diff options
author | Damien Miller <djm@mindrot.org> | 2010-09-24 22:11:14 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-09-24 22:11:14 +1000 |
commit | d5f62bf280b0798d7009d4424594a648a4e887fb (patch) | |
tree | 5f18078ea61f6c5503dc4addfb2f17d13844692c | |
parent | 603134e077e667b4819effb0e121803842df621f (diff) |
- djm@cvs.openbsd.org 2010/09/22 05:01:30
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
[servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.
ok markus@
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | kex.c | 30 | ||||
-rw-r--r-- | kex.h | 7 | ||||
-rw-r--r-- | kexecdh.c | 12 | ||||
-rw-r--r-- | kexecdhc.c | 5 | ||||
-rw-r--r-- | kexecdhs.c | 5 | ||||
-rw-r--r-- | readconf.c | 18 | ||||
-rw-r--r-- | readconf.h | 3 | ||||
-rw-r--r-- | servconf.c | 17 | ||||
-rw-r--r-- | servconf.h | 3 | ||||
-rw-r--r-- | ssh_config.5 | 15 | ||||
-rw-r--r-- | sshconnect2.c | 4 | ||||
-rw-r--r-- | sshd.c | 4 | ||||
-rw-r--r-- | sshd_config.5 | 15 |
14 files changed, 120 insertions, 25 deletions
@@ -31,6 +31,13 @@ | |||
31 | either ready or stale without races. stale server sockets are now | 31 | either ready or stale without races. stale server sockets are now |
32 | automatically removed | 32 | automatically removed |
33 | ok deraadt | 33 | ok deraadt |
34 | - djm@cvs.openbsd.org 2010/09/22 05:01:30 | ||
35 | [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] | ||
36 | [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] | ||
37 | add a KexAlgorithms knob to the client and server configuration to allow | ||
38 | selection of which key exchange methods are used by ssh(1) and sshd(8) | ||
39 | and their order of preference. | ||
40 | ok markus@ | ||
34 | 41 | ||
35 | 20100910 | 42 | 20100910 |
36 | - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact | 43 | - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.c,v 1.85 2010/09/09 10:45:45 djm Exp $ */ | 1 | /* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -62,6 +62,34 @@ extern const EVP_MD *evp_ssh_sha256(void); | |||
62 | static void kex_kexinit_finish(Kex *); | 62 | static void kex_kexinit_finish(Kex *); |
63 | static void kex_choose_conf(Kex *); | 63 | static void kex_choose_conf(Kex *); |
64 | 64 | ||
65 | /* Validate KEX method name list */ | ||
66 | int | ||
67 | kex_names_valid(const char *names) | ||
68 | { | ||
69 | char *s, *cp, *p; | ||
70 | |||
71 | if (names == NULL || strcmp(names, "") == 0) | ||
72 | return 0; | ||
73 | s = cp = xstrdup(names); | ||
74 | for ((p = strsep(&cp, ",")); p && *p != '\0'; | ||
75 | (p = strsep(&cp, ","))) { | ||
76 | if (strcmp(p, KEX_DHGEX_SHA256) != 0 && | ||
77 | strcmp(p, KEX_DHGEX_SHA1) != 0 && | ||
78 | strcmp(p, KEX_DH14) != 0 && | ||
79 | strcmp(p, KEX_DH1) != 0 && | ||
80 | (strncmp(p, KEX_ECDH_SHA2_STEM, | ||
81 | sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 || | ||
82 | kex_ecdh_name_to_nid(p) == -1)) { | ||
83 | error("Unsupported KEX algorithm \"%.100s\"", p); | ||
84 | xfree(s); | ||
85 | return 0; | ||
86 | } | ||
87 | } | ||
88 | debug3("kex names ok: [%s]", names); | ||
89 | xfree(s); | ||
90 | return 1; | ||
91 | } | ||
92 | |||
65 | /* put algorithm proposal into buffer */ | 93 | /* put algorithm proposal into buffer */ |
66 | static void | 94 | static void |
67 | kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) | 95 | kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.h,v 1.51 2010/09/09 10:45:45 djm Exp $ */ | 1 | /* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
@@ -138,6 +138,8 @@ struct Kex { | |||
138 | void (*kex[KEX_MAX])(Kex *); | 138 | void (*kex[KEX_MAX])(Kex *); |
139 | }; | 139 | }; |
140 | 140 | ||
141 | int kex_names_valid(const char *); | ||
142 | |||
141 | Kex *kex_setup(char *[PROPOSAL_MAX]); | 143 | Kex *kex_setup(char *[PROPOSAL_MAX]); |
142 | void kex_finish(Kex *); | 144 | void kex_finish(Kex *); |
143 | 145 | ||
@@ -169,7 +171,8 @@ kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, | |||
169 | int kex_ecdh_name_to_nid(const char *); | 171 | int kex_ecdh_name_to_nid(const char *); |
170 | const EVP_MD *kex_ecdh_name_to_evpmd(const char *); | 172 | const EVP_MD *kex_ecdh_name_to_evpmd(const char *); |
