diff options
-rw-r--r-- | clientloop.c | 10 | ||||
-rw-r--r-- | myproposal.h | 6 | ||||
-rw-r--r-- | readconf.c | 37 | ||||
-rw-r--r-- | readconf.h | 5 | ||||
-rw-r--r-- | scp.1 | 5 | ||||
-rw-r--r-- | servconf.c | 17 | ||||
-rw-r--r-- | servconf.h | 3 | ||||
-rw-r--r-- | ssh.1 | 5 | ||||
-rw-r--r-- | ssh_config.5 | 42 | ||||
-rw-r--r-- | sshconnect2.c | 39 | ||||
-rw-r--r-- | sshd.c | 10 | ||||
-rw-r--r-- | sshd_config.5 | 60 |
12 files changed, 173 insertions, 66 deletions
diff --git a/clientloop.c b/clientloop.c index dc0e557ad..87ceb3dab 100644 --- a/clientloop.c +++ b/clientloop.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: clientloop.c,v 1.274 2015/07/01 02:26:31 djm Exp $ */ | 1 | /* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -100,6 +100,7 @@ | |||
100 | #include "key.h" | 100 | #include "key.h" |
101 | #include "cipher.h" | 101 | #include "cipher.h" |
102 | #include "kex.h" | 102 | #include "kex.h" |
103 | #include "myproposal.h" | ||
103 | #include "log.h" | 104 | #include "log.h" |
104 | #include "misc.h" | 105 | #include "misc.h" |
105 | #include "readconf.h" | 106 | #include "readconf.h" |
@@ -2362,10 +2363,11 @@ client_input_hostkeys(void) | |||
2362 | debug3("%s: received %s key %s", __func__, | 2363 | debug3("%s: received %s key %s", __func__, |
2363 | sshkey_type(key), fp); | 2364 | sshkey_type(key), fp); |
2364 | free(fp); | 2365 | free(fp); |
2366 | |||
2365 | /* Check that the key is accepted in HostkeyAlgorithms */ | 2367 | /* Check that the key is accepted in HostkeyAlgorithms */ |
2366 | if (options.hostkeyalgorithms != NULL && | 2368 | if (match_pattern_list(sshkey_ssh_name(key), |
2367 | match_pattern_list(sshkey_ssh_name(key), | 2369 | options.hostkeyalgorithms ? options.hostkeyalgorithms : |
2368 | options.hostkeyalgorithms, 0) != 1) { | 2370 | KEX_DEFAULT_PK_ALG, 0) != 1) { |
2369 | debug3("%s: %s key not permitted by HostkeyAlgorithms", | 2371 | debug3("%s: %s key not permitted by HostkeyAlgorithms", |
2370 | __func__, sshkey_ssh_name(key)); | 2372 | __func__, sshkey_ssh_name(key)); |
2371 | continue; | 2373 | continue; |
diff --git a/myproposal.h b/myproposal.h index 371f27cae..46e5b988d 100644 --- a/myproposal.h +++ b/myproposal.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: myproposal.h,v 1.46 2015/07/03 03:47:00 djm Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.47 2015/07/10 06:21:53 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -99,11 +99,9 @@ | |||
99 | HOSTKEY_ECDSA_CERT_METHODS \ | 99 | HOSTKEY_ECDSA_CERT_METHODS \ |
100 | "ssh-ed25519-cert-v01@openssh.com," \ | 100 | "ssh-ed25519-cert-v01@openssh.com," \ |
101 | "ssh-rsa-cert-v01@openssh.com," \ | 101 | "ssh-rsa-cert-v01@openssh.com," \ |
102 | "ssh-dss-cert-v01@openssh.com," \ | ||
103 | HOSTKEY_ECDSA_METHODS \ | 102 | HOSTKEY_ECDSA_METHODS \ |
104 | "ssh-ed25519," \ | 103 | "ssh-ed25519," \ |
105 | "ssh-rsa," \ | 104 | "ssh-rsa" \ |
106 | "ssh-dss" | ||
107 | 105 | ||
108 | /* the actual algorithms */ | 106 | /* the actual algorithms */ |
109 | 107 | ||
diff --git a/readconf.c b/readconf.c index db7d0bbbf..f1c860b9c 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.237 2015/06/26 05:13:20 djm Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.238 2015/07/10 06:21:53 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -157,6 +157,7 @@ typedef enum { | |||
157 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, | 157 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, |
158 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, | 158 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
159 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | 159 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
