From nobody Fri Jul 21 16:36:52 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4R6wF05xMkz4dX6X; Fri, 21 Jul 2023 16:36:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4R6wF05W9Cz4kqL; Fri, 21 Jul 2023 16:36:52 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1689957412; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=E2t7R/uumZ2+dp8VBlwnUSU55JkN7IQLbiEbq7uxe4A=; b=WBZzo8yKLRVPlZwAwEYeJN9/nx7pIcY6vmwJV08VGeDEVT/FpJRnfGHp+4mCSptB7IR6By 04L78C6d5Y013Ug0IJpc9IChkUBv//jdhayTl0gtqAhdKiXFSAtmdUxU2Qk/8SabZBfe8Q JDUmz6V0ypvcfFVpYbmZSQT786dS4mGwSkZ5t76e1+f4TSRGtRY6fX4IjUXderhiWc3InC YrGF2yY0/vZ+guciiHlQNuez21KmCl+S+aDtV1X5ARf52DPJ/r3SyNMurjpjgEQBFPJX/k juBGuHhPU/gRAuxv6wCNtaCOhYFgxsREPxkgbWKszruxrfxVmXFZyiHRiz74xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1689957412; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=E2t7R/uumZ2+dp8VBlwnUSU55JkN7IQLbiEbq7uxe4A=; b=YdX/Z8gCJFfYPqAQUUF362g6nGBIsZWXjsR9L0OY9KDkrpdAtJwKjAqVVtmZPPjmSbulf8 AdV3Ek4TwEsmv1wSYQADTNsYN+PmrtcgaaNkTA/u9bLl2gcpzqgrcnammdMJ3PHQ+j3EMV vCA4Jknekqye7heXYlCZ7aKBpTBL+DArgDLdcHR1s/7jkPRR3FwjFq/zUhq+rh2xGcMSYz x4GRsctUhNBHAXqFZg2uh8j4+ZTsbcETf3mFOZsPndPG2T5AImEgiscsBr9TkYR0jKFUJB 8O/FK2XfrQiS1ztWGMf+emjzrlgQfQcEPFSGQtpZiTJc3TvBKUokRC8UJ5K2nA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1689957412; a=rsa-sha256; cv=none; b=m+87yPqs4Bhvmw9DOe+SOsdcfidxG05Pc4TlL2zgZbEk03mTTIdIgwh3I1t3fTgjovNbWF 5UDmF3hvkXz887LGDAfywci0lx4x/PKEZP4ExeQV494QJmgsgGFcdO2UW56/7DTpbZPAYa mzUYJM5Mieaf7ZJk9mUwmn8RmD/ZNP0x2QpKri9zvD+QNqejP92+ZHIdEaH960Qxxyiwqt qVFtWxS4Wm5GoEMPguXKB3rTDCrFOU7pEez4lzPmxnUC3YTk+csrHgfkyVpdSilXT/Ct0k fms25DyAFIjbCZ9rlRxDLcNHJPHrIXzJ8Mt1YDL2azdE+oDA/h3456lt4QjXgA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4R6wF04XBbzKZc; Fri, 21 Jul 2023 16:36:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 36LGaqbP008637; Fri, 21 Jul 2023 16:36:52 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 36LGaqd6008636; Fri, 21 Jul 2023 16:36:52 GMT (envelope-from git) Date: Fri, 21 Jul 2023 16:36:52 GMT Message-Id: <202307211636.36LGaqd6008636@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 56749f05dbfd - stable/12 - ssh: disallow loading PKCS#11 modules by default List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 56749f05dbfdb003aeb5639ef5f9b8af8f5e65ba Auto-Submitted: auto-generated The branch stable/12 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=56749f05dbfdb003aeb5639ef5f9b8af8f5e65ba commit 56749f05dbfdb003aeb5639ef5f9b8af8f5e65ba Author: Ed Maste AuthorDate: 2023-07-19 17:02:33 +0000 Commit: Ed Maste CommitDate: 2023-07-21 16:25:51 +0000 ssh: disallow loading PKCS#11 modules by default This is the rest of the OpenSSH 9.3p2 change to address CVE-2023-38408. From the release notes: * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. Security: CVE-2023-38408 Sponsored by: The FreeBSD Foundation --- crypto/openssh/ssh-agent.1 | 22 ++++++++++++++++++++-- crypto/openssh/ssh-agent.c | 21 ++++++++++++++++++++- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1 index b9d28b8e103e..a0ea506bdc93 100644 --- a/crypto/openssh/ssh-agent.1 +++ b/crypto/openssh/ssh-agent.1 @@ -108,9 +108,27 @@ environment variable). .It Fl O Ar option Specify an option when starting .Nm . -Currently only one option is supported: +Currently two options are supported: +.Cm allow-remote-pkcs11 +and .Cm no-restrict-websafe . -This instructs +.Pp +The +.Cm allow-remote-pkcs11 +option allows clients of a forwarded +.Nm +to load PKCS#11 or FIDO provider libraries. +By default only local clients may perform this operation. +Note that signalling that a +.Nm +client remote is performed by +.Xr ssh 1 , +and use of other tools to forward access to the agent socket may circumvent +this restriction. +.Pp +The +.Cm no-restrict-websafe , +instructs .Nm to permit signatures using FIDO keys that might be web authentication requests. diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index 9f376f83a798..0e218390a21c 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -172,6 +172,12 @@ char socket_dir[PATH_MAX]; /* Pattern-list of allowed PKCS#11/Security key paths */ static char *allowed_providers; +/* + * Allows PKCS11 providers or SK keys that use non-internal providers to + * be added over a remote connection (identified by session-bind@openssh.com). + */ +static int remote_add_provider; + /* locking */ #define LOCK_SIZE 32 #define LOCK_SALT_SIZE 16 @@ -1249,6 +1255,12 @@ process_add_identity(SocketEntry *e) if (strcasecmp(sk_provider, "internal") == 0) { debug_f("internal provider"); } else { + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed add of SK provider \"%.100s\": " + "remote addition of providers is disabled", + sk_provider); + goto out; + } if (realpath(sk_provider, canonical_provider) == NULL) { verbose("failed provider \"%.100s\": " "realpath: %s", sk_provider, @@ -1412,6 +1424,11 @@ process_add_smartcard_key(SocketEntry *e) error_f("failed to parse constraints"); goto send; } + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " + "providers is disabled", provider); + goto send; + } if (realpath(provider, canonical_provider) == NULL) { verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", provider, strerror(errno)); @@ -2077,7 +2094,9 @@ main(int ac, char **av) break; case 'O': if (strcmp(optarg, "no-restrict-websafe") == 0) - restrict_websafe = 0; + restrict_websafe = 0; + else if (strcmp(optarg, "allow-remote-pkcs11") == 0) + remote_add_provider = 1; else fatal("Unknown -O option"); break;