Make it possible to load certs from PKCS#11 tokens

Adds a protocol extension to allow grafting certificates supplied by
ssh-add to keys loaded from PKCS#11 tokens in the agent.

feedback/ok markus@

modify parentheses in conditionals to make it clearer what is being
assigned and what is being checked

ok djm dtucker

include destination constraints for smartcard keys too.
Spotted by Luci Stanescu; ok deraadt@ markus@

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.

Add authfd path to debug output. ok markus@

ssh-add side of destination constraints

Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports sessio

ssh-add side of destination constraints

Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.

Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".

The first form permits a key to be used to authenticate as the
specified user to the specified host.

The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.

For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.

Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.

host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.

feedback Jann Horn & markus@
ok markus@

show more ...

ssh client side of binding

send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-

ssh client side of binding

send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-bind@openssh.com" agent extension.

ok markus@

show more ...

factor out common code in the agent client

Add a ssh_request_reply_decode() function that sends a message to
the agent, reads and parses a success/failure reply.
Use it for all requests that only ex

factor out common code in the agent client

Add a ssh_request_reply_decode() function that sends a message to
the agent, reads and parses a success/failure reply.
Use it for all requests that only expect success/failure

ok markus@

show more ...

whitespace; no code change

Adapt XMSS to new logging infrastructure. With markus@, ok djm@.

constify a few things; ok dtucker (as part of another diff)

ssh_fetch_identitylist() returns the return value from
ssh_request_reply() so we should also check against != 0
ok djm

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argume

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

show more ...

Allow forwarding a different agent socket to the path specified by
$SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable
i

Allow forwarding a different agent socket to the path specified by
$SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable
in addition to yes/no.

Patch by Eric Chiang, manpage by me; ok markus@

show more ...

stdarg.h required more broadly; ok djm

enable ed25519 support; ok djm

add new agent key constraint for U2F/FIDO provider

feedback & ok markus@

authfd: add function to check if key is in agent

This commit adds a helper function which allows the caller to
check if a given public key is present in ssh-agent.

work by Sebastian Kinne; ok marku

authfd: add function to check if key is in agent

This commit adds a helper function which allows the caller to
check if a given public key is present in ssh-agent.

work by Sebastian Kinne; ok markus@

show more ...

fix memleak in ssh_free_identitylist(); ok markus@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

show more ...

Add protection for private keys at rest in RAM against speculation
and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and
Rambleed. This change encrypts private keys when they are not i

Add protection for private keys at rest in RAM against speculation
and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and
Rambleed. This change encrypts private keys when they are not in use
with a symmetic key that is derived from a relatively large "prekey"
consisting of random data (currently 16KB).

Attackers must recover the entire prekey with high accuracy before
they can attempt to decrypt the shielded private key, but the current
generation of attacks have bit error rates that, when applied
cumulatively to the entire prekey, make this unlikely.

Implementation-wise, keys are encrypted "shielded" when loaded and then
automatically and transparently unshielded when used for signatures or
when being saved/serialised.

Hopefully we can remove this in a few years time when computer
architecture has become less unsafe.

been in snaps for a bit already; thanks deraadt@

ok dtucker@ deraadt@

show more ...

Request RSA-SHA2 signatures for rsa-sha2-{256|512}-cert-v01@openssh.com
cert algorithms; ok markus@

don't attempt to connect to empty SSH_AUTH_SOCK; bz#293

replace cast with call to sshbuf_mutable_ptr(); ok djm@

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ens

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

show more ...