.145 2020/07/05 23:59:45 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.146 2020/08/27 01:07:10 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -50,7 +50,8 @@ #define INTERNAL_SFTP_NAME "internal-sftp" /* PubkeyAuthOptions flags */ -#define PUBKEYAUTH_TOUCH_REQUIRED 1 +#define PUBKEYAUTH_TOUCH_REQUIRED (1) +#define PUBKEYAUTH_VERIFY_REQUIRED (1<<1) struct ssh; struct fwd_perm_list; |