171 | #else | 173 | #else |
172 | # define kex_ecdh_name_to_evpmd(x) NULL | 174 | # define kex_ecdh_name_to_nid(x) (-1) |
175 | # define kex_ecdh_name_to_evpmd(x) (NULL) | ||
173 | #endif | 176 | #endif |
174 | 177 | ||
175 | void | 178 | void |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kexecdh.c,v 1.2 2010/09/09 10:45:45 djm Exp $ */ | 1 | /* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2010 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2010 Damien Miller. All rights reserved. |
@@ -48,15 +48,9 @@ | |||
48 | int | 48 | int |
49 | kex_ecdh_name_to_nid(const char *kexname) | 49 | kex_ecdh_name_to_nid(const char *kexname) |
50 | { | 50 | { |
51 | int ret; | ||
52 | |||
53 | if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1) | 51 | if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1) |
54 | fatal("%s: kexname too short \"%s\"", __func__, kexname); | 52 | fatal("%s: kexname too short \"%s\"", __func__, kexname); |
55 | ret = key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); | 53 | return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); |
56 | if (ret == -1) | ||
57 | fatal("%s: unsupported curve negotiated \"%s\"", __func__, | ||
58 | kexname); | ||
59 | return ret; | ||
60 | } | 54 | } |
61 | 55 | ||
62 | const EVP_MD * | 56 | const EVP_MD * |
@@ -64,6 +58,8 @@ kex_ecdh_name_to_evpmd(const char *kexname) | |||
64 | { | 58 | { |
65 | int nid = kex_ecdh_name_to_nid(kexname); | 59 | int nid = kex_ecdh_name_to_nid(kexname); |
66 | 60 | ||
61 | if (nid == -1) | ||
62 | fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname); | ||
67 | return key_ec_nid_to_evpmd(nid); | 63 | return key_ec_nid_to_evpmd(nid); |
68 | } | 64 | } |
69 | 65 | ||
diff --git a/kexecdhc.c b/kexecdhc.c index 297a0e5a9..115d4bf83 100644 --- a/kexecdhc.c +++ b/kexecdhc.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kexecdhc.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ | 1 | /* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2010 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2010 Damien Miller. All rights reserved. |
@@ -59,7 +59,8 @@ kexecdh_client(Kex *kex) | |||
59 | u_int klen, slen, sbloblen, hashlen; | 59 | u_int klen, slen, sbloblen, hashlen; |
60 | int curve_nid; | 60 | int curve_nid; |
61 | 61 | ||
62 | curve_nid = kex_ecdh_name_to_nid(kex->name); | 62 | if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) |
63 | fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); | ||
63 | if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) | 64 | if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) |
64 | fatal("%s: EC_KEY_new_by_curve_name failed", __func__); | 65 | fatal("%s: EC_KEY_new_by_curve_name failed", __func__); |
65 | if (EC_KEY_generate_key(client_key) != 1) | 66 | if (EC_KEY_generate_key(client_key) != 1) |
diff --git a/kexecdhs.c b/kexecdhs.c index d2c3feb09..8c515dfa6 100644 --- a/kexecdhs.c +++ b/kexecdhs.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kexecdhs.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ | 1 | /* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2010 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2010 Damien Miller. All rights reserved. |
@@ -61,7 +61,8 @@ kexecdh_server(Kex *kex) | |||
61 | u_int klen, slen, sbloblen, hashlen; | 61 | u_int klen, slen, sbloblen, hashlen; |
62 | int curve_nid; | 62 | int curve_nid; |
63 | 63 | ||
64 | curve_nid = kex_ecdh_name_to_nid(kex->name); | 64 | if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) |
65 | fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); | ||
65 | if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) | 66 | if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) |
66 | fatal("%s: EC_KEY_new_by_curve_name failed", __func__); | 67 | fatal("%s: EC_KEY_new_by_curve_name failed", __func__); |
67 | if (EC_KEY_generate_key(server_key) != 1) | 68 | if (EC_KEY_generate_key(server_key) != 1) |
diff --git a/readconf.c b/readconf.c index 586422930..da7efd193 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.188 2010/08/31 11:54:45 djm Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.189 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -132,6 +132,7 @@ typedef enum { | |||
