CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2023/07/19 08:08:59
Modified files:
usr.bin/ssh : Tag: OPENBSD_7_2 ssh-agent.1 ssh-agent.c ssh-pkcs11.c
Log message:
Disallow remote addition of FIDO/PKCS11 provider libraries to
ssh-agent by default.
The old behaviour of allowing remote clients to load providers
can be restored using `ssh-agent -O allow-remote-pkcs11`.
Detection of local/remote clients requires a ssh(1) that supports
the `[email protected]` extension. Forwarding access to a
ssh-agent socket using non-OpenSSH tools may circumvent this control.
from djm@; ok markus@
terminate process if requested to load a PKCS#11 provider that
isn't a PKCS#11 provider; from / ok markus@
from djm@
this is errata/7.2/032_ssh_agent.patch.sig
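
An added example (not part of the commit or the OpenSSH source): a shell check that flags ssh-agent processes started with the `-O allow-remote-pkcs11` opt-out named in the log message. The function names and the sample process listing are constructed for illustration.

```sh
#!/bin/sh
# Input: one process per line, "PID COMMAND ARGS...".
# Output: PIDs of ssh-agent processes that re-enable remote provider loading.
find_remote_pkcs11_agents() {
    awk '
    {
        # Field 2 is argv[0]; compare its basename so a full path also matches.
        n = split($2, parts, "/")
        if (parts[n] != "ssh-agent") next
        for (i = 3; i <= NF; i++) {
            # getopt accepts both "-O value" and "-Ovalue".
            if ($i == "-Oallow-remote-pkcs11" ||
                ($i == "-O" && $(i + 1) == "allow-remote-pkcs11")) {
                print $1
                next
            }
        }
    }'
}

# Constructed sample process listing (not real output).
sample_listing() {
    cat <<'EOF'
  412 /usr/bin/ssh-agent -s
  977 ssh-agent -O allow-remote-pkcs11 -a /tmp/agent.sock
 1203 /usr/bin/ssh-agent -Oallow-remote-pkcs11
 1544 vi notes-on-ssh-agent -O allow-remote-pkcs11
 1600 /usr/bin/ssh-agent -t 3600
EOF
}

# Live use (assumption: the local ps accepts these flags):
#   ps -axo pid=,args= | find_remote_pkcs11_agents
sample_listing | find_remote_pkcs11_agents
```

Any PID reported is an agent running with the pre-errata behaviour and is worth reviewing wherever agent forwarding is in use.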