

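--- a/readconf.c
+++ b/readconf.c
@@ -124,6 +124,7 @@ typedef enum {
 	oPasswordAuthentication, oRSAAuthentication,
 	oChallengeResponseAuthentication, oXAuthLocation,
 	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
+	oCertificateFile,
 	oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
@@ -191,6 +192,7 @@ static struct {
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile },			/* obsolete */
 	{ "identitiesonly", oIdentitiesOnly },
+	{ "certificatefile", oCertificateFile },
 	{ "hostname", oHostName },
 	{ "hostkeyalias", oHostKeyAlias },
 	{ "proxycommand", oProxyCommand },
@@ -354,6 +356,30 @@ clear_forwardings(Options *options)
 }
 
 void
+add_certificate_file(Options *options, const char *path, int userprovided)
+{
+	int i;
+
+	if (options->num_certificate_files >= SSH_MAX_CERTIFICATE_FILES)
+		fatal("Too many certificate files specified (max %d)",
+		    SSH_MAX_CERTIFICATE_FILES);
+
+	/* Avoid registering duplicates */
+	for (i = 0; i < options->num_certificate_files; i++) {
+		if (options->certificate_file_userprovided[i] == userprovided &&
+		    strcmp(options->certificate_files[i], path) == 0) {
+			debug2("%s: ignoring duplicate key %s", __func__, path);
+			return;
+		}
+	}
+
+	options->certificate_file_userprovided[options->num_certificate_files] =
+	    userprovided;
+	options->certificate_files[options->num_certificate_files++] =
+	    xstrdup(path);
+}
+
+void
 add_identity_file(Options *options, const char *dir, const char *filename,
     int userprovided)
 {
@@ -969,6 +995,24 @@ parse_time:
 		}
 		break;
 
+	case oCertificateFile:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.",
+			    filename, linenum);
+		if (*activep) {
+			intptr = &options->num_certificate_files;
+			if (*intptr >= SSH_MAX_CERTIFICATE_FILES) {
+				fatal("%.200s line %d: Too many certificate "
+				    "files specified (max %d).",
+				    filename, linenum,
+				    SSH_MAX_CERTIFICATE_FILES);
+			}
+			add_certificate_file(options, arg,
+			    flags & SSHCONF_USERCONF);
+		}
+		break;
+
 	case oXAuthLocation:
 		charptr=&options->xauth_location;
 		goto parse_string;
@@ -1613,6 +1657,7 @@ initialize_options(Options * options)
 	options->hostkeyalgorithms = NULL;
 	options->protocol = SSH_PROTO_UNKNOWN;
 	options->num_identity_files = 0;
+	options->num_certificate_files = 0;
 	options->hostname = NULL;
 	options->host_key_alias = NULL;
 	options->proxy_command = NULL;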
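Review bot: In the oCertificateFile case, `add_certificate_file(options, arg, flags & SSHCONF_USERCONF)` stores the raw flag bits as userprovided, while the duplicate check inside add_certificate_file compares that stored value with `==` and the `-z` path in ssh.c passes a literal 1; unless SSHCONF_USERCONF happens to equal 1, the same file given via `-z` and again in the user config is registered twice, and `certificate_file_userprovided[]` carries a non-boolean value into pubkey_prepare. Normalize at the call site: `add_certificate_file(options, arg, (flags & SSHCONF_USERCONF) != 0);`. The debug2 in the duplicate loop says "duplicate key" although the argument is a certificate path; `"%s: ignoring duplicate certificate %s"` would be accurate. The new function has no header comment; a line such as `/* Register a CertificateFile/-z path (copied); limit is SSH_MAX_CERTIFICATE_FILES */` above `void` would match the file's style, and the limit check repeated in the parser is worth one comment saying it exists only to report filename and line number.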
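--- a/readconf.h
+++ b/readconf.h
@@ -95,6 +95,11 @@ typedef struct {
 	int    identity_file_userprovided[SSH_MAX_IDENTITY_FILES];
 	struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES];
 
+	int	num_certificate_files; /* Number of extra certificates for ssh. */
+	char	*certificate_files[SSH_MAX_CERTIFICATE_FILES];
+	int	certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES];
+	struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
+
 	/* Local TCP/IP forward requests. */
 	int     num_local_forwards;
 	struct Forward *local_forwards;
@@ -194,5 +199,6 @@ void dump_client_config(Options *o, const char *host);
 void	 add_local_forward(Options *, const struct Forward *);
 void	 add_remote_forward(Options *, const struct Forward *);
 void	 add_identity_file(Options *, const char *, const char *, int);
+void	 add_certificate_file(Options *, const char *, int);
 
 #endif				/* READCONF_H */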
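Review bot: The four new Options fields carry a single comment that does not say who owns what: `certificate_files[]` entries are xstrdup'd by add_certificate_file and later replaced and freed by ssh.c, `certificate_file_userprovided[]` is the flag pubkey_prepare copies into each Identity, and `certificates[]` is filled by load_public_identity_files from the loaded files. A comment on the group such as `/* Certificates named by CertificateFile / -z; paths owned by Options, keys loaded by ssh.c */` would make the lifetime clear to the next reader, since the parallel identity fields just above give no hint either. The prototype `void add_certificate_file(Options *, const char *, int);` could also name its arguments as a trailing comment (`/* path (copied), userprovided */`).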
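--- a/ssh.1
+++ b/ssh.1
@@ -63,6 +63,7 @@
 .Op Fl S Ar ctl_path
 .Op Fl W Ar host : Ns Ar port
 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
+.Op Fl z Ar certificate_file
 .Oo Ar user Ns @ Oc Ns Ar hostname
 .Op Ar command
 .Ek
@@ -304,6 +305,11 @@ It is possible to have multiple
 .Fl i
 options (and multiple identities specified in
 configuration files).
+If no certificates have been explicitly specified by
+.Cm CertificateFile
+or the
+.Fl z
+flag,
 .Nm
 will also try to load certificate information from the filename obtained
 by appending
@@ -468,6 +474,7 @@ For full details of the options listed below, and their possible values, see
 .It CanonicalizeHostname
 .It CanonicalizeMaxDots
 .It CanonicalizePermittedCNAMEs
+.It CertificateFile
 .It ChallengeResponseAuthentication
 .It CheckHostIP
 .It Cipher
@@ -772,6 +779,27 @@ Send log information using the
 .Xr syslog 3
 system module.
 By default this information is sent to stderr.
+.Pp
+.It Fl z Ar certificate_file
+Selects a file from which certificate information is loaded for public
+key authentication.
+For the certificate to be usable, the private key corresponding to
+.Ar certificate_file
+must also be available, whether via
+.Xr ssh_agent 1 ,
+a
+.Cm PKCS11Provider ,
+or through an
+.Cm IdentityFile
+specified on the command line or in configuration files.
+Certificate files may also be specified on a per-host basis in
+the configuration file using the
+.Cm CertificateFile
+option.
+It is possible to have multiple
+.Fl z
+options (and multiple certificates specified in
+configuration files).
 .El
 .Pp
 .Nm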
(-)a/ssh.c (-8 / +63 lines)
Lines 193-199 usage(void) Link Here
193
"           [-O ctl_cmd] [-o option] [-p port]\n"
193
"           [-O ctl_cmd] [-o option] [-p port]\n"
194
"           [-Q cipher | cipher-auth | mac | kex | key]\n"
194
"           [-Q cipher | cipher-auth | mac | kex | key]\n"
195
"           [-R address] [-S ctl_path] [-W host:port]\n"
195
"           [-R address] [-S ctl_path] [-W host:port]\n"
196
"           [-w local_tun[:remote_tun]] [user@]hostname [command]\n"
196
"           [-w local_tun[:remote_tun]] [-z certificate_file]\n"
197
"           [user@]hostname [command]\n"
197
	);
198
	);
198
	exit(255);
199
	exit(255);
199
}
200
}
Lines 565-571 main(int ac, char **av) Link Here
565
566
566
 again:
567
 again:
567
	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
568
	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
568
	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
569
	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYyz:")) != -1) {
569
		switch (opt) {
570
		switch (opt) {
570
		case '1':
571
		case '1':
571
			options.protocol = SSH_PROTO_1;
572
			options.protocol = SSH_PROTO_1;
Lines 879-884 main(int ac, char **av) Link Here
879
		case 'F':
880
		case 'F':
880
			config = optarg;
881
			config = optarg;
881
			break;
882
			break;
883
		case 'z':
884
			add_certificate_file(&options, optarg, 1);
885
			break;
882
		default:
886
		default:
883
			usage();
887
			usage();
884
		}
888
		}
Lines 1306-1311 main(int ac, char **av) Link Here
1306
			options.identity_keys[i] = NULL;
1310
			options.identity_keys[i] = NULL;
1307
		}
1311
		}
1308
	}
1312
	}
1313
	for (i = 0; i < options.num_certificate_files; i++) {
1314
		free(options.certificate_files[i]);
1315
		options.certificate_files[i] = NULL;
1316
	}
1309
1317
1310
	exit_status = compat20 ? ssh_session2() : ssh_session();
1318
	exit_status = compat20 ? ssh_session2() : ssh_session();
1311
	packet_close();
1319
	packet_close();
Lines 1892-1916 ssh_session2(void) Link Here
1892
	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
1900
	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
1893
}
1901
}
1894
1902
1903
/* Loads all IdentityFile and CertificateFile keys */
1895
static void
1904
static void
1896
load_public_identity_files(void)
1905
load_public_identity_files(void)
1897
{
1906
{
1898
	char *filename, *cp, thishost[NI_MAXHOST];
1907
	char *filename, *cp, thishost[NI_MAXHOST];
1899
	char *pwdir = NULL, *pwname = NULL;
1908
	char *pwdir = NULL, *pwname = NULL;
1900
	int i = 0;
1901
	Key *public;
1909
	Key *public;
1902
	struct passwd *pw;
1910
	struct passwd *pw;
1903
	u_int n_ids;
1911
	int i;
1912
	u_int n_ids, n_certs;
1904
	char *identity_files[SSH_MAX_IDENTITY_FILES];
1913
	char *identity_files[SSH_MAX_IDENTITY_FILES];
1905
	Key *identity_keys[SSH_MAX_IDENTITY_FILES];
1914
	Key *identity_keys[SSH_MAX_IDENTITY_FILES];
1915
	char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
1916
	struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
1906
#ifdef ENABLE_PKCS11
1917
#ifdef ENABLE_PKCS11
1907
	Key **keys;
1918
	Key **keys;
1908
	int nkeys;
1919
	int nkeys;
1909
#endif /* PKCS11 */
1920
#endif /* PKCS11 */
1910
1921
1911
	n_ids = 0;
1922
	n_ids = n_certs = 0;
1912
	memset(identity_files, 0, sizeof(identity_files));
1923
	memset(identity_files, 0, sizeof(identity_files));
1913
	memset(identity_keys, 0, sizeof(identity_keys));
1924
	memset(identity_keys, 0, sizeof(identity_keys));
1925
	memset(certificate_files, 0, sizeof(certificate_files));
1926
	memset(certificates, 0, sizeof(certificates));
1914
1927
1915
#ifdef ENABLE_PKCS11
1928
#ifdef ENABLE_PKCS11
1916
	if (options.pkcs11_provider != NULL &&
1929
	if (options.pkcs11_provider != NULL &&
Lines 1942-1947 load_public_identity_files(void) Link Here
1942
		if (n_ids >= SSH_MAX_IDENTITY_FILES ||
1955
		if (n_ids >= SSH_MAX_IDENTITY_FILES ||
1943
		    strcasecmp(options.identity_files[i], "none") == 0) {
1956
		    strcasecmp(options.identity_files[i], "none") == 0) {
1944
			free(options.identity_files[i]);
1957
			free(options.identity_files[i]);
1958
			options.identity_files[i] = NULL;
1945
			continue;
1959
			continue;
1946
		}
1960
		}
1947
		cp = tilde_expand_filename(options.identity_files[i],
1961
		cp = tilde_expand_filename(options.identity_files[i],
Lines 1960-1966 load_public_identity_files(void) Link Here
1960
		if (++n_ids >= SSH_MAX_IDENTITY_FILES)
1974
		if (++n_ids >= SSH_MAX_IDENTITY_FILES)
1961
			continue;
1975
			continue;
1962
1976
1963
		/* Try to add the certificate variant too */
1977
		/*
1978
		 * If no certificates have been explicitly listed then try
1979
		 * to add the default certificate variant too.
1980
		 */
1981
		if (options.num_certificate_files != 0)
1982
			continue;
1964
		xasprintf(&cp, "%s-cert", filename);
1983
		xasprintf(&cp, "%s-cert", filename);
1965
		public = key_load_public(cp, NULL);
1984
		public = key_load_public(cp, NULL);
1966
		debug("identity file %s type %d", cp,
1985
		debug("identity file %s type %d", cp,
Lines 1977-1990 load_public_identity_files(void) Link Here
1977
			continue;
1996
			continue;
1978
		}
1997
		}
1979
		identity_keys[n_ids] = public;
1998
		identity_keys[n_ids] = public;
1980
		/* point to the original path, most likely the private key */
1999
		identity_files[n_ids] = cp;
1981
		identity_files[n_ids] = xstrdup(filename);
1982
		n_ids++;
2000
		n_ids++;
1983
	}
2001
	}
2002
2003
	if (options.num_certificate_files > SSH_MAX_CERTIFICATE_FILES)
2004
		fatal("%s: too many certificates", __func__);
2005
	for (i = 0; i < options.num_certificate_files; i++) {
2006
		cp = tilde_expand_filename(options.certificate_files[i],
2007
		    original_real_uid);
2008
		filename = percent_expand(cp, "d", pwdir,
2009
		    "u", pwname, "l", thishost, "h", host,
2010
		    "r", options.user, (char *)NULL);
2011
		free(cp);
2012
2013
		public = key_load_public(filename, NULL);
2014
		debug("certificate file %s type %d", filename,
2015
		    public ? public->type : -1);
2016
		free(options.certificate_files[i]);
2017
		options.certificate_files[i] = NULL;
2018
		if (public == NULL) {
2019
			free(filename);
2020
			continue;
2021
		}
2022
		if (!key_is_cert(public)) {
2023
			debug("%s: key %s type %s is not a certificate",
2024
			    __func__, filename, key_type(public));
2025
			key_free(public);
2026
			free(filename);
2027
			continue;
2028
		}
2029
		certificate_files[n_certs] = filename;
2030
		certificates[n_certs] = public;
2031
		++n_certs;
2032
	}
2033
1984
	options.num_identity_files = n_ids;
2034
	options.num_identity_files = n_ids;
1985
	memcpy(options.identity_files, identity_files, sizeof(identity_files));
2035
	memcpy(options.identity_files, identity_files, sizeof(identity_files));
1986
	memcpy(options.identity_keys, identity_keys, sizeof(identity_keys));
2036
	memcpy(options.identity_keys, identity_keys, sizeof(identity_keys));
1987
2037
2038
	options.num_certificate_files = n_certs;
2039
	memcpy(options.certificate_files,
2040
	    certificate_files, sizeof(certificate_files));
2041
	memcpy(options.certificates, certificates, sizeof(certificates));
2042
1988
	explicit_bzero(pwname, strlen(pwname));
2043
	explicit_bzero(pwname, strlen(pwname));
1989
	free(pwname);
2044
	free(pwname);
1990
	explicit_bzero(pwdir, strlen(pwdir));
2045
	explicit_bzero(pwdir, strlen(pwdir));
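Review bot: The cleanup loop added before `ssh_session2()` in main frees `options.certificate_files[i]` but leaves `options.certificates[i]`, which load_public_identity_files fills with sshkey pointers and pubkey_prepare hands to Identity entries by pointer; the identity loop just above it clears `identity_keys`, so either the certificate keys need the same treatment once authentication is done or a comment should state that pubkey_cleanup owns them by then — the owner is not visible in the hunks shown. In load_public_identity_files the replacement `identity_files[n_ids] = cp;` silently changes what a certificate Identity's filename means (the `-cert` path instead of the private-key path the removed comment documented); a one-line comment such as `/* store the cert path; sign_and_send_pubkey matches the private key by public key */` would keep that intent visible. The new certificate loop accepts no `none` value, unlike the identity loop a few lines above, so a more specific Host block cannot clear certificates inherited from a global CertificateFile; if that is intended, ssh_config.5 should say so. load_public_identity_files and main both extend beyond the hunks shown.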
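--- a/ssh.h
+++ b/ssh.h
@@ -19,6 +19,12 @@
 #define SSH_DEFAULT_PORT	22
 
 /*
+ * Maximum number of certificate files that can be specified
+ * in configuration files or on the command line.
+ */
+#define SSH_MAX_CERTIFICATE_FILES	100
+
+/*
  * Maximum number of RSA authentication identity files that can be specified
  * in configuration files or on the command line.
  */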
(-)a/ssh_config.5 (-2 / +52 lines)
Lines 325-330 to be canonicalized to names in the Link Here
325
or
325
or
326
.Dq *.c.example.com
326
.Dq *.c.example.com
327
domains.
327
domains.
328
.It Cm CertificateFile
329
Specifies a file from which the user's certificate is read.
330
A corresponding private key must be provided separately in order
331
to use this certificate either
332
from an
333
.Cm IdentityFile
334
directive or
335
.Fl i
336
flag to
337
.Xr ssh 1 ,
338
via
339
.Xr ssh-agent 1 ,
340
or via a
341
.Cm PKCS11Provider .
342
.Pp
343
The file name may use the tilde
344
syntax to refer to a user's home directory or one of the following
345
escape characters:
346
.Ql %d
347
(local user's home directory),
348
.Ql %u
349
(local user name),
350
.Ql %l
351
(local host name),
352
.Ql %h
353
(remote host name) or
354
.Ql %r
355
(remote user name).
356
.Pp
357
It is possible to have multiple certificate files specified in
358
configuration files; these certificates will be tried in sequence.
359
Multiple
360
.Cm CertificateFile
361
directives will add to the list of certificates used for
362
authentication.
328
.It Cm ChallengeResponseAuthentication
363
.It Cm ChallengeResponseAuthentication
329
Specifies whether to use challenge-response authentication.
364
Specifies whether to use challenge-response authentication.
330
The argument to this keyword must be
365
The argument to this keyword must be
Lines 868-876 specifications). Link Here
868
.It Cm IdentitiesOnly
903
.It Cm IdentitiesOnly
869
Specifies that
904
Specifies that
870
.Xr ssh 1
905
.Xr ssh 1
871
should only use the authentication identity files configured in the
906
should only use the authentication identity and certificate files explicitly
907
configured in the
872
.Nm
908
.Nm
873
files,
909
files
910
or passed on the
911
.Xr ssh 1
912
command-line,
874
even if
913
even if
875
.Xr ssh-agent 1
914
.Xr ssh-agent 1
876
or a
915
or a
Lines 900-905 Additionally, any identities represented by the authentication agent Link Here
900
will be used for authentication unless
939
will be used for authentication unless
901
.Cm IdentitiesOnly
940
.Cm IdentitiesOnly
902
is set.
941
is set.
942
If no certificates have been explicitly specified by
943
.Cm CertificateFile
944
or the
945
.Xr ssh 1
946
.Fl z
947
flag,
903
.Xr ssh 1
948
.Xr ssh 1
904
will try to load certificate information from the filename obtained by
949
will try to load certificate information from the filename obtained by
905
appending
950
appending
Lines 933-938 differs from that of other configuration directives). Link Here
933
may be used in conjunction with
978
may be used in conjunction with
934
.Cm IdentitiesOnly
979
.Cm IdentitiesOnly
935
to select which identities in an agent are offered during authentication.
980
to select which identities in an agent are offered during authentication.
981
.Cm IdentityFile
982
may also be used in conjunction with
983
.Cm CertificateFile
984
in order to provide any certificate also needed for authentication with
985
the identity.
936
.It Cm IgnoreUnknown
986
.It Cm IgnoreUnknown
937
Specifies a pattern-list of unknown options to be ignored if they are
987
Specifies a pattern-list of unknown options to be ignored if they are
938
encountered in configuration parsing.
988
encountered in configuration parsing.
(-)a/sshconnect2.c (-8 / +51 lines)
Lines 993-1010 static int Link Here
993
sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
993
sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
994
{
994
{
995
	Buffer b;
995
	Buffer b;
996
	Identity *private_id;
996
	u_char *blob, *signature;
997
	u_char *blob, *signature;
997
	u_int bloblen;
998
	size_t slen;
998
	size_t slen;
999
	u_int skip = 0;
999
	u_int bloblen, skip = 0;
1000
	int ret = -1;
1000
	int matched, ret = -1, have_sig = 1;
1001
	int have_sig = 1;
1002
	char *fp;
1001
	char *fp;
1003
1002
1004
	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
1003
	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
1005
	    SSH_FP_DEFAULT)) == NULL)
1004
	    SSH_FP_DEFAULT)) == NULL)
1006
		return 0;
1005
		return 0;
1007
	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
1006
	debug3("%s: %s %s", __func__, key_type(id->key), fp);
1008
	free(fp);
1007
	free(fp);
1009
1008
1010
	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1009
	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
Lines 1036-1041 sign_and_send_pubkey(Authctxt *authctxt, Identity *id) Link Here
1036
	}
1035
	}
1037
	buffer_put_string(&b, blob, bloblen);
1036
	buffer_put_string(&b, blob, bloblen);
1038
1037
1038
	/*
1039
	 * If the key is an certificate, try to find a matching private key
1040
	 * and use it to complete the signature.
1041
	 * If no such private key exists, return failure and continue with
1042
	 * other methods of authentication.
1043
	 */
1044
	if (key_is_cert(id->key)) {
1045
		matched = 0;
1046
		TAILQ_FOREACH(private_id, &authctxt->keys, next) {
1047
			if (sshkey_equal_public(id->key, private_id->key) &&
1048
			    id->key->type != private_id->key->type) {
1049
				id = private_id;
1050
				matched = 1;
1051
				break;
1052
			}
1053
		}
1054
		if (matched) {
1055
			debug2("%s: using private key \"%s\"%s for "
1056
			    "certificate", __func__, id->filename,
1057
			    id->agent_fd != -1 ? " from agent" : "");
1058
		} else {
1059
			/* XXX maybe verbose/error? */
1060
			debug("%s: no private key for certificate "
1061
			    "\"%s\"", __func__, id->filename);
1062
			free(blob);
1063
			buffer_free(&b);
1064
			return 0;
1065
		}
1066
	}
1067
1039
	/* generate signature */
1068
	/* generate signature */
1040
	ret = identity_sign(id, &signature, &slen,
1069
	ret = identity_sign(id, &signature, &slen,
1041
	    buffer_ptr(&b), buffer_len(&b), datafellows);
1070
	    buffer_ptr(&b), buffer_len(&b), datafellows);
Lines 1172-1180 load_identity_file(char *filename, int userprovided) Link Here
1172
1201
1173
/*
1202
/*
1174
 * try keys in the following order:
1203
 * try keys in the following order:
1175
 *	1. agent keys that are found in the config file
1204
 * 	1. certificates listed in the config file
1176
 *	2. other agent keys
1205
 * 	2. other input certificates
1177
 *	3. keys that are only listed in the config file
1206
 *	3. agent keys that are found in the config file
1207
 *	4. other agent keys
1208
 *	5. keys that are only listed in the config file
1178
 */
1209
 */
1179
static void
1210
static void
1180
pubkey_prepare(Authctxt *authctxt)
1211
pubkey_prepare(Authctxt *authctxt)
Lines 1228-1233 pubkey_prepare(Authctxt *authctxt) Link Here
1228
			free(id);
1259
			free(id);
1229
		}
1260
		}
1230
	}
1261
	}
1262
	/* list of certificates specified by user */
1263
	for (i = 0; i < options.num_certificate_files; i++) {
1264
		key = options.certificates[i];
1265
		if (!key_is_cert(key) || key->cert == NULL ||
1266
		    key->cert->type != SSH2_CERT_TYPE_USER)
1267
			continue;
1268
		id = xcalloc(1, sizeof(*id));
1269
		id->key = key;
1270
		id->filename = xstrdup(options.certificate_files[i]);
1271
		id->userprovided = options.certificate_file_userprovided[i];
1272
		TAILQ_INSERT_TAIL(preferred, id, next);
1273
	}
1231
	/* list of keys supported by the agent */
1274
	/* list of keys supported by the agent */
1232
	if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
1275
	if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
1233
		if (r != SSH_ERR_AGENT_NOT_PRESENT)
1276
		if (r != SSH_ERR_AGENT_NOT_PRESENT)
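Review bot: The certificate loop added to pubkey_prepare takes `options.certificates[i]` by pointer (`id->key = key`) without clearing the slot in options, so the same sshkey is now reachable from both the Identity list and Options; if pubkey_cleanup frees `id->key`, anything that later frees `options.certificates[]` double-frees, and if it does not, the key leaks. Transfer ownership explicitly with `options.certificates[i] = NULL;` right after `key = options.certificates[i];`, so exactly one holder remains. The `continue` for a non-user certificate is silent even though the user named that file explicitly; `debug("%s: skipping non-user certificate %s", __func__, options.certificate_files[i]);` before the `continue` would make a mis-specified host certificate diagnosable. In sign_and_send_pubkey the match loop breaks on its first hit, so when both the agent and an IdentityFile hold the certificate's private key the earlier list entry is used; stating that in the block comment (`the first matching private key in authctxt->keys wins`) saves the next reader a trace. pubkey_prepare and sign_and_send_pubkey both continue outside the hunks shown.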