160 | oPubkeyAcceptedKeyTypes, | ||
160 | oIgnoredUnknownOption, oDeprecated, oUnsupported | 161 | oIgnoredUnknownOption, oDeprecated, oUnsupported |
161 | } OpCodes; | 162 | } OpCodes; |
162 | 163 | ||
@@ -275,6 +276,7 @@ static struct { | |||
275 | { "fingerprinthash", oFingerprintHash }, | 276 | { "fingerprinthash", oFingerprintHash }, |
276 | { "updatehostkeys", oUpdateHostkeys }, | 277 | { "updatehostkeys", oUpdateHostkeys }, |
277 | { "hostbasedkeytypes", oHostbasedKeyTypes }, | 278 | { "hostbasedkeytypes", oHostbasedKeyTypes }, |
279 | { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, | ||
278 | { "ignoreunknown", oIgnoreUnknown }, | 280 | { "ignoreunknown", oIgnoreUnknown }, |
279 | 281 | ||
280 | { NULL, oBadOption } | 282 | { NULL, oBadOption } |
@@ -1115,14 +1117,17 @@ parse_int: | |||
1115 | break; | 1117 | break; |
1116 | 1118 | ||
1117 | case oHostKeyAlgorithms: | 1119 | case oHostKeyAlgorithms: |
1120 | charptr = &options->hostkeyalgorithms; | ||
1121 | parse_keytypes: | ||
1118 | arg = strdelim(&s); | 1122 | arg = strdelim(&s); |
1119 | if (!arg || *arg == '\0') | 1123 | if (!arg || *arg == '\0') |
1120 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 1124 | fatal("%.200s line %d: Missing argument.", |
1125 | filename, linenum); | ||
1121 | if (!sshkey_names_valid2(arg, 1)) | 1126 | if (!sshkey_names_valid2(arg, 1)) |
1122 | fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.", | 1127 | fatal("%s line %d: Bad key types '%s'.", |
1123 | filename, linenum, arg ? arg : "<NONE>"); | 1128 | filename, linenum, arg ? arg : "<NONE>"); |
1124 | if (*activep && options->hostkeyalgorithms == NULL) | 1129 | if (*activep && *charptr == NULL) |
1125 | options->hostkeyalgorithms = xstrdup(arg); | 1130 | *charptr = xstrdup(arg); |
1126 | break; | 1131 | break; |
1127 | 1132 | ||
1128 | case oProtocol: | 1133 | case oProtocol: |
@@ -1485,16 +1490,11 @@ parse_int: | |||
1485 | 1490 | ||
1486 | case oHostbasedKeyTypes: | 1491 | case oHostbasedKeyTypes: |
1487 | charptr = &options->hostbased_key_types; | 1492 | charptr = &options->hostbased_key_types; |
1488 | arg = strdelim(&s); | 1493 | goto parse_keytypes; |
1489 | if (!arg || *arg == '\0') | 1494 | |
1490 | fatal("%.200s line %d: Missing argument.", | 1495 | case oPubkeyAcceptedKeyTypes: |
1491 | filename, linenum); | 1496 | charptr = &options->pubkey_key_types; |
1492 | if (!sshkey_names_valid2(arg, 1)) | 1497 | goto parse_keytypes; |
1493 | fatal("%s line %d: Bad key types '%s'.", | ||
1494 | filename, linenum, arg ? arg : "<NONE>"); | ||
1495 | if (*activep && *charptr == NULL) | ||
1496 | *charptr = xstrdup(arg); | ||
1497 | break; | ||
1498 | 1498 | ||
1499 | case oDeprecated: | 1499 | case oDeprecated: |
1500 | debug("%s line %d: Deprecated option \"%s\"", | 1500 | debug("%s line %d: Deprecated option \"%s\"", |
@@ -1676,6 +1676,7 @@ initialize_options(Options * options) | |||
1676 | options->fingerprint_hash = -1; | 1676 | options->fingerprint_hash = -1; |
1677 | options->update_hostkeys = -1; | 1677 | options->update_hostkeys = -1; |
1678 | options->hostbased_key_types = NULL; | 1678 | options->hostbased_key_types = NULL; |
1679 | options->pubkey_key_types = NULL; | ||
1679 | } | 1680 | } |
1680 | 1681 | ||
1681 | /* | 1682 | /* |
@@ -1858,7 +1859,9 @@ fill_default_options(Options * options) | |||
1858 | if (options->update_hostkeys == -1) | 1859 | if (options->update_hostkeys == -1) |
1859 | options->update_hostkeys = 0; | 1860 | options->update_hostkeys = 0; |
1860 | if (options->hostbased_key_types == NULL) | 1861 | if (options->hostbased_key_types == NULL) |
