git: 039d7ad8ee6b - stable/12 - ssh-agent: document "-O no-restrict-websafe"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 21 Jul 2023 16:15:55 UTC
The branch stable/12 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=039d7ad8ee6b6c40044123a118b037179ac7c203
commit 039d7ad8ee6b6c40044123a118b037179ac7c203
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-07-21 15:59:09 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-21 16:08:12 +0000
ssh-agent: document "-O no-restrict-websafe"
OpenSSH commits 9fd2441113fc and 4a4883664d6b, which are part of
OpenSSH 9.2p1.
Sponsored by: The FreeBSD Foundation
---
crypto/openssh/ssh-agent.1 | 27 +++++++++++++++++++++++++--
crypto/openssh/ssh-agent.c | 8 ++++----
2 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index 8844b2eb45e8..b9d28b8e103e 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.75 2022/10/07 06:00:58 jmc Exp $
.\" $FreeBSD$
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: October 7 2022 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -47,11 +47,13 @@
.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Nm ssh-agent
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
+.Op Fl O Ar option
.Op Fl P Ar allowed_providers
.Op Fl t Ar life
.Ar command Op Ar arg ...
@@ -103,6 +105,27 @@ The default is
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
+.It Fl O Ar option
+Specify an option when starting
+.Nm .
+Currently only one option is supported:
+.Cm no-restrict-websafe .
+This instructs
+.Nm
+to permit signatures using FIDO keys that might be web authentication
+requests.
+By default,
+.Nm
+refuses signature requests for FIDO keys where the key application string
+does not start with
+.Dq ssh:
+and when the data to be signed does not appear to be a
+.Xr ssh 1
+user authentication request or a
+.Xr ssh-keygen 1
+signature.
+The default behaviour prevents forwarded access to a FIDO key from also
+implicitly forwarding the ability to authenticate to websites.
.It Fl P Ar allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
authenticator middleware shared libraries that may be used with the
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 2c2c7a639907..9f376f83a798 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.292 2022/09/17 10:11:29 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.293 2022/10/07 06:00:58 jmc Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2015,9 +2015,9 @@ usage(void)
{
fprintf(stderr,
"usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- " [-P allowed_providers] [-t life]\n"
- " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
- " [-t life] command [arg ...]\n"
+ " [-O option] [-P allowed_providers] [-t life]\n"
+ " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
+ " [-P allowed_providers] [-t life] command [arg ...]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
}