From 98b8c518fa0be65bac90e2d47388d0914f98c50f Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Tue, 18 Apr 2023 09:04:27 +0200
Subject: [PATCH] ssh: Allow to prefer on-disk keys over active card keys.

* agent/command-ssh.c (ssh_send_available_keys): Redefine the order of keys.
--
GnuPG-bug-id: 6212
---
 NEWS                |  5 +++++
 agent/command-ssh.c | 18 +++++++++++++-----
 agent/keyformat.txt |  8 +++++++-
 doc/gpg-agent.texi  | 37 ++++++++++++++++++++++++++++++++++++-
 4 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/NEWS b/NEWS
index 894743db5..bbf2ad253 100644
--- a/NEWS
+++ b/NEWS
@@ -25,10 +25,15 @@ Noteworthy changes in version 2.4.1 (unreleased)
 
 * dirmngr: The LDAP modifyTimestamp is now returned by some keyserver commands. [rG56d309133f]
 
+ * ssh: Allow specification of the order keys are presented to ssh.
+ See the man page entry for --enable-ssh-support. [T5996]
+
 * gpg: Make list-options "show-sig-subpackets" work again. Fixes regression in 2.4.0. [rG5a223303d7]
 
+ Release-info: https://dev.gnupg.org/T6454
+
 
 Noteworthy changes in version 2.4.0 (2022-12-16)
 ------------------------------------------------
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index b41177be6..51111a60d 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2648,7 +2648,8 @@ ssh_send_available_keys (ctrl_t ctrl, estream_t key_blobs, u32 *r_key_counter)
 
   /* Clamp LNR value and set the ordinal.
    * Current use of ordinals:
-   *   1..99999 - inserted cards (right now only 1)
+   *   1..999 - low value Use-for-ssh.
+   *   1000..99999 - inserted cards (right now only 1000)
    * 100000..199999 - listed in sshcontrol
    * 200000..299999 - order taken from Use-for-ssh
    */
@@ -2678,18 +2679,25 @@ ssh_send_available_keys (ctrl_t ctrl, estream_t key_blobs, u32 *r_key_counter)
            * order of card keys (which are sorted by their s/n), we
            * would need to get the use-for-ssh: value from the stub
            * file and set an appropriate ordinal. */
-          order = 1;
+          order = 1000;
         }
       else if (is_ssh)
         err = agent_public_key_from_file (ctrl, grip, &key_public);
       else /* Examine the file if it's suitable for SSH. */
         {
           err = agent_ssh_key_from_file (ctrl, grip, &key_public, &order);
-          if (order < 0 || err)
+          if (err)
             order = 0;
+          else if (order < 0)
+            {
+              order = -order;
+              if (order > 999)
+                order = 999;
+            }
           else if (order > 99999)
-            order = 99999;
-          order += 200000;
+            order = 299999;
+          else
+            order += 200000;
         }
       if (err)
         {
diff --git a/agent/keyformat.txt b/agent/keyformat.txt
index bbcaa7e2c..fbe999ca1 100644
--- a/agent/keyformat.txt
+++ b/agent/keyformat.txt
@@ -124,7 +124,13 @@ gpg-agent's ssh-agent implementation. This is thus the same as putting
 the keygrip into the 'sshcontrol' file. Only one such item should exist. If another non-zero value between 1 and 99999 is used, this is taken to establish the order in which the keys are returned to
-ssh; lower numbers are returned first.
+ssh; lower numbers are returned first. If a negative value is used
+this overrides currently active (inserted) cards and thus allows to
+prefer on-disk keys over inserted cards. A value of -1 has the
+highest priority; values are capped at -999 and have a lower priority
+but still above the positive values, inserted cards or the order in
+sshcontrol.
+
 
 *** Use-for-p11
 If given and the value is "yes" or "1" the key is allowed for use by
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index c8080c7c2..902de56f4 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
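Review bot: `order = -order;` negates before clamping, so if `order` is a plain int and agent_ssh_key_from_file can hand back INT_MIN from its number parser (not visible here), the negation is undefined behaviour rather than a capped 999; compare first and only negate in-range values, e.g. replace the four-line block with `else if (order < 0) order = (order < -999) ? 999 : -order;`. This keeps the documented semantics (-1 highest, everything beyond -999 collapsed to 999) and leaves the card ordinal 1000 distinct from the most-capped negative key, as the ordinal table comment in the previous hunk now states. The enclosing function ssh_send_available_keys starts and ends outside the hunk, so whether `order` is int or a wider type should be checked at its declaration.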
@@ -675,6 +675,39 @@ and allows the use of gpg-agent with the ssh implementation
 @command{putty}. This is similar to the regular ssh-agent support but makes use of Windows message queue as required by @command{putty}.
 
+
+The order in which keys are presented to ssh are:
+@table @code
+
+@item Negative Use-for-ssh values
+ If a key file has the attribute "Use-for-ssh" and its value is
+ negative, these keys are presented first to ssh. The negative
+ values are capped at -999 with -999 beeing lower ranked than -1.
+ These values can be used to prefer on-disk keys over keys taken
+ from active cards.
+
+@item Active cards
+ Active cards (inserted into a card reader or plugged in tokens)
+ are always tried; they are ordered by their serial numbers.
+
+@item Keys listed in the sshcontrol file
+ Non-disabled keys from the sshcontrol file are presented in the
+ order they appear in this file. Note that the sshcontrol file
+ is deprecated.
+
+@item Positive Use-for-ssh values
+ If a key file has the attribute "Use-for-ssh" and its value is
+ "yes", "true", or any positive number the key is presented in
+ the order of their values. "yes" and "true" have a value of 1;
+ other values are capped at 99999.
+
+@end table
+
+Editing the "Use-for-ssh" values can be done with an editor or using
+@command{gpg-connect-agent} and "KEYATTR" (Remember to append a colon
+to the key; i.e. use "Use-for-ssh:").
+
+
 @anchor{option --ssh-fingerprint-digest}
 @item --ssh-fingerprint-digest
 @opindex ssh-fingerprint-digest
@@ -827,6 +860,9 @@ This file is used when support for the secure shell agent protocol
 has been enabled (@pxref{option --enable-ssh-support}). Only keys present in this file are used in the SSH protocol. You should backup this file.
+This file is deprecated in favor of the "Use-for-ssh" attribute in the
+key files.
+
 The @command{ssh-add} tool may be used to add new entries to this file; you may also add them manually. Comment lines, indicated by a leading hash mark, as well as empty lines are ignored. An entry starts with
@@ -872,7 +908,6 @@ users start up with a working configuration. For existing users the
 a small helper script is provided to create these files (@pxref{addgnupghome}).
 
-
 @c
 @c Agent Signals
 @c