1861 | options->hostbased_key_types = xstrdup("*"); | 1862 | options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG); |
1863 | if (options->pubkey_key_types == NULL) | ||
1864 | options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG); | ||
1862 | 1865 | ||
1863 | #define CLEAR_ON_NONE(v) \ | 1866 | #define CLEAR_ON_NONE(v) \ |
1864 | do { \ | 1867 | do { \ |
diff --git a/readconf.h b/readconf.h index 576b9e352..bb2d55283 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.h,v 1.109 2015/02/16 22:13:32 djm Exp $ */ | 1 | /* $OpenBSD: readconf.h,v 1.110 2015/07/10 06:21:53 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -150,7 +150,8 @@ typedef struct { | |||
150 | 150 | ||
151 | int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ | 151 | int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ |
152 | 152 | ||
153 | char *hostbased_key_types; | 153 | char *hostbased_key_types; |
154 | char *pubkey_key_types; | ||
154 | 155 | ||
155 | char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ | 156 | char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ |
156 | } Options; | 157 | } Options; |
@@ -8,9 +8,9 @@ | |||
8 | .\" | 8 | .\" |
9 | .\" Created: Sun May 7 00:14:37 1995 ylo | 9 | .\" Created: Sun May 7 00:14:37 1995 ylo |
10 | .\" | 10 | .\" |
11 | .\" $OpenBSD: scp.1,v 1.66 2015/01/30 11:43:14 djm Exp $ | 11 | .\" $OpenBSD: scp.1,v 1.67 2015/07/10 06:21:53 markus Exp $ |
12 | .\" | 12 | .\" |
13 | .Dd $Mdocdate: January 30 2015 $ | 13 | .Dd $Mdocdate: July 10 2015 $ |
14 | .Dt SCP 1 | 14 | .Dt SCP 1 |
15 | .Os | 15 | .Os |
16 | .Sh NAME | 16 | .Sh NAME |
@@ -170,6 +170,7 @@ For full details of the options listed below, and their possible values, see | |||
170 | .It PreferredAuthentications | 170 | .It PreferredAuthentications |
171 | .It Protocol | 171 | .It Protocol |
172 | .It ProxyCommand | 172 | .It ProxyCommand |
173 | .It PubkeyAcceptedKeyTypes | ||
173 | .It PubkeyAuthentication | 174 | .It PubkeyAuthentication |
174 | .It RekeyLimit | 175 | .It RekeyLimit |
175 | .It RhostsRSAAuthentication | 176 | .It RhostsRSAAuthentication |
diff --git a/servconf.c b/servconf.c index 80465ecc1..018f251ca 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.275 2015/07/01 02:39:06 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.276 2015/07/10 06:21:53 markus Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -108,6 +108,7 @@ initialize_server_options(ServerOptions *options) | |||
108 | options->hostbased_authentication = -1; | 108 | options->hostbased_authentication = -1; |
109 | options->hostbased_uses_name_from_packet_only = -1; | 109 | options->hostbased_uses_name_from_packet_only = -1; |
110 | options->hostbased_key_types = NULL; | 110 | options->hostbased_key_types = NULL; |
111 | options->hostkeyalgorithms = NULL; | ||
111 | options->rsa_authentication = -1; | 112 | options->rsa_authentication = -1; |
112 | options->pubkey_authentication = -1; | 113 | options->pubkey_authentication = -1; |
113 | options->pubkey_key_types = NULL; | 114 | options->pubkey_key_types = NULL; |
@@ -259,13 +260,15 @@ fill_default_server_options(ServerOptions *options) | |||
259 | if (options->hostbased_uses_name_from_packet_only == -1) | 260 | if (options->hostbased_uses_name_from_packet_only == -1) |
260 | options->hostbased_uses_name_from_packet_only = 0; | 261 | options->hostbased_uses_name_from_packet_only = 0; |
261 | if (options->hostbased_key_types == NULL) | 262 | if (options->hostbased_key_types == NULL) |
262 | options->hostbased_key_types = xstrdup("*"); | 263 | options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG); |
264 | if (options->hostkeyalgorithms == NULL) | ||
265 | options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | ||
263 | if (options->rsa_authentication == -1) | 266 | if (options->rsa_authentication == -1) |
264 | options->rsa_authentication = 1; | 267 | options->rsa_authentication = 1; |
265 | if (options->pubkey_authentication == -1) | 268 | if (options->pubkey_authentication == -1) |
266 | options->pubkey_authentication = 1; | 269 | options->pubkey_authentication = 1; |
267 | if (options->pubkey_key_types == NULL) | 270 | if (options->pubkey_key_types == NULL) |
268 | options->pubkey_key_types = xstrdup("*"); | 271 | options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG); |
269 | if (options->kerberos_authentication == -1) | 272 | if (options->kerberos_authentication == -1) |
270 | options->kerberos_authentication = 0; | 273 | options->kerberos_authentication = 0; |
271 | if (options->kerberos_or_local_passwd == -1) | 274 | if (options->kerberos_or_local_passwd == -1) |
@@ -400,6 +403,7 @@ typedef enum { | |||
400 | sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, | 403 | sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, |
401 | sBanner, sUseDNS, sHostbasedAuthentication, | 404 | sBanner, sUseDNS, sHostbasedAuthentication, |
402 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, | 405 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
406 | sHostKeyAlgorithms, | ||
403 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 407 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
404 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 408 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
405 | sAcceptEnv, sPermitTunnel, | 409 | sAcceptEnv, sPermitTunnel, |
@@ -450,6 +454,7 @@ static struct { | |||
450 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, | 454 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, |
451 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, | 455 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, |
452 | { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, | 456 | { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, |
457 | { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, | ||
453 | { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, | 458 | { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, |
454 | { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, | 459 | { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, |
455 | { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, | 460 | { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, |
@@ -1183,6 +1188,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1183 | *charptr = xstrdup(arg); | 1188 | *charptr = xstrdup(arg); |
1184 | break; | 1189 | break; |
1185 | 1190 | ||
1191 | case sHostKeyAlgorithms: | ||
1192 | charptr = &options->hostkeyalgorithms; | ||
1193 | goto parse_keytypes; | ||
1194 | |||
1186 | case sRSAAuthentication: | 1195 | case sRSAAuthentication: |
1187 | intptr = &options->rsa_authentication; | 1196 | intptr = &options->rsa_authentication; |
1188 | goto parse_flag; | 1197 | goto parse_flag; |
@@ -2280,6 +2289,8 @@ dump_config(ServerOptions *o) | |||
2280 | o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); | 2289 | o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); |
2281 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? | 2290 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? |
2282 | o->hostbased_key_types : KEX_DEFAULT_PK_ALG); | 2291 | o->hostbased_key_types : KEX_DEFAULT_PK_ALG); |
2292 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? | ||
2293 | o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); | ||
2283 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? | 2294 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? |