132 | oHashKnownHosts, | 132 | oHashKnownHosts, |
133 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | 133 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, |
134 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, | 134 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, |
135 | oKexAlgorithms, | ||
135 | oDeprecated, oUnsupported | 136 | oDeprecated, oUnsupported |
136 | } OpCodes; | 137 | } OpCodes; |
137 | 138 | ||
@@ -240,6 +241,7 @@ static struct { | |||
240 | #else | 241 | #else |
241 | { "zeroknowledgepasswordauthentication", oUnsupported }, | 242 | { "zeroknowledgepasswordauthentication", oUnsupported }, |
242 | #endif | 243 | #endif |
244 | { "kexalgorithms", oKexAlgorithms }, | ||
243 | 245 | ||
244 | { NULL, oBadOption } | 246 | { NULL, oBadOption } |
245 | }; | 247 | }; |
@@ -699,6 +701,18 @@ parse_int: | |||
699 | options->macs = xstrdup(arg); | 701 | options->macs = xstrdup(arg); |
700 | break; | 702 | break; |
701 | 703 | ||
704 | case oKexAlgorithms: | ||
705 | arg = strdelim(&s); | ||
706 | if (!arg || *arg == '\0') | ||
707 | fatal("%.200s line %d: Missing argument.", | ||
708 | filename, linenum); | ||
709 | if (!kex_names_valid(arg)) | ||
710 | fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", | ||
711 | filename, linenum, arg ? arg : "<NONE>"); | ||
712 | if (*activep && options->kex_algorithms == NULL) | ||
713 | options->kex_algorithms = xstrdup(arg); | ||
714 | break; | ||
715 | |||
702 | case oHostKeyAlgorithms: | 716 | case oHostKeyAlgorithms: |
703 | arg = strdelim(&s); | 717 | arg = strdelim(&s); |
704 | if (!arg || *arg == '\0') | 718 | if (!arg || *arg == '\0') |
@@ -1078,6 +1092,7 @@ initialize_options(Options * options) | |||
1078 | options->cipher = -1; | 1092 | options->cipher = -1; |
1079 | options->ciphers = NULL; | 1093 | options->ciphers = NULL; |
1080 | options->macs = NULL; | 1094 | options->macs = NULL; |
1095 | options->kex_algorithms = NULL; | ||
1081 | options->hostkeyalgorithms = NULL; | 1096 | options->hostkeyalgorithms = NULL; |
1082 | options->protocol = SSH_PROTO_UNKNOWN; | 1097 | options->protocol = SSH_PROTO_UNKNOWN; |
1083 | options->num_identity_files = 0; | 1098 | options->num_identity_files = 0; |
@@ -1191,6 +1206,7 @@ fill_default_options(Options * options) | |||
1191 | options->cipher = SSH_CIPHER_NOT_SET; | 1206 | options->cipher = SSH_CIPHER_NOT_SET; |
1192 | /* options->ciphers, default set in myproposals.h */ | 1207 | /* options->ciphers, default set in myproposals.h */ |
1193 | /* options->macs, default set in myproposals.h */ | 1208 | /* options->macs, default set in myproposals.h */ |
1209 | /* options->kex_algorithms, default set in myproposals.h */ | ||
1194 | /* options->hostkeyalgorithms, default set in myproposals.h */ | 1210 | /* options->hostkeyalgorithms, default set in myproposals.h */ |
1195 | if (options->protocol == SSH_PROTO_UNKNOWN) | 1211 | if (options->protocol == SSH_PROTO_UNKNOWN) |
1196 | options->protocol = SSH_PROTO_2; | 1212 | options->protocol = SSH_PROTO_2; |
diff --git a/readconf.h b/readconf.h index 95d104674..ae61466df 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.h,v 1.86 2010/07/19 09:15:12 djm Exp $ */ | 1 | /* $OpenBSD: readconf.h,v 1.87 2010/09/22 05:01:29 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -73,6 +73,7 @@ typedef struct { | |||
73 | char *ciphers; /* SSH2 ciphers in order of preference. */ | 73 | char *ciphers; /* SSH2 ciphers in order of preference. */ |
74 | char *macs; /* SSH2 macs in order of preference. */ | 74 | char *macs; /* SSH2 macs in order of preference. */ |
75 | char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ | 75 | char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ |
76 | char *kex_algorithms; /* SSH2 kex methods in order of preference. */ | ||
76 | int protocol; /* Protocol in order of preference. */ | 77 | int protocol; /* Protocol in order of preference. */ |
77 | char *hostname; /* Real host to connect. */ | 78 | char *hostname; /* Real host to connect. */ |
78 | char *host_key_alias; /* hostname alias for .ssh/known_hosts */ | 79 | char *host_key_alias; /* hostname alias for .ssh/known_hosts */ |
