From 5c06b89189eb27f692b900526d60bf744918511e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 7 Jul 2023 13:30:15 +1000 Subject: disallow remote addition of FIDO/PKCS11 keys Depends on the local client performing the session-bind@openssh.com operation, so non-OpenSSH local client may circumvent this. Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d7790cdce72a1b6982795baa2b4d6f0bdbb0100d Last-Update: 2023-09-17 Patch-Name: CVE-2023-38408-2.patch --- ssh-agent.1 | 22 ++++++++++++++++++++-- ssh-agent.c | 21 ++++++++++++++++++++- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/ssh-agent.1 b/ssh-agent.1 index ba418bb41..0e5b6c15c 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -107,9 +107,27 @@ environment variable). .It Fl O Ar option Specify an option when starting .Nm . -Currently only one option is supported: +Currently two options are supported: +.Cm allow-remote-pkcs11 +and .Cm no-restrict-websafe . -This instructs +.Pp +The +.Cm allow-remote-pkcs11 +option allows clients of a forwarded +.Nm +to load PKCS#11 or FIDO provider libraries. +By default only local clients may perform this operation. +Note that signalling that a +.Nm +client remote is performed by +.Xr ssh 1 , +and use of other tools to forward access to the agent socket may circumvent +this restriction. +.Pp +The +.Cm no-restrict-websafe , +instructs .Nm to permit signatures using FIDO keys that might be web authentication requests. diff --git a/ssh-agent.c b/ssh-agent.c index 63e1137bc..dce2849d8 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -170,6 +170,12 @@ char socket_dir[PATH_MAX]; /* Pattern-list of allowed PKCS#11/Security key paths */ static char *allowed_providers; +/* + * Allows PKCS11 providers or SK keys that use non-internal providers to + * be added over a remote connection (identified by session-bind@openssh.com). + */ +static int remote_add_provider; + /* locking */ #define LOCK_SIZE 32 #define LOCK_SALT_SIZE 16 @@ -1229,6 +1235,12 @@ process_add_identity(SocketEntry *e) if (strcasecmp(sk_provider, "internal") == 0) { debug_f("internal provider"); } else { + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed add of SK provider \"%.100s\": " + "remote addition of providers is disabled", + sk_provider); + goto out; + } if (realpath(sk_provider, canonical_provider) == NULL) { verbose("failed provider \"%.100s\": " "realpath: %s", sk_provider, @@ -1392,6 +1404,11 @@ process_add_smartcard_key(SocketEntry *e) error_f("failed to parse constraints"); goto send; } + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " + "providers is disabled", provider); + goto send; + } if (realpath(provider, canonical_provider) == NULL) { verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", provider, strerror(errno)); @@ -2052,7 +2069,9 @@ main(int ac, char **av) break; case 'O': if (strcmp(optarg, "no-restrict-websafe") == 0) - restrict_websafe = 0; + restrict_websafe = 0; + else if (strcmp(optarg, "allow-remote-pkcs11") == 0) + remote_add_provider = 1; else fatal("Unknown -O option"); break;