upstream commit

Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21

1 files changed, 9 insertions, 1 deletions

diff --git a/sshd.c b/sshd.c
index 86b3c643b..81a9b8245 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.453 2015/07/03 03:49:45 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.454 2015/07/10 06:21:53 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -95,6 +95,7 @@
 #include "log.h"
 #include "buffer.h"
 #include "misc.h"
+#include "match.h"
 #include "servconf.h"
 #include "uidswap.h"
 #include "compat.h"
@@ -799,6 +800,13 @@ list_hostkey_types(void)
                         key = sensitive_data.host_pubkeys[i];
                 if (key == NULL)
                         continue;
+                /* Check that the key is accepted in HostkeyAlgorithms */
+                if (match_pattern_list(sshkey_ssh_name(key),
+                    options.hostkeyalgorithms, 0) != 1) {
+                        debug3("%s: %s key not permitted by HostkeyAlgorithms",
+                            __func__, sshkey_ssh_name(key));
+                        continue;
+                }
                 switch (key->type) {
                 case KEY_RSA:
                 case KEY_DSA: