Hello,
In testing security key support in OpenSSH 8.2, I had some trouble making the
"no-touch-required" option in the authorized_keys file work in conjunction with
OpenSSH certificates. I think I've figured it out, but I think there may be a
bug in ssh-keygen related to this.

To make "no-touch-required" work with certificates, I actually had to do three
things:

1. Generate the security key with touch disabled
2. Add "no-touch-required" as an extension when generating the certificate for
   this key
3. Add "no-touch-required" (along with "cert-authority") in the authorized key
   entry on the server for the CA which signed the certificate
I would have expected that trusting a CA in authorized_keys along with the
certificate having "no-touch-required" set to be enough to accept the key,
without having to further override that explicitly in the authorized_keys entry.
However, I can accept that you might want extra confirmation on the server that
this certificate option should be trusted. Alternately, once that option was set
in authorized_keys, I would have expected keys which don't require presence to
be accepted even without the certificate "no-touch-required" being set, similar
to the non-certificate case.

Is that the intended behavior, to reject keys without presence unless BOTH
options are set (in addition to the key itself not requiring presence)?
The other issue I ran across is that specifying "-O no-touch-required" when
generating the certificate didn't work, despite that being documented in the man
page. It appears that ssh-keygen treats this keyword as an unknown "critical"
value, rather than an "extension". So, the generated certificate ended up
looking something like:

        Critical Options:
                no-touch-required UNKNOWN OPTION (len 0)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
To get it to be an extension, I had to use "-O extension:no-touch-required" as
the option to ssh-keygen. Then, I saw:

        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
                no-touch-required

I'm guessing this is not the intended behavior, and that "no-touch-required"
should have been recognized as an extension without the "extension:" prefix,
just like the other options such as "no-agent-forwarding".
--
Ron Frederick
ronf at timeheart.net
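An added example, not from this thread or from OpenSSH: a small parser for the OpenSSH certificate blob that reports whether no-touch-required landed in the critical-options section (the ssh-keygen 8.2 behaviour described above) or in the extensions section (the documented behaviour). It assumes the field layout from PROTOCOL.certkeys, skips signature checking, and builds its own unsigned, constructed certificates with placeholder key material so it runs offline.

```python
import base64
import struct

# SSH "string" fields between the type name and "serial" (nonce, [curve,] public key, [application]).
PREFIX_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 2, "sk-ssh-ed25519-cert-v01@openssh.com": 3,
                 "ecdsa-sha2-nistp256-cert-v01@openssh.com": 3,
                 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com": 4}

def _string(buf, off):
    """Read one length-prefixed SSH string at off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(*parts):
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)  # each part as an SSH string

def _options(blob):
    """Decode a critical-options or extensions section into {name: data}."""
    out, off = {}, 0
    while off < len(blob):
        name, off = _string(blob, off)
        data, off = _string(blob, off)
        out[name.decode()] = data
    return out

def parse_cert(line):
    """Parse one *-cert.pub line into key id, critical options and extensions (no signature check)."""
    kind, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    typ, off = _string(buf, 0)
    assert typ.decode() == kind, "certificate body does not match its declared type"
    for _ in range(PREFIX_FIELDS[kind]): _, off = _string(buf, off)
    off += 8 + 4                   # serial (uint64), type (uint32)
    key_id, off = _string(buf, off)
    _, off = _string(buf, off)     # valid principals
    off += 8 + 8                   # valid_after, valid_before
    critical, off = _string(buf, off)
    extensions, off = _string(buf, off)
    return {"key_id": key_id.decode(), "critical": _options(critical), "extensions": _options(extensions)}

def touch_policy(cert):
    """Where no-touch-required landed: 'extension' (documented), 'critical' (the 8.2 bug) or None."""
    if "no-touch-required" in cert["extensions"]:
        return "extension"
    return "critical" if "no-touch-required" in cert["critical"] else None

def build_cert(kind, key_id, critical, extensions):
    """Constructed, unsigned certificate with the real field layout and placeholder key/signature."""
    flags = lambda names: b"".join(_pack(n.encode(), b"") for n in names)  # flag options carry empty data
    body = _pack(kind.encode(), *([b"\x00" * 32] * PREFIX_FIELDS[kind]))
    body += struct.pack(">QI", 1, 1)                                        # serial 1, type 1 = user cert
    body += _pack(key_id.encode(), b"") + struct.pack(">QQ", 0, 2**64 - 1)  # no principals, always valid
    body += _pack(flags(critical), flags(extensions), b"", b"", b"")        # reserved, CA key, signature
    return kind + " " + base64.b64encode(body).decode() + " constructed-example"
```

Pointing parse_cert at a real id_ecdsa_sk-cert.pub line works the same way, since only the options sections are interpreted.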
On Mon, 17 Feb 2020, Ron Frederick wrote:

> The other issue I ran across is that specifying "-O no-touch-required"
> when generating the certificate didn't work, despite that being
> documented in the man page. It appears that ssh-keygen treats this
> keyword as an unknown "critical" value, rather than an "extension".
> So, the generated certificate ended up looking something like:
>
> Critical Options:
> no-touch-required UNKNOWN OPTION (len 0)

This should fix that problem. I'll take a look at the others separately.

Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.398
diff -u -p -r1.398 ssh-keygen.c
--- ssh-keygen.c	7 Feb 2020 03:27:54 -0000	1.398
+++ ssh-keygen.c	18 Feb 2020 05:43:41 -0000
@@ -1656,7 +1656,7 @@ prepare_options_buf(struct sshbuf *c, in
 	if ((which & OPTIONS_EXTENSIONS) != 0 &&
 	    (certflags_flags & CERTOPT_USER_RC) != 0)
 		add_flag_option(c, "permit-user-rc");
-	if ((which & OPTIONS_CRITICAL) != 0 &&
+	if ((which & OPTIONS_EXTENSIONS) != 0 &&
 	    (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
 		add_flag_option(c, "no-touch-required");
 	if ((which & OPTIONS_CRITICAL) != 0 &&
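Review bot: the mask change is the right fix but nothing in the hunk guards against it regressing; suggest a regress/ case that signs a key with `-O no-touch-required` and checks that `ssh-keygen -L` lists it under `Extensions:` rather than as `no-touch-required UNKNOWN OPTION` under `Critical Options:`, the exact symptom in the quoted report, and that `-O extension:no-touch-required` now yields an identical certificate. The placement is consistent with the rest of prepare_options_buf: the flag now sits with the other extension flags and the trailing context line `if ((which & OPTIONS_CRITICAL) != 0 &&` opens the critical group. The commit message should also say why the direction matters: a critical option a server does not recognise causes the certificate to be rejected, while an unrecognised extension is ignored, so the 8.2 output was failing closed, and the authorized_keys-side `no-touch-required` that Ron describes earlier in the thread is still what lets the option take effect on the server.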
On Feb 17, 2020, at 9:43 PM, Damien Miller <djm at mindrot.org> wrote:

> On Mon, 17 Feb 2020, Ron Frederick wrote:
>
>> The other issue I ran across is that specifying "-O no-touch-required"
>> when generating the certificate didn't work, despite that being
>> documented in the man page. It appears that ssh-keygen treats this
>> keyword as an unknown "critical" value, rather than an "extension".
>> So, the generated certificate ended up looking something like:
>>
>> Critical Options:
>> no-touch-required UNKNOWN OPTION (len 0)
>
> This should fix that problem. I'll take a look at the others separately.
>
>
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
> retrieving revision 1.398
> diff -u -p -r1.398 ssh-keygen.c
> --- ssh-keygen.c	7 Feb 2020 03:27:54 -0000	1.398
> +++ ssh-keygen.c	18 Feb 2020 05:43:41 -0000
> @@ -1656,7 +1656,7 @@ prepare_options_buf(struct sshbuf *c, in
>  	if ((which & OPTIONS_EXTENSIONS) != 0 &&
>  	    (certflags_flags & CERTOPT_USER_RC) != 0)
>  		add_flag_option(c, "permit-user-rc");
> -	if ((which & OPTIONS_CRITICAL) != 0 &&
> +	if ((which & OPTIONS_EXTENSIONS) != 0 &&
>  	    (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
>  		add_flag_option(c, "no-touch-required");
>  	if ((which & OPTIONS_CRITICAL) != 0 &&

Thanks - that does indeed seem to fix the problem of needing to add "extension:"
explicitly.

--
Ron Frederick
ronf at timeheart.net