diff --git a/servconf.c b/servconf.c index def6b716a..d26a7db05 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.c,v 1.210 2010/09/01 15:21:35 naddy Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.211 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -109,6 +109,7 @@ initialize_server_options(ServerOptions *options) | |||
109 | options->num_deny_groups = 0; | 109 | options->num_deny_groups = 0; |
110 | options->ciphers = NULL; | 110 | options->ciphers = NULL; |
111 | options->macs = NULL; | 111 | options->macs = NULL; |
112 | options->kex_algorithms = NULL; | ||
112 | options->protocol = SSH_PROTO_UNKNOWN; | 113 | options->protocol = SSH_PROTO_UNKNOWN; |
113 | options->gateway_ports = -1; | 114 | options->gateway_ports = -1; |
114 | options->num_subsystems = 0; | 115 | options->num_subsystems = 0; |
@@ -314,6 +315,7 @@ typedef enum { | |||
314 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 315 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
315 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 316 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
316 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 317 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
318 | sKexAlgorithms, | ||
317 | sDeprecated, sUnsupported | 319 | sDeprecated, sUnsupported |
318 | } ServerOpCodes; | 320 | } ServerOpCodes; |
319 | 321 | ||
@@ -436,6 +438,7 @@ static struct { | |||
436 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | 438 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
437 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | 439 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
438 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, | 440 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
441 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, | ||
439 | { NULL, sBadOption, 0 } | 442 | { NULL, sBadOption, 0 } |
440 | }; | 443 | }; |
441 | 444 | ||
@@ -1131,6 +1134,18 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1131 | options->macs = xstrdup(arg); | 1134 | options->macs = xstrdup(arg); |
1132 | break; | 1135 | break; |
1133 | 1136 | ||
1137 | case sKexAlgorithms: | ||
1138 | arg = strdelim(&cp); | ||
1139 | if (!arg || *arg == '\0') | ||
1140 | fatal("%s line %d: Missing argument.", | ||
1141 | filename, linenum); | ||
1142 | if (!kex_names_valid(arg)) | ||
1143 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", | ||
1144 | filename, linenum, arg ? arg : "<NONE>"); | ||
1145 | if (options->kex_algorithms == NULL) | ||
1146 | options->kex_algorithms = xstrdup(arg); | ||
1147 | break; | ||
1148 | |||
1134 | case sProtocol: | 1149 | case sProtocol: |
1135 | intptr = &options->protocol; | 1150 | intptr = &options->protocol; |
1136 | arg = strdelim(&cp); | 1151 | arg = strdelim(&cp); |
diff --git a/servconf.h b/servconf.h index 45d2a2ae3..ad13f2edd 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.h,v 1.93 2010/05/07 11:30:30 djm Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.94 2010/09/22 05:01:29 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -72,6 +72,7 @@ typedef struct { | |||
72 | int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ | 72 | int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ |
73 | char *ciphers; /* Supported SSH2 ciphers. */ | 73 | char *ciphers; /* Supported SSH2 ciphers. */ |
74 | char *macs; /* Supported SSH2 macs. */ | 74 | char *macs; /* Supported SSH2 macs. */ |
75 | char *kex_algorithms; /* SSH2 kex methods in order of preference. */ | ||
75 | int protocol; /* Supported protocol versions. */ | 76 | int protocol; /* Supported protocol versions. */ |
76 | int gateway_ports; /* If true, allow remote connects to forwarded ports. */ | 77 | int gateway_ports; /* If true, allow remote connects to forwarded ports. */ |
77 | SyslogFacility log_facility; /* Facility for system logging. */ | 78 | SyslogFacility log_facility; /* Facility for system logging. */ |
diff --git a/ssh_config.5 b/ssh_config.5 index 33038ffcf..6e49842a7 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.139 2010/08/31 11:54:45 djm Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.140 2010/09/22 05:01:29 djm Exp $ |
