Message ID | 20210610173910.511809-1-void@fluix.one |
---|---|
State | New |
Series | [aurweb] Allow FIDO/U2F SSH security keys |
On 6/10/21 1:39 PM, Steven Guikal via aur-dev wrote: > These were added in OpenSSH version 8.2[1]. > > Fixes #36 > > [1]: https://www.openssh.com/txt/release-8.2 > --- > > Just a heads up that I haven't tested this and am not sure if the keys > are used anywhere else that may be affected (though a grep makes me > think they aren't). > > web/lib/acctfuncs.inc.php | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php > index df016c6d..efc08331 100644 > --- a/web/lib/acctfuncs.inc.php > +++ b/web/lib/acctfuncs.inc.php > @@ -877,7 +877,8 @@ function valid_pgp_fingerprint($fingerprint) { > function valid_ssh_pubkey($pubkey) { > $valid_prefixes = array( > "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", > - "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519" > + "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519", > + "sk-ssh-ecdsa@openssh.com", "sk-ssh-ed25519@openssh.com" > ); > > $has_valid_prefix = false; Thanks! But in aurweb/git/auth.py we check $AUR_CONFIG (defaults in conf/config.defaults) for valid-keytypes in the AuthorizedKeysCommand, I'm not 100% sure why we bother but we do.
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index df016c6d..efc08331 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -877,7 +877,8 @@ function valid_pgp_fingerprint($fingerprint) { function valid_ssh_pubkey($pubkey) { $valid_prefixes = array( "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", - "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519" + "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519", + "sk-ssh-ecdsa@openssh.com", "sk-ssh-ed25519@openssh.com" ); $has_valid_prefix = false;
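Review bot: The first prefix on the added line, "sk-ssh-ecdsa@openssh.com", is not the key type string OpenSSH writes for ECDSA security keys; those public keys begin with "sk-ecdsa-sha2-nistp256@openssh.com", so valid_ssh_pubkey() would still reject them while only the Ed25519 variant ("sk-ssh-ed25519@openssh.com") gets through. Suggest replacing that entry with "sk-ecdsa-sha2-nistp256@openssh.com" and checking it against a key generated by a FIDO token, since the submission notes the change is untested. The same two types also need to be added to the valid-keytypes default in conf/config.defaults that aurweb/git/auth.py reads, otherwise a key accepted by the web form would be dropped by the AuthorizedKeysCommand; a short comment on $valid_prefixes pointing at that setting would help keep the two lists in sync.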