Bugzilla – Attachment 3439 Details for
Bug 2670
Add ssh_config option that sets the lifetime of the key if added via AddKeysToAgent
[patch]
AddKeysToAgent with interval support
bz2670.diff (text/plain), 6.37 KB, created by
Damien Miller
on 2020-08-07 14:10:20 AEST
Description:
AddKeysToAgent with interval support
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2020-08-07 14:10:20 AEST
Size:
6.37 KB
patch
obsolete
>commit 9af4e03f07ede92d42b8fdd6b6d16dead4df6e49
>Author: Damien Miller <djm@mindrot.org>
>Date: Mon Jul 20 19:38:40 2020 +1000
>
> addkeystoagent-lifespan
>
>diff --git a/readconf.c b/readconf.c
>index 8f92067..4db3a0a 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -863,6 +863,21 @@ static const struct multistate multistate_compression[] = {
> { NULL, -1 }
> };
>
>+static int
>+parse_multistate_value(const char *arg, const char *filename, int linenum,
>+ const struct multistate *multistate_ptr)
>+{
>+ int i;
>+
>+ if (!arg || *arg == '\0')
>+ fatal("%s line %d: missing argument.", filename, linenum);
>+ for (i = 0; multistate_ptr[i].key != NULL; i++) {
>+ if (strcasecmp(arg, multistate_ptr[i].key) == 0)
>+ return multistate_ptr[i].value;
>+ }
>+ return -1;
>+}
>+
> /*
> * Processes a single option line as used in the configuration files. This
> * only sets those values that have not already been set.
>@@ -986,19 +1001,11 @@ parse_time:
> multistate_ptr = multistate_flag;
> parse_multistate:
> arg = strdelim(&s);
>- if (!arg || *arg == '\0')
>- fatal("%s line %d: missing argument.",
>- filename, linenum);
>- value = -1;
>- for (i = 0; multistate_ptr[i].key != NULL; i++) {
>- if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
>- value = multistate_ptr[i].value;
>- break;
>- }
>- }
>- if (value == -1)
>+ if ((value = parse_multistate_value(arg, filename, linenum,
>+ multistate_ptr)) == -1) {
> fatal("%s line %d: unsupported option \"%s\".",
> filename, linenum, arg);
>+ }
> if (*activep && *intptr == -1)
> *intptr = value;
> break;
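Review bot: parse_multistate_value() has two different failure modes — a missing or empty argument terminates the process via fatal(), while an unrecognised keyword returns -1 — and the oAddKeysToAgent case later in this patch relies on exactly that split (-1 is treated as "try to parse it as a time interval"). That contract is not stated anywhere, so a header comment on the new helper would help the next caller: `/* Look up arg in multistate_ptr; fatal() if arg is missing, -1 if it matches no key. */`. The parse_multistate hunk keeps its existing fatal() on -1, so behaviour there is unchanged.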
>@@ -1786,9 +1793,42 @@ parse_keytypes:
> goto parse_keytypes;
>
> case oAddKeysToAgent:
>- intptr = &options->add_keys_to_agent;
>- multistate_ptr = multistate_yesnoaskconfirm;
>- goto parse_multistate;
>+ arg = strdelim(&s);
>+ arg2 = strdelim(&s);
>+ value = parse_multistate_value(arg, filename, linenum,
>+ multistate_yesnoaskconfirm);
>+ value2 = 0; /* unlimited lifespan by default */
>+ if (value == 3 && arg2 != NULL) {
>+ /* allow "AddKeysToAgent confirm 5m" */
>+ if ((value2 = convtime(arg2)) == -1 || value2 > INT_MAX)
>+ fatal("%s line %d: invalid time value.",
>+ filename, linenum);
>+ } else if (value == -1 && arg2 == NULL) {
>+ if ((value2 = convtime(arg)) == -1 || value2 > INT_MAX)
>+ fatal("%s line %d: unsupported option",
>+ filename, linenum);
>+ value = 1; /* yes */
>+ } else if (value == -1 || arg2 != NULL) {
>+ fatal("%s line %d: unsupported option",
>+ filename, linenum);
>+ }
>+ if (*activep && options->add_keys_to_agent == -1) {
>+ options->add_keys_to_agent = value;
>+ options->add_keys_to_agent_lifespan = value2;
>+ }
>+ break;
>+
>+ arg = strdelim(&s);
>+ if (!arg || *arg == '\0')
>+ fatal("%s line %d: missing time value.",
>+ filename, linenum);
>+ if (strcmp(arg, "none") == 0)
>+ value = -1;
>+ else if ((value = convtime(arg)) == -1 || value > INT_MAX)
>+ fatal("%s line %d: invalid time value.",
>+ filename, linenum);
>+ if (*activep && *intptr == -1)
>+ *intptr = value;
>
> case oIdentityAgent:
> charptr = &options->identity_agent;
>@@ -2002,6 +2042,7 @@ initialize_options(Options * options)
> options->permit_local_command = -1;
> options->remote_command = NULL;
> options->add_keys_to_agent = -1;
>+ options->add_keys_to_agent_lifespan = -1;
> options->identity_agent = NULL;
> options->visual_host_key = -1;
> options->ip_qos_interactive = -1;
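Review bot: The eleven added lines between `break;` and `case oIdentityAgent:` (the second `arg = strdelim(&s);` through `*intptr = value;`) are unreachable leftovers of an earlier draft and should be deleted before this lands; they read `intptr`, which this case no longer sets, and they have no `break`, so if the `break;` above them were ever removed they would both dereference a stale pointer and fall through into oIdentityAgent. In the live code, `value == 3` stands for the "confirm" entry of multistate_yesnoaskconfirm and the same literal is repeated in dump_client_config and sshconnect.c, so a `/* 3 == confirm */` comment or a named constant would make the coupling visible. If `value2` and convtime()'s return are both `int`, the `value2 > INT_MAX` guard can never fire — worth confirming the declared types. Note also that a zero interval (if convtime() accepts "0", as it appears to) is stored as `value2 = 0`, which the comment defines as unlimited lifespan, so `AddKeysToAgent 0` quietly means "yes, never expire" — either reject 0 or say so in ssh_config.5.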
>@@ -2109,8 +2150,10 @@ fill_default_options(Options * options)
> if (options->number_of_password_prompts == -1)
> options->number_of_password_prompts = 3;
> /* options->hostkeyalgorithms, default set in myproposals.h */
>- if (options->add_keys_to_agent == -1)
>+ if (options->add_keys_to_agent == -1) {
> options->add_keys_to_agent = 0;
>+ options->add_keys_to_agent_lifespan = 0;
>+ }
> if (options->num_identity_files == 0) {
> add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
> add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
>@@ -2707,7 +2750,6 @@ dump_client_config(Options *o, const char *host)
> dump_cfg_int(oPort, o->port);
>
> /* Flag options */
>- dump_cfg_fmtint(oAddKeysToAgent, o->add_keys_to_agent);
> dump_cfg_fmtint(oAddressFamily, o->address_family);
> dump_cfg_fmtint(oBatchMode, o->batch_mode);
> dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
>@@ -2795,6 +2837,15 @@ dump_client_config(Options *o, const char *host)
>
> /* Special cases */
>
>+ /* AddKeysToAgent */
>+ if (o->add_keys_to_agent_lifespan <= 0)
>+ dump_cfg_fmtint(oAddKeysToAgent, o->add_keys_to_agent);
>+ else {
>+ printf("addkeystoagent%s %d\n",
>+ o->add_keys_to_agent == 3 ? " confirm" : "",
>+ o->add_keys_to_agent_lifespan);
>+ }
>+
> /* oForwardAgent */
> if (o->forward_agent_sock_path == NULL)
> dump_cfg_fmtint(oForwardAgent, o->forward_agent);
>diff --git a/readconf.h b/readconf.h
>index e143a10..a6f4a4f 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -97,6 +97,7 @@ typedef struct {
> struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
>
> int add_keys_to_agent;
>+ int add_keys_to_agent_lifespan;
> char *identity_agent; /* Optional path to ssh-agent socket */
>
> /* Local TCP/IP forward requests. */
>diff --git a/ssh_config.5 b/ssh_config.5
>index 5ffc9e3..5dbd36a 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
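Review bot: The new "Special cases" branch in dump_client_config prints the lifetime form only when `add_keys_to_agent == 3`, silently dropping any other mode; the parser hunk rejects `yes`/`ask` with an interval, so this is consistent today, but the invariant lives three hunks away and is carried by a bare literal. A comment on the `else` branch would pin it: `/* lifespan > 0 only with "yes" (1) or "confirm" (3); see oAddKeysToAgent */`. The `<= 0` test also covers the -1 set by initialize_options(), which is fine, but a reader has to check that for themselves.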
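Review bot: The new `add_keys_to_agent_lifespan` field in readconf.h has no comment, while the neighbouring `identity_agent` field does, and its encoding is not obvious (the parser hunk uses 0 for "unlimited" and initialize_options() uses -1 for "unset"). A trailing comment on the declaration would capture that: `int add_keys_to_agent_lifespan; /* seconds; 0 = never expire, -1 = unset */`. The struct definition starts and ends outside this hunk.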
>@@ -245,13 +245,22 @@ option was specified to
> If this option is set to
> .Cm no ,
> no keys are added to the agent.
>+Alternately, this option may be specified as a time interval
>+using the format described in the
>+.Sx TIME FORMATS
>+section of
>+.Xr sshd_config 5
>+to specify the key's lifetime in
>+.Xr ssh-agent 1 ,
>+after which it will automatically be removed.
> The argument must be
>-.Cm yes ,
>-.Cm confirm ,
>-.Cm ask ,
>-or
> .Cm no
>-(the default).
>+(the default),
>+.Cm yes ,
>+.Cm confirm
>+(optionally followed by a time interval),
>+.Cm ask
>+or a time interval.
> .It Cm AddressFamily
> Specifies which address family to use when connecting.
> Valid arguments are
>diff --git a/sshconnect.c b/sshconnect.c
>index 3b17241..7c2b6f2 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -1395,7 +1395,8 @@ maybe_add_key_to_agent(const char *authfile, struct sshkey *private,
> if (sshkey_is_sk(private))
> skprovider = options.sk_provider;
> if ((r = ssh_add_identity_constrained(auth_sock, private,
>- comment == NULL ? authfile : comment, 0,
>+ comment == NULL ? authfile : comment,
>+ options.add_keys_to_agent_lifespan,
> (options.add_keys_to_agent == 3), 0, skprovider)) == 0)
> debug("identity added to agent: %s", authfile);
> else
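Review bot: `options.add_keys_to_agent_lifespan` is passed straight through as the agent lifetime in the sshconnect.c hunk, but it is an `int` that initialize_options() sets to -1 and that fill_default_options() only normalises to 0 when add_keys_to_agent was itself unset, so this call relies on the readconf parser always having written both fields together. If ssh_add_identity_constrained() takes the lifetime as an unsigned type (its prototype is not visible here), a stray -1 would become a maximal lifetime rather than "no expiry", which is the opposite of safe for a key that was meant to be short-lived. A cheap guard and a comment at the call site would remove the doubt: `/* 0 == no lifetime constraint; always set alongside add_keys_to_agent in readconf.c */` and `options.add_keys_to_agent_lifespan > 0 ? options.add_keys_to_agent_lifespan : 0,`. maybe_add_key_to_agent() starts before this hunk and continues after it.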
Flags:
dtucker
:
ok+