authordjm@openbsd.org <djm@openbsd.org>2024-11-06 23:51:26 +0100
committerDamien Miller <djm@mindrot.org>2024-11-07 00:49:13 +0100
commit82662d562cf54829df8a941cdfb2fd307e1d9a90 (patch)
tree7be68075a222bfba45111bb406e1da8cd911b1b2 /ssh-agent.c
parentupstream: Ignore extra groups that don't fit in the buffer passed (diff)
upstream: ssh-agent implemented an all-or-nothing allow-list of
FIDO application IDs for security key-backed keys, to prevent web key handles from being used remotely as this would likely lead to unpleasant surprises. By default, only application IDs that start with "ssh:*" are allowed. This adds a -Owebsafe-allow=... argument that can override the default list with a more or less restrictive one. The default remains unchanged. ok markus@ OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d
Diffstat (limited to '')
-rw-r--r--ssh-agent.c19
1 files changed, 16 insertions, 3 deletions
diff --git a/ssh-agent.c b/ssh-agent.c
index 55f3a8520..96c25b9d5 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.308 2024/10/24 03:15:47 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.309 2024/11/06 22:51:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -94,6 +94,9 @@
#ifndef DEFAULT_ALLOWED_PROVIDERS
# define DEFAULT_ALLOWED_PROVIDERS "/usr/lib*/*,/usr/local/lib*/*"
#endif
+#ifndef DEFAULT_WEBSAFE_ALLOWLIST
+# define DEFAULT_WEBSAFE_ALLOWLIST "ssh:*"
+#endif
/* Maximum accepted message length */
#define AGENT_MAX_LEN (256*1024)
@@ -198,6 +201,7 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
+static char *websafe_allowlist;
static void
close_socket(SocketEntry *e)
@@ -925,7 +929,8 @@ process_sign_request2(SocketEntry *e)
}
if (sshkey_is_sk(id->key)) {
if (restrict_websafe &&
- strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+ match_pattern_list(id->key->sk_application,
+ websafe_allowlist, 0) != 1 &&
!check_websafe_message_contents(key, data)) {
/* error already logged */
goto send;
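Review bot: The `!= 1` test on the match_pattern_list() result in the replaced condition is correct but unexplained: the helper returns 1 for a match, 0 for no match and -1 when a negated (`!`) pattern matched, so both non-1 outcomes fall through to check_websafe_message_contents(), and a later "simplification" to `== 0` would quietly turn negated entries into allow entries. The third argument 0 keeps matching case-sensitive, which is what preserves the old strncmp() behaviour for the default `ssh:*`, and that is also worth stating. Suggest a comment above the condition: `/* 1 = application allowed; 0 (no match) and -1 (negated match) both fall through to the content check; matching is case-sensitive */`. process_sign_request2() begins and ends outside the hunk.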
@@ -2212,6 +2217,7 @@ main(int ac, char **av)
int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
int sock, ch, result, saved_errno;
char *shell, *format, *pidstr, *agentsocket = NULL;
+ const char *ccp;
#ifdef HAVE_SETRLIMIT
struct rlimit rlim;
#endif
@@ -2264,7 +2270,12 @@ main(int ac, char **av)
restrict_websafe = 0;
else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
remote_add_provider = 1;
- else
+ else if ((ccp = strprefix(optarg,
+ "websafe-allow=", 0)) != NULL) {
+ if (websafe_allowlist != NULL)
+ fatal("websafe-allow already set");
+ websafe_allowlist = xstrdup(ccp);
+ } else
fatal("Unknown -O option");
break;
case 'P':
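Review bot: The value stored at `websafe_allowlist = xstrdup(ccp);` is accepted without any sanity check and, per the process_sign_request2() hunk, is only consulted while restrict_websafe is non-zero, so `-Ono-restrict-websafe` combined with `-Owebsafe-allow=...` silently wins whatever the order of the two options. Because either may appear later on the command line, the check belongs after the getopt loop, next to where DEFAULT_WEBSAFE_ALLOWLIST is applied: `if (!restrict_websafe && websafe_allowlist != NULL) fatal("websafe-allow conflicts with no-restrict-websafe");`. It is also worth documenting with the option that an empty list (`-Owebsafe-allow=`) matches nothing and is therefore fail-closed, whereas `*` disables the content check entirely. main() continues outside the hunk.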
@@ -2308,6 +2319,8 @@ main(int ac, char **av)
if (allowed_providers == NULL)
allowed_providers = xstrdup(DEFAULT_ALLOWED_PROVIDERS);
+ if (websafe_allowlist == NULL)
+ websafe_allowlist = xstrdup(DEFAULT_WEBSAFE_ALLOWLIST);
if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL");