authorEd Maste <emaste@FreeBSD.org>2023-07-21 15:59:09 +0000
committerEd Maste <emaste@FreeBSD.org>2023-07-21 16:08:12 +0000
commit039d7ad8ee6b6c40044123a118b037179ac7c203 (patch)
treee7335ce03636d0eca0064ea9d223898b63d16b18
parentabf778208f101f57ecf402230c69222641f0a032 (diff)
ssh-agent: document "-O no-restrict-websafe"
OpenSSH commits 9fd2441113fc and 4a4883664d6b, which are part of OpenSSH 9.2p1. Sponsored by: The FreeBSD Foundation
-rw-r--r--crypto/openssh/ssh-agent.127
-rw-r--r--crypto/openssh/ssh-agent.c8
2 files changed, 29 insertions, 6 deletions
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index 8844b2eb45e8..b9d28b8e103e 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.75 2022/10/07 06:00:58 jmc Exp $
.\" $FreeBSD$
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: October 7 2022 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -47,11 +47,13 @@
.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Nm ssh-agent
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Ar command Op Ar arg ...
@@ -103,6 +105,27 @@ The default is
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
+.It Fl O Ar option
+Specify an option when starting
+.Nm .
+Currently only one option is supported:
+.Cm no-restrict-websafe .
+This instructs
+.Nm
+to permit signatures using FIDO keys that might be web authentication
+requests.
+By default,
+.Nm
+refuses signature requests for FIDO keys where the key application string
+does not start with
+.Dq ssh:
+and when the data to be signed does not appear to be a
+.Xr ssh 1
+user authentication request or a
+.Xr ssh-keygen 1
+signature.
+The default behaviour prevents forwarded access to a FIDO key from also
+implicitly forwarding the ability to authenticate to websites.
.It Fl P Ar allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
authenticator middleware shared libraries that may be used with the
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 2c2c7a639907..9f376f83a798 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.292 2022/09/17 10:11:29 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.293 2022/10/07 06:00:58 jmc Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2015,9 +2015,9 @@ usage(void)
{
fprintf(stderr,
"usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- " [-P allowed_providers] [-t life]\n"
- " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
- " [-t life] command [arg ...]\n"
+ " [-O option] [-P allowed_providers] [-t life]\n"
+ " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
+ " [-P allowed_providers] [-t life] command [arg ...]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
}
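Review bot: The usage text now advertises `-O option` in both synopses but gives no hint of what values are accepted, and nothing in usage() ties it to the manual page where this commit documents the single current value, no-restrict-websafe, and the FIDO web-authentication restriction it relaxes. Since this change had to update ssh-agent.1 and usage() in lockstep, a short comment above the fprintf would make that coupling explicit for the next option added: `/* Keep in sync with the SYNOPSIS in ssh-agent.1; valid -O values are documented there. */`. The handling of unknown -O values is outside this hunk, so whether a bad value falls through to usage() cannot be confirmed from here.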