38 | .Dd $Mdocdate: August 31 2010 $ | 38 | .Dd $Mdocdate: September 22 2010 $ |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -646,6 +646,17 @@ it may be zero or more of: | |||
646 | .Dq pam , | 646 | .Dq pam , |
647 | and | 647 | and |
648 | .Dq skey . | 648 | .Dq skey . |
649 | .It Cm KexAlgorithms | ||
650 | Specifies the available KEX (Key Exchange) algorithms. | ||
651 | Multiple algorithms must be comma-separated. | ||
652 | The default is | ||
653 | .Dq ecdh-sha2-nistp256 , | ||
654 | .Dq ecdh-sha2-nistp384 , | ||
655 | .Dq ecdh-sha2-nistp521 , | ||
656 | .Dq diffie-hellman-group-exchange-sha256 , | ||
657 | .Dq diffie-hellman-group-exchange-sha1 , | ||
658 | .Dq diffie-hellman-group14-sha1 , | ||
659 | .Dq diffie-hellman-group1-sha1 . | ||
649 | .It Cm LocalCommand | 660 | .It Cm LocalCommand |
650 | Specifies a command to execute on the local machine after successfully | 661 | Specifies a command to execute on the local machine after successfully |
651 | connecting to the server. | 662 | connecting to the server. |
diff --git a/sshconnect2.c b/sshconnect2.c index a31a663d4..6fe356cca 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.184 2010/08/31 11:54:45 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.185 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -135,6 +135,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
135 | if (options.hostkeyalgorithms != NULL) | 135 | if (options.hostkeyalgorithms != NULL) |
136 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 136 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
137 | options.hostkeyalgorithms; | 137 | options.hostkeyalgorithms; |
138 | if (options.kex_algorithms != NULL) | ||
139 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
138 | 140 | ||
139 | if (options.rekey_limit) | 141 | if (options.rekey_limit) |
140 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | 142 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.379 2010/08/31 12:33:38 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.380 2010/09/22 05:01:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -2297,6 +2297,8 @@ do_ssh2_kex(void) | |||
2297 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 2297 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
2298 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; | 2298 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; |
2299 | } | 2299 | } |
2300 | if (options.kex_algorithms != NULL) | ||
2301 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
2300 | 2302 | ||
2301 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2303 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2302 | 2304 | ||
diff --git a/sshd_config.5 b/sshd_config.5 index af3d89b80..d87f60246 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.126 2010/08/31 11:54:45 djm Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.127 2010/09/22 05:01:30 djm Exp $ |
38 | .Dd $Mdocdate: August 31 2010 $ | 38 | .Dd $Mdocdate: September 22 2010 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -538,6 +538,17 @@ Specifies whether to automatically destroy the user's ticket cache | |||
538 | file on logout. | 538 | file on logout. |
539 | The default is | 539 | The default is |
540 | .Dq yes . | 540 | .Dq yes . |
541 | .It Cm KexAlgorithms | ||
542 | Specifies the available KEX (Key Exchange) algorithms. | ||
543 | Multiple algorithms must be comma-separated. | ||
544 | The default is | ||
545 | .Dq ecdh-sha2-nistp256 , | ||
546 | .Dq ecdh-sha2-nistp384 , | ||
547 | .Dq ecdh-sha2-nistp521 , | ||
548 | .Dq diffie-hellman-group-exchange-sha256 , | ||
549 | .Dq diffie-hellman-group-exchange-sha1 , | ||
550 | .Dq diffie-hellman-group14-sha1 , | ||
551 | .Dq diffie-hellman-group1-sha1 . | ||
541 | .It Cm KeyRegenerationInterval | 552 | .It Cm KeyRegenerationInterval |
542 | In protocol version 1, the ephemeral server key is automatically regenerated | 553 | In protocol version 1, the ephemeral server key is automatically regenerated |
543 | after this many seconds (if it has been used). | 554 | after this many seconds (if it has been used). |