authorDamien Miller <djm@mindrot.org>2012-12-03 09:49:52 +1100
committerDamien Miller <djm@mindrot.org>2012-12-03 09:49:52 +1100
commitcb6b68b209d8868a94a30b1a634beb1a65cb5265 (patch)
tree049f0251f5ee3f2cb2fb236ba4ee5eb37b356351
parentcf6ef137b516a9f739b6e899ec5ef7306835530b (diff)
downloadopenssh-git-cb6b68b209d8868a94a30b1a634beb1a65cb5265.tar.gz
- djm@cvs.openbsd.org 2012/12/02 20:26:11
[ssh_config.5 sshconnect2.c] Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. ok markus@
-rw-r--r--ChangeLog6
-rw-r--r--ssh_config.56
-rw-r--r--sshconnect2.c29
3 files changed, 36 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 09a095f1..199bca16 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,12 @@
20121203
- (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
TAILQ_FOREACH_SAFE needed for upcoming changes.
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2012/12/02 20:26:11
+ [ssh_config.5 sshconnect2.c]
+ Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
+ This allows control of which keys are offered from tokens using
+ IdentityFile. ok markus@
20121114
- (djm) OpenBSD CVS Sync
diff --git a/ssh_config.5 b/ssh_config.5
index d3e801df..09a3cf03 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $
-.Dd $Mdocdate: October 4 2012 $
+.\" $OpenBSD: ssh_config.5,v 1.159 2012/12/02 20:26:10 djm Exp $
+.Dd $Mdocdate: December 2 2012 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -602,6 +602,8 @@ should only use the authentication identity files configured in the
files,
even if
.Xr ssh-agent 1
+or a
+.Cm PKCS11Provider
offers more identities.
The argument to this keyword must be
.Dq yes
diff --git a/sshconnect2.c b/sshconnect2.c
index 7c369d74..6791ea34 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.190 2012/12/02 20:26:11 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1359,7 +1359,7 @@ load_identity_file(char *filename)
static void
pubkey_prepare(Authctxt *authctxt)
{
- Identity *id;
+ Identity *id, *id2, *tmp;
Idlist agent, files, *preferred;
Key *key;
AuthenticationConnection *ac;
@@ -1371,7 +1371,7 @@ pubkey_prepare(Authctxt *authctxt)
preferred = &authctxt->keys;
TAILQ_INIT(preferred); /* preferred order of keys */
- /* list of keys stored in the filesystem */
+ /* list of keys stored in the filesystem and PKCS#11 */
for (i = 0; i < options.num_identity_files; i++) {
key = options.identity_keys[i];
if (key && key->type == KEY_RSA1)
@@ -1384,6 +1384,29 @@ pubkey_prepare(Authctxt *authctxt)
id->filename = xstrdup(options.identity_files[i]);
TAILQ_INSERT_TAIL(&files, id, next);
}
+ /* Prefer PKCS11 keys that are explicitly listed */
+ TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
+ if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0)
+ continue;
+ found = 0;
+ TAILQ_FOREACH(id2, &files, next) {
+ if (id2->key == NULL ||
+ (id2->key->flags & KEY_FLAG_EXT) != 0)
+ continue;
+ if (key_equal(id->key, id2->key)) {
+ TAILQ_REMOVE(&files, id, next);
+ TAILQ_INSERT_TAIL(preferred, id, next);
+ found = 1;
+ break;
+ }
+ }
+ /* If IdentitiesOnly set and key not found then don't use it */
+ if (!found && options.identities_only) {
+ TAILQ_REMOVE(&files, id, next);
+ bzero(id, sizeof(id));
+ free(id);
+ }
+ }
/* list of keys supported by the agent */
if ((ac = ssh_get_authentication_connection())) {
for (key = ssh_get_first_identity(ac, &comment, 2);
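Review bot: The cleanup in the new IdentitiesOnly branch zeroes the wrong size and leaks the filename: `bzero(id, sizeof(id))` uses the size of the pointer, not of the Identity it points to, so only the first pointer-sized bytes of the struct are cleared, and `id->filename`, which was allocated with `xstrdup(options.identity_files[i])` a few lines above, is never released before `free(id)`. The intended lines are `free(id->filename);` followed by `bzero(id, sizeof(*id));` and then `free(id);`. The key itself appears to be `options.identity_keys[i]` rather than a private copy, so it should presumably not be freed here — worth confirming against the assignment that sits between the visible context lines. Note that the Identity struct holds only pointers, so the bzero is tidiness rather than secret scrubbing, and a plain bzero before free may be elided by the compiler anyway. pubkey_prepare begins before this hunk and continues past it.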