2284 | o->pubkey_key_types : KEX_DEFAULT_PK_ALG); | 2295 | o->pubkey_key_types : KEX_DEFAULT_PK_ALG); |
2285 | 2296 | ||
diff --git a/servconf.h b/servconf.h index 606d80c9d..f4137af7d 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.120 2015/07/10 06:21:53 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -102,6 +102,7 @@ typedef struct { | |||
102 | int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ | 102 | int hostbased_authentication; /* If true, permit ssh2 hostbased auth */ |
103 | int hostbased_uses_name_from_packet_only; /* experimental */ | 103 | int hostbased_uses_name_from_packet_only; /* experimental */ |
104 | char *hostbased_key_types; /* Key types allowed for hostbased */ | 104 | char *hostbased_key_types; /* Key types allowed for hostbased */ |
105 | char *hostkeyalgorithms; /* SSH2 server key types */ | ||
105 | int rsa_authentication; /* If true, permit RSA authentication. */ | 106 | int rsa_authentication; /* If true, permit RSA authentication. */ |
106 | int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ | 107 | int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ |
107 | char *pubkey_key_types; /* Key types allowed for public key */ | 108 | char *pubkey_key_types; /* Key types allowed for public key */ |
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh.1,v 1.358 2015/05/22 05:28:45 djm Exp $ | 36 | .\" $OpenBSD: ssh.1,v 1.359 2015/07/10 06:21:53 markus Exp $ |
37 | .Dd $Mdocdate: May 22 2015 $ | 37 | .Dd $Mdocdate: July 10 2015 $ |
38 | .Dt SSH 1 | 38 | .Dt SSH 1 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -470,6 +470,7 @@ For full details of the options listed below, and their possible values, see | |||
470 | .It Protocol | 470 | .It Protocol |
471 | .It ProxyCommand | 471 | .It ProxyCommand |
472 | .It ProxyUseFdpass | 472 | .It ProxyUseFdpass |
473 | .It PubkeyAcceptedKeyTypes | ||
473 | .It PubkeyAuthentication | 474 | .It PubkeyAuthentication |
474 | .It RekeyLimit | 475 | .It RekeyLimit |
475 | .It RemoteForward | 476 | .It RemoteForward |
diff --git a/ssh_config.5 b/ssh_config.5 index d29963c15..e51439849 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh_config.5,v 1.212 2015/07/03 03:47:00 djm Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.213 2015/07/10 06:21:53 markus Exp $ |
37 | .Dd $Mdocdate: July 3 2015 $ | 37 | .Dd $Mdocdate: July 10 2015 $ |
38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -781,9 +781,17 @@ is similar to | |||
781 | .It Cm HostbasedKeyTypes | 781 | .It Cm HostbasedKeyTypes |
782 | Specifies the key types that will be used for hostbased authentication | 782 | Specifies the key types that will be used for hostbased authentication |
783 | as a comma-separated pattern list. | 783 | as a comma-separated pattern list. |
784 | The default | 784 | The default for this option is: |
785 | .Dq * | 785 | .Bd -literal -offset 3n |
786 | will allow all key types. | 786 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
787 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
788 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
789 | ssh-ed25519-cert-v01@openssh.com, | ||
790 | ssh-rsa-cert-v01@openssh.com, | ||
791 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
792 | ssh-ed25519,ssh-rsa | ||
793 | .Ed | ||
794 | .Pp | ||
787 | The | 795 | The |
788 | .Fl Q | 796 | .Fl Q |
789 | option of | 797 | option of |
@@ -798,10 +806,9 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, | |||
798 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 806 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
