mirror of https://github.com/Azure/sonic-openssh.git
upstream: prepare for use of ssh-keygen -O flag beyond certs
Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@ OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
Parent: 20ccd85424
Commit: 1e645fe767
188 ssh-keygen.1
@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: December 27 2019 $
.Dd $Mdocdate: December 30 2019 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@ -458,97 +458,10 @@ Please see the
section for details.
.It Fl O Ar option
Specify a certificate option when signing a key.
This option may be specified multiple times.
See also the
See the
.Sx CERTIFICATES
section for further details.
.Pp
At present, no standard options are valid for host keys.
The options that are valid for user certificates are:
.Pp
.Bl -tag -width Ds -compact
.It Ic clear
Clear all enabled permissions.
This is useful for clearing the default set of permissions so permissions may
be added individually.
.Pp
.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
Includes an arbitrary certificate critical option or extension.
The specified
.Ar name
should include a domain suffix, e.g.\&
.Dq name@example.com .
If
.Ar contents
is specified then it is included as the contents of the extension/option
encoded as a string, otherwise the extension/option is created with no
contents (usually indicating a flag).
Extensions may be ignored by a client or server that does not recognise them,
whereas unknown critical options will cause the certificate to be refused.
.Pp
.It Ic force-command Ns = Ns Ar command
Forces the execution of
.Ar command
instead of any shell or command specified by the user when
the certificate is used for authentication.
.Pp
.It Ic no-agent-forwarding
Disable
.Xr ssh-agent 1
forwarding (permitted by default).
.Pp
.It Ic no-port-forwarding
Disable port forwarding (permitted by default).
.Pp
.It Ic no-pty
Disable PTY allocation (permitted by default).
.Pp
.It Ic no-user-rc
Disable execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8
(permitted by default).
.Pp
.It Ic no-x11-forwarding
Disable X11 forwarding (permitted by default).
.Pp
.It Ic permit-agent-forwarding
Allows
.Xr ssh-agent 1
forwarding.
.Pp
.It Ic permit-port-forwarding
Allows port forwarding.
.Pp
.It Ic permit-pty
Allows PTY allocation.
.Pp
.It Ic permit-user-rc
Allows execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8 .
.Pp
.It Ic permit-X11-forwarding
Allows X11 forwarding.
.Pp
.It Ic no-touch-required
Do not require signatures made using this key require demonstration
of user presence (e.g. by having the user touch the key).
This option only makes sense for the FIDO authenticator algorithms
.Cm ecdsa-sk
and
.Cm ed25519-sk .
.Pp
.It Ic source-address Ns = Ns Ar address_list
Restrict the source addresses from which the certificate is considered valid.
The
.Ar address_list
is a comma-separated list of one or more address/netmask pairs in CIDR
format.
.El
section for a list of available certificate options.
This option may be specified multiple times.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.It Fl p
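Review bot: the reworded -O entry still defines the flag solely as "Specify a certificate option when signing a key", while the commit title says -O is being prepared for use beyond certificates; once a non-certificate consumer lands this sentence becomes wrong, so consider generalizing it now (for example "Specify an option; the meaning depends on the operation being performed") and keeping the certificate-specific wording in the CERTIFICATES section that the entry now points to. Moving "This option may be specified multiple times." after the cross-reference reads fine.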
@ -899,9 +812,94 @@ be specified through certificate options.
A certificate option may disable features of the SSH session, may be
valid only when presented from particular source addresses or may
force the use of a specific command.
For a list of valid certificate options, see the documentation for the
.Fl O
option above.
.Pp
The options that are valid for user certificates are:
.Pp
.Bl -tag -width Ds -compact
.It Ic clear
Clear all enabled permissions.
This is useful for clearing the default set of permissions so permissions may
be added individually.
.Pp
.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
Includes an arbitrary certificate critical option or extension.
The specified
.Ar name
should include a domain suffix, e.g.\&
.Dq name@example.com .
If
.Ar contents
is specified then it is included as the contents of the extension/option
encoded as a string, otherwise the extension/option is created with no
contents (usually indicating a flag).
Extensions may be ignored by a client or server that does not recognise them,
whereas unknown critical options will cause the certificate to be refused.
.Pp
.It Ic force-command Ns = Ns Ar command
Forces the execution of
.Ar command
instead of any shell or command specified by the user when
the certificate is used for authentication.
.Pp
.It Ic no-agent-forwarding
Disable
.Xr ssh-agent 1
forwarding (permitted by default).
.Pp
.It Ic no-port-forwarding
Disable port forwarding (permitted by default).
.Pp
.It Ic no-pty
Disable PTY allocation (permitted by default).
.Pp
.It Ic no-user-rc
Disable execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8
(permitted by default).
.Pp
.It Ic no-x11-forwarding
Disable X11 forwarding (permitted by default).
.Pp
.It Ic permit-agent-forwarding
Allows
.Xr ssh-agent 1
forwarding.
.Pp
.It Ic permit-port-forwarding
Allows port forwarding.
.Pp
.It Ic permit-pty
Allows PTY allocation.
.Pp
.It Ic permit-user-rc
Allows execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8 .
.Pp
.It Ic permit-X11-forwarding
Allows X11 forwarding.
.Pp
.It Ic no-touch-required
Do not require signatures made using this key require demonstration
of user presence (e.g. by having the user touch the key).
This option only makes sense for the Security Key algorithms
.Cm ecdsa-sk
and
.Cm ed25519-sk .
.Pp
.It Ic source-address Ns = Ns Ar address_list
Restrict the source addresses from which the certificate is considered valid.
The
.Ar address_list
is a comma-separated list of one or more address/netmask pairs in CIDR
format.
.El
.Pp
At present, no standard options are valid for host keys.
.Pp
Finally, certificates may be defined with a validity lifetime.
The
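Review bot: two details in the relocated list deserve a look. The no-touch-required entry keeps the doubled verb in "Do not require signatures made using this key require demonstration of user presence"; suggest "Do not require signatures made using this key to demonstrate user presence". The same entry also changes "FIDO authenticator algorithms" (the text removed from the -O entry) to "Security Key algorithms" here, a terminology change the commit message does not mention; pick one term and use it consistently across the page.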
11 ssh-keygen.c
@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.374 2019/12/10 22:37:20 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.375 2019/12/30 03:28:41 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2820,7 +2820,8 @@ main(int argc, char **argv)
int prefer_agent = 0, convert_to = 0, convert_from = 0;
int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
unsigned long long ull, cert_serial = 0;
char *identity_comment = NULL, *ca_key_path = NULL;
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
size_t i, nopts = 0;
u_int32_t bits = 0;
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
FILE *f;
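Review bot: the new opts array and the strings it holds (xstrdup'd in the 'O' case) are never released once they have been replayed through add_cert_option; since ssh-keygen exits shortly afterwards this is not a real leak, but a short free loop after consumption (or a comment saying the leak is deliberate) would make the intent clear to the next reader.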
@ -2950,7 +2951,9 @@ main(int argc, char **argv)
check_krl = 1;
break;
case 'O':
add_cert_option(optarg);
opts = xrecallocarray(opts, nopts, nopts + 1,
sizeof(*opts));
opts[nopts++] = xstrdup(optarg);
break;
case 'Z':
openssh_format_cipher = optarg;
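Review bot: deferring add_cert_option(optarg) changes when a malformed -O value is diagnosed: previously it failed during option parsing, before any other argument was acted on, whereas now the fatal() fires only after the whole command line has been processed and the CA branch is reached, so a bad -O combined with another usage error will report the other error first. That is an acceptable trade-off for the stated goal, but it is worth a sentence in the commit message. Since every future consumer of -O will need the same replay loop over opts[]/nopts, a small helper taking the array and count would avoid copy-pasting it.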
@ -3184,6 +3187,8 @@ main(int argc, char **argv)
if (ca_key_path != NULL) {
if (cert_key_id == NULL)
fatal("Must specify key id (-I) when certifying");
for (i = 0; i < nopts; i++)
add_cert_option(opts[i]);
do_ca_sign(pw, ca_key_path, prefer_agent,
cert_serial, cert_serial_autoinc, argc, argv);
}
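Review bot: missing check: with validation deferred, -O values are consumed only inside the ca_key_path != NULL branch, so in every other mode a -O argument (including a misspelled permission name) is now accepted silently, where before add_cert_option would have rejected it with fatal() during parsing. Until another consumer of opts[] exists, consider adding after this block something like `if (nopts > 0) fatal("-O options are only valid when certifying keys");` so that an operator who passes options without a CA key is told they were ignored rather than having a typo masked.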