Disallow remote addition of FIDO/PKCS11 provider libraries to
author djm <djm@openbsd.org>
Wed, 19 Jul 2023 13:56:33 +0000 (13:56 +0000)
committer djm <djm@openbsd.org>
Wed, 19 Jul 2023 13:56:33 +0000 (13:56 +0000)
commit 7bc29a9d5cd697290aa056e94ecee6253d3425f8
tree 2032b683c1f358de7c32c065197add6589e94fda
parent f03a4faa55c4ce0818324701dadbf91988d7351d
Disallow remote addition of FIDO/PKCS11 provider libraries to
ssh-agent by default.

The old behaviour of allowing remote clients to load providers
can be restored using `ssh-agent -O allow-remote-pkcs11`.

Detection of local/remote clients requires a ssh(1) that supports
the `session-bind@openssh.com` extension. Forwarding access to a
ssh-agent socket using non-OpenSSH tools may circumvent this control.

ok markus@
usr.bin/ssh/ssh-agent.1
usr.bin/ssh/ssh-agent.c
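A simplified model of the control described in the commit message above, added here as an illustration and not OpenSSH's own code: it decodes the body of a `session-bind@openssh.com` extension request in SSH wire format (string hostkey, string session id, string signature, boolean is-forwarding, as described in the agent protocol), treats a connection as remote once a binding has been recorded, and refuses provider loading on remote connections unless `allow-remote-pkcs11` is set. The signature check the real agent performs on the binding is omitted, and the class and function names are assumptions. A client that never sends `session-bind` (a non-OpenSSH forwarder) is never classified as remote, which is the caveat the message ends with.

```python
import struct

# Agent protocol reply codes (SSH_AGENT_FAILURE = 5, SSH_AGENT_SUCCESS = 6).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SESSION_BIND = b"session-bind@openssh.com"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH wire string at offset; return (data, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def session_bind_body(hostkey: bytes, session_id: bytes,
                      signature: bytes, forwarding: bool) -> bytes:
    """Build an extension-request body as ssh(1) would send it (constructed sample)."""
    return (ssh_string(SESSION_BIND) + ssh_string(hostkey) +
            ssh_string(session_id) + ssh_string(signature) +
            bytes([1 if forwarding else 0]))


class AgentConn:
    """Per-client connection state of a simplified agent (hypothetical model)."""

    def __init__(self, allow_remote_pkcs11: bool = False):
        self.allow_remote_pkcs11 = allow_remote_pkcs11  # ssh-agent -O allow-remote-pkcs11
        self.session_ids = []  # one (hostkey, session_id, forwarding) per binding received

    def process_extension(self, body: bytes) -> int:
        name, off = read_string(body, 0)
        if name != SESSION_BIND:
            return SSH_AGENT_FAILURE  # unknown extension
        hostkey, off = read_string(body, off)
        sid, off = read_string(body, off)
        _sig, off = read_string(body, off)  # signature verification omitted in this model
        forwarding = body[off] != 0
        self.session_ids.append((hostkey, sid, forwarding))
        return SSH_AGENT_SUCCESS

    def is_remote(self) -> bool:
        # ssh(1) only binds sessions it is forwarding the agent through: any
        # recorded binding means requests now arrive from a remote host.
        return len(self.session_ids) > 0

    def add_provider(self, provider_path: str) -> int:
        """Handle a request to load a PKCS#11/FIDO provider library."""
        if self.is_remote() and not self.allow_remote_pkcs11:
            return SSH_AGENT_FAILURE  # default: remote clients may not load providers
        return SSH_AGENT_SUCCESS
```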