799 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 807 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
800 | ssh-ed25519-cert-v01@openssh.com, | 808 | ssh-ed25519-cert-v01@openssh.com, |
801 | ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com, | 809 | ssh-rsa-cert-v01@openssh.com, |
802 | ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com, | ||
803 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 810 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
804 | ssh-ed25519,ssh-rsa,ssh-dss | 811 | ssh-ed25519,ssh-rsa |
805 | .Ed | 812 | .Ed |
806 | .Pp | 813 | .Pp |
807 | If hostkeys are known for the destination host then this default is modified | 814 | If hostkeys are known for the destination host then this default is modified |
@@ -1206,6 +1213,25 @@ will pass a connected file descriptor back to | |||
1206 | instead of continuing to execute and pass data. | 1213 | instead of continuing to execute and pass data. |
1207 | The default is | 1214 | The default is |
1208 | .Dq no . | 1215 | .Dq no . |
1216 | .It Cm PubkeyAcceptedKeyTypes | ||
1217 | Specifies the key types that will be used for public key authentication | ||
1218 | as a comma-separated pattern list. | ||
1219 | The default for this option is: | ||
1220 | .Bd -literal -offset 3n | ||
1221 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
1222 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
1223 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
1224 | ssh-ed25519-cert-v01@openssh.com, | ||
1225 | ssh-rsa-cert-v01@openssh.com, | ||
1226 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
1227 | ssh-ed25519,ssh-rsa | ||
1228 | .Ed | ||
1229 | .Pp | ||
1230 | The | ||
1231 | .Fl Q | ||
1232 | option of | ||
1233 | .Xr ssh 1 | ||
1234 | may be used to list supported key types. | ||
1209 | .It Cm PubkeyAuthentication | 1235 | .It Cm PubkeyAuthentication |
1210 | Specifies whether to try public key authentication. | 1236 | Specifies whether to try public key authentication. |
1211 | The argument to this keyword must be | 1237 | The argument to this keyword must be |
diff --git a/sshconnect2.c b/sshconnect2.c index fcaed6b01..34dbf9a77 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.225 2015/07/10 06:21:53 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -190,6 +190,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
190 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 190 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
191 | compat_pkalg_proposal(options.hostkeyalgorithms); | 191 | compat_pkalg_proposal(options.hostkeyalgorithms); |
192 | else { | 192 | else { |
193 | /* Enforce default */ | ||
194 | options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | ||
193 | /* Prefer algorithms that we already have keys for */ | 195 | /* Prefer algorithms that we already have keys for */ |
194 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 196 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
195 | compat_pkalg_proposal( | 197 | compat_pkalg_proposal( |
@@ -1315,6 +1317,26 @@ pubkey_cleanup(Authctxt *authctxt) | |||
1315 | } | 1317 | } |
1316 | } | 1318 | } |
1317 | 1319 | ||
1320 | static int | ||
1321 | try_identity(Identity *id) | ||
1322 | { | ||
1323 | if (!id->key) | ||
1324 | return (0); | ||
1325 | if (match_pattern_list(sshkey_ssh_name(id->key), | ||
1326 | options.pubkey_key_types, 0) != 1) { | ||
1327 | debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes", | ||
1328 | sshkey_ssh_name(id->key), id->filename); | ||
1329 | return (0); | ||
1330 | } | ||
1331 | if (key_type_plain(id->key->type) == KEY_RSA && | ||
1332 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
1333 | debug("Skipped %s key %s for RSA/MD5 server", | ||
1334 | key_type(id->key), id->filename); | ||
1335 | return (0); | ||
1336 | } | ||
1337 | return (id->key->type != KEY_RSA1); | ||
1338 | } | ||
1339 | |||
1318 | int | 1340 | int |
1319 | userauth_pubkey(Authctxt *authctxt) | 1341 | userauth_pubkey(Authctxt *authctxt) |
1320 | { | 1342 | { |
@@ -1333,11 +1355,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
1333 | * private key instead | 1355 | * private key instead |
1334 | */ | 1356 | */ |
1335 | if (id->key != NULL) { | 1357 | if (id->key != NULL) { |
1336 | if (key_type_plain(id->key->type) == KEY_RSA && | 1358 | if (try_identity(id)) { |
1337 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
1338 | debug("Skipped %s key %s for RSA/MD5 server", | ||
1339 | key_type(id->key), id->filename); | ||
1340 | } else if (id->key->type != KEY_RSA1) { | ||
1341 | debug("Offering %s public key: %s", | 1359 | debug("Offering %s public key: %s", |
1342 | key_type(id->key), id->filename); | 1360 | key_type(id->key), id->filename); |
1343 | sent = send_pubkey_test(authctxt, id); | 1361 | sent = send_pubkey_test(authctxt, id); |
@@ -1347,13 +1365,8 @@ userauth_pubkey(Authctxt *authctxt) | |||
1347 | id->key = load_identity_file(id->filename, | 1365 | id->key = load_identity_file(id->filename, |
1348 | id->userprovided); | 1366 | id->userprovided); |
1349 | if (id->key != NULL) { | 1367 | if (id->key != NULL) { |
1350 | id->isprivate = 1; | 1368 | if (try_identity(id)) { |
1351 | if (key_type_plain(id->key->type) == KEY_RSA && | 1369 | id->isprivate = 1; |
1352 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
1353 | debug("Skipped %s key %s for RSA/MD5 " | ||
1354 | "server", key_type(id->key), | ||
1355 | id->filename); | ||
1356 | } else { | ||
1357 | sent = sign_and_send_pubkey( | 1370 | sent = sign_and_send_pubkey( |
1358 | authctxt, id); | 1371 | authctxt, id); |
1359 | } | 1372 | } |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.453 2015/07/03 03:49:45 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.454 2015/07/10 06:21:53 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -95,6 +95,7 @@ | |||
95 | #include "log.h" | 95 | #include "log.h" |
96 | #include "buffer.h" | 96 | #include "buffer.h" |
97 | #include "misc.h" | 97 | #include "misc.h" |
98 | #include "match.h" | ||
98 | #include "servconf.h" | 99 | #include "servconf.h" |
99 | #include "uidswap.h" | 100 | #include "uidswap.h" |
100 | #include "compat.h" | 101 | #include "compat.h" |
@@ -799,6 +800,13 @@ list_hostkey_types(void) | |||
799 | key = sensitive_data.host_pubkeys[i]; | 800 | key = sensitive_data.host_pubkeys[i]; |
800 | if (key == NULL) | 801 | if (key == NULL) |
801 | continue; | 802 | continue; |
803 | /* Check that the key is accepted in HostkeyAlgorithms */ | ||
804 | if (match_pattern_list(sshkey_ssh_name(key), | ||
805 | options.hostkeyalgorithms, 0) != 1) { | ||
806 | debug3("%s: %s key not permitted by HostkeyAlgorithms", | ||
807 | __func__, sshkey_ssh_name(key)); | ||
808 | continue; | ||
809 | } | ||
802 | switch (key->type) { | 810 | switch (key->type) { |
803 | case KEY_RSA: | 811 | case KEY_RSA: |
804 | case KEY_DSA: | 812 | case KEY_DSA: |
diff --git a/sshd_config.5 b/sshd_config.5 index edd4cc9b9..b49e91910 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.205 2015/07/03 03:49:45 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.206 2015/07/10 06:21:53 markus Exp $ |
37 | .Dd $Mdocdate: July 3 2015 $ | 37 | .Dd $Mdocdate: July 10 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -640,9 +640,17 @@ The default is | |||
640 | .It Cm HostbasedAcceptedKeyTypes | 640 | .It Cm HostbasedAcceptedKeyTypes |
641 | Specