- markus@cvs.openbsd.org 2001/04/17 10:53:26

     [key.c key.h readconf.c readconf.h ssh.1 sshconnect2.c]
     add HostKeyAlgorithms; based on patch from res@shore.net; ok provos@

7 files changed, 59 insertions, 9 deletions

diff --git a/ChangeLog b/ChangeLog
index f5d9863ad..011bd960d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,9 +9,12 @@
    - markus@cvs.openbsd.org 2001/04/17 08:14:01                          
      [sshconnect1.c]                                                     
      check for key!=NULL, thanks to costa  
-  - markus@cvs.openbsd.org 2001/04/17 09:52:48                          
+   - markus@cvs.openbsd.org 2001/04/17 09:52:48                          
      [clientloop.c]                                                      
      handle EINTR/EAGAIN on read; ok deraadt@
+   - markus@cvs.openbsd.org 2001/04/17 10:53:26                          
+     [key.c key.h readconf.c readconf.h ssh.1 sshconnect2.c]             
+     add HostKeyAlgorithms; based on patch from res@shore.net; ok provos@
 
 20010416
   - OpenBSD CVS Sync
@@ -5137,4 +5140,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1133 2001/04/17 18:09:42 mouring Exp $
+$Id: ChangeLog,v 1.1134 2001/04/17 18:11:36 mouring Exp $
diff --git a/key.c b/key.c
index fbd9f4efc..3b9f9f786 100644
--- a/key.c
+++ b/key.c
@@ -32,7 +32,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.24 2001/04/16 08:26:04 deraadt Exp $");
+RCSID("$OpenBSD: key.c,v 1.25 2001/04/17 10:53:24 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -629,6 +629,28 @@ key_type_from_name(char *name)
         return KEY_UNSPEC;
 }
 
+int
+key_names_valid2(const char *names)
+{
+        char *s, *cp, *p;
+
+        if (names == NULL || strcmp(names, "") == 0)
+                return 0;
+        s = cp = xstrdup(names);
+        for ((p = strsep(&cp, ",")); p && *p != '\0';
+             (p = strsep(&cp, ","))) {
+                switch (key_type_from_name(p)) {
+                case KEY_RSA1:
+                case KEY_UNSPEC:
+                        xfree(s);
+                        return 0;
+                }
+        }
+        debug3("key names ok: [%s]", names);
+        xfree(s);
+        return 1;
+}
+
 Key *
 key_from_blob(char *blob, int blen)
 {
diff --git a/key.h b/key.h
index 251c565aa..cee31c30a 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: key.h,v 1.11 2001/03/12 22:02:01 markus Exp $ */
+/*      $OpenBSD: key.h,v 1.12 2001/04/17 10:53:24 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -67,6 +67,7 @@ int	key_type_from_name(char *name);
 Key     *key_from_blob(char *blob, int blen);
 int     key_to_blob(Key *key, u_char **blobp, u_int *lenp);
 char    *key_ssh_name(Key *k);
+int     key_names_valid2(const char *names);
 
 int
 key_sign(
diff --git a/readconf.c b/readconf.c
index a14d0a55d..b30c61f28 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.75 2001/04/15 21:28:35 stevesk Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.76 2001/04/17 10:53:25 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -110,7 +110,8 @@ typedef enum {
         oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
         oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
         oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
-        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication
+        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+        oHostKeyAlgorithms
 } OpCodes;
 
 /* Textual representations of the tokens. */
@@ -175,6 +176,7 @@ static struct {
         { "loglevel", oLogLevel },
         { "dynamicforward", oDynamicForward },
         { "preferredauthentications", oPreferredAuthentications },
+        { "hostkeyalgorithms", oHostKeyAlgorithms },
         { NULL, 0 }
 };
 
@@ -527,6 +529,17 @@ parse_int:
                         options->macs = xstrdup(arg);
                 break;
 
+        case oHostKeyAlgorithms:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.", filename, linenum);
+                if (!key_names_valid2(arg))
+                        fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
+                              filename, linenum, arg ? arg : "<NONE>");
+                if (*activep && options->hostkeyalgorithms == NULL)
+                        options->hostkeyalgorithms = xstrdup(arg);
+                break;
+
         case oProtocol:
                 intptr = &options->protocol;
                 arg = strdelim(&s);
@@ -732,6 +745,7 @@ initialize_options(Options * options)
         options->cipher = -1;
         options->ciphers = NULL;
         options->macs = NULL;
+        options->hostkeyalgorithms = NULL;
         options->protocol = SSH_PROTO_UNKNOWN;
         options->num_identity_files = 0;
         options->hostname = NULL;
@@ -824,6 +838,7 @@ fill_default_options(Options * options)
                 options->cipher = SSH_CIPHER_NOT_SET;
         /* options->ciphers, default set in myproposals.h */
         /* options->macs, default set in myproposals.h */
+        /* options->hostkeyalgorithms, default set in myproposals.h */
         if (options->protocol == SSH_PROTO_UNKNOWN)
                 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
         if (options->num_identity_files == 0) {
diff --git a/readconf.h b/readconf.h
index 680068b09..9e943f905 100644
--- a/readconf.h
+++ b/readconf.h
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: readconf.h,v 1.29 2001/04/12 19:15:25 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.30 2001/04/17 10:53:25 markus Exp $"); */
 
 #ifndef READCONF_H
 #define READCONF_H
@@ -72,6 +72,7 @@ typedef struct {
         int     cipher;         /* Cipher to use. */
         char   *ciphers;        /* SSH2 ciphers in order of preference. */
         char   *macs;           /* SSH2 macs in order of preference. */
+        char   *hostkeyalgorithms;      /* SSH2 server key types in order of preference. */
         int     protocol;       /* Protocol in order of preference. */
         char   *hostname;       /* Real host to connect. */
         char   *host_key_alias; /* hostname alias for .ssh/known_hosts */
diff --git a/ssh.1 b/ssh.1
index e775d0dcb..9e0298bd3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.102 2001/04/10 09:13:22 itojun Exp $
+.\" $OpenBSD: ssh.1,v 1.103 2001/04/17 10:53:26 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -776,6 +776,11 @@ real host name when looking up or saving the host key
 in the known_hosts files.
 This option is useful for tunneling ssh connections
 or if you have multiple servers running on a single host.
+.It Cm HostKeyAlgorithms
+Specfies the protocol version 2 host key algorithms
+that the client wants to use in order of preference.
+The default for this option is:
+.Dq ssh-rsa,ssh-dss
 .It Cm HostName
 Specifies the real host name to log into.
 This can be used to specify nicknames or abbreviations for hosts.
diff --git a/sshconnect2.c b/sshconnect2.c
index 4acdd0171..baa4e7028 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.69 2001/04/15 08:43:47 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.70 2001/04/17 10:53:26 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -111,6 +111,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
                 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
         }
+        if (options.hostkeyalgorithms != NULL)
+                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+                    options.hostkeyalgorithms;
 
         /* start key exchange */
         kex = kex_setup(myproposal);