git: 56749f05dbfd - stable/12 - ssh: disallow loading PKCS#11 modules by default
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 21 Jul 2023 16:36:52 UTC
The branch stable/12 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=56749f05dbfdb003aeb5639ef5f9b8af8f5e65ba
commit 56749f05dbfdb003aeb5639ef5f9b8af8f5e65ba
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-07-19 17:02:33 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-21 16:25:51 +0000
ssh: disallow loading PKCS#11 modules by default
This is the rest of the OpenSSH 9.3p2 change to address CVE-2023-38408.
From the release notes:
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
Security: CVE-2023-38408
Sponsored by: The FreeBSD Foundation
---
crypto/openssh/ssh-agent.1 | 22 ++++++++++++++++++++--
crypto/openssh/ssh-agent.c | 21 ++++++++++++++++++++-
2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index b9d28b8e103e..a0ea506bdc93 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -108,9 +108,27 @@ environment variable).
.It Fl O Ar option
Specify an option when starting
.Nm .
-Currently only one option is supported:
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
.Cm no-restrict-websafe .
-This instructs
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
.Nm
to permit signatures using FIDO keys that might be web authentication
requests.
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 9f376f83a798..0e218390a21c 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -172,6 +172,12 @@ char socket_dir[PATH_MAX];
/* Pattern-list of allowed PKCS#11/Security key paths */
static char *allowed_providers;
+/*
+ * Allows PKCS11 providers or SK keys that use non-internal providers to
+ * be added over a remote connection (identified by session-bind@openssh.com).
+ */
+static int remote_add_provider;
+
/* locking */
#define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16
@@ -1249,6 +1255,12 @@ process_add_identity(SocketEntry *e)
if (strcasecmp(sk_provider, "internal") == 0) {
debug_f("internal provider");
} else {
+ if (e->nsession_ids != 0 && !remote_add_provider) {
+ verbose("failed add of SK provider \"%.100s\": "
+ "remote addition of providers is disabled",
+ sk_provider);
+ goto out;
+ }
if (realpath(sk_provider, canonical_provider) == NULL) {
verbose("failed provider \"%.100s\": "
"realpath: %s", sk_provider,
@@ -1412,6 +1424,11 @@ process_add_smartcard_key(SocketEntry *e)
error_f("failed to parse constraints");
goto send;
}
+ if (e->nsession_ids != 0 && !remote_add_provider) {
+ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+ "providers is disabled", provider);
+ goto send;
+ }
if (realpath(provider, canonical_provider) == NULL) {
verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
provider, strerror(errno));
@@ -2077,7 +2094,9 @@ main(int ac, char **av)
break;
case 'O':
if (strcmp(optarg, "no-restrict-websafe") == 0)
- restrict_websafe = 0;
+ restrict_websafe = 0;
+ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
+ remote_add_provider = 1;
else
fatal("Unknown -O option");
break;