Bugzilla – Attachment 3683 Details for
Bug 3355
no-touch-required flag not restored from hardware token
[patch]
ssh-add: support -O no-touch-required with -K
bz3355-ssh-add.diff (text/plain), 2.95 KB, created by
Damien Miller
on 2023-03-14 18:19:12 AEDT
>diff --git a/ssh-add.1 b/ssh-add.1 >index 4601f5981..37b20dece 100644 >--- a/ssh-add.1 >+++ b/ssh-add.1 >@@ -44,6 +44,7 @@ > .Sh SYNOPSIS > .Nm ssh-add > .Op Fl cDdKkLlqvXx >+.Op Fl O Ar option > .Op Fl E Ar fingerprint_hash > .Op Fl H Ar hostkey_file > .Op Fl h Ar destination_constraint >@@ -219,6 +220,19 @@ Lists public key parameters of all identities currently represented > by the agent. > .It Fl l > Lists fingerprints of all identities currently represented by the agent. >+.It Fl O Ar option >+Specify a key/value option. >+These are specific to the operation that >+.Nm >+has been requested to perform. >+.Pp >+At present only a single option >+.Dq no-touch-required >+is supported, which causes resident keys downloaded from FIDO tokens >+using the >+.Fl K >+option to not require touch events (user presence) when making signatures. >+.Pp > .It Fl q > Be quiet after a successful operation. > .It Fl S Ar provider >diff --git a/ssh-add.c b/ssh-add.c >index 752b86dfc..cff96ad3d 100644 >--- a/ssh-add.c >+++ b/ssh-add.c >@@ -581,7 +581,7 @@ lock_agent(int agent_fd, int lock) > } > > static int >-load_resident_keys(int agent_fd, const char *skprovider, int qflag, >+load_resident_keys(int agent_fd, const char *skprovider, int qflag, int notouch, > struct dest_constraint **dest_constraints, size_t ndest_constraints) > { > struct sshsk_resident_key **srks; >@@ -598,6 +598,8 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag, > } > for (i = 0; i < nsrks; i++) { > key = srks[i]->key; >+ if (notouch) >+ key->sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; > if ((fp = sshkey_fingerprint(key, > fingerprint_hash, SSH_FP_DEFAULT)) == NULL) > fatal_f("sshkey_fingerprint failed"); 
>@@ -792,6 +794,7 @@ main(int argc, char **argv) > char **dest_constraint_strings = NULL, **hostkey_files = NULL; > int r, i, ch, deleting = 0, ret = 0, key_only = 0, do_download = 0; > int xflag = 0, lflag = 0, Dflag = 0, qflag = 0, Tflag = 0; >+ int notouch = 0; > SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; > LogLevel log_level = SYSLOG_LEVEL_INFO; > struct dest_constraint **dest_constraints = NULL; >@@ -822,7 +825,8 @@ main(int argc, char **argv) > > skprovider = getenv("SSH_SK_PROVIDER"); > >- while ((ch = getopt(argc, argv, "vkKlLcdDTxXE:e:h:H:M:m:qs:S:t:")) != -1) { >+ while ((ch = getopt(argc, argv, >+ "e:E:h:H:m:M:O:s:S:t:cdDkKlLqTvxX")) != -1) { > switch (ch) { > case 'v': > if (log_level == SYSLOG_LEVEL_INFO) >@@ -878,6 +882,12 @@ main(int argc, char **argv) > goto done; > } > break; >+ case 'O': >+ if (strcasecmp(optarg, "no-touch-required") == 0) >+ notouch = 1; >+ else >+ fatal("unsupported -O option"); >+ break; > case 'd': > deleting = 1; > break; >@@ -970,7 +980,7 @@ main(int argc, char **argv) > if (do_download) { > if (skprovider == NULL) > fatal("Cannot download keys without provider"); >- if (load_resident_keys(agent_fd, skprovider, qflag, >+ if (load_resident_keys(agent_fd, skprovider, qflag, notouch, > dest_constraints, ndest_constraints) != 0) > ret = 1; > goto done;
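Review bot: In the ssh-add.1 hunk at @@ -219,6 +220,19, the new `-O` entry ends with a `.Pp` placed directly before `.It Fl q`, which opens an empty paragraph at the end of the list item; drop that trailing `.Pp`. The text should also say what happens when `-O no-touch-required` is given without `-K`, since ssh-add.c only uses the value in the key download path.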
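Review bot: In load_resident_keys() (ssh-add.c, @@ -598,6 +598,8), `key->sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;` runs for every entry in srks[], so a single `-O no-touch-required` removes the user-presence requirement from all resident keys downloaded from the token, and nothing in this hunk reports that it happened. Because this relaxes a security property, state "all downloaded keys" in the man page text and emit a debug or verbose message per key when the flag is cleared.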
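Review bot: In the `case 'O':` block added to main() (ssh-add.c, @@ -878,6 +882,12), `fatal("unsupported -O option")` does not name the value that was rejected, which makes a typo in the option hard to spot. Include optarg in the message, for example `fatal("Unsupported -O option \"%s\"", optarg);`.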
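Review bot: At the call site in main() (ssh-add.c, @@ -970,7 +980,7), notouch is consumed only inside `if (do_download)`, so `ssh-add -O no-touch-required` without `-K` is accepted and silently has no effect. Reject that combination after option parsing, for example `if (notouch && !do_download) fatal("-O no-touch-required requires -K");`, so a user does not assume the touch requirement was changed for keys loaded from files.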
Attachments on bug 3355: 3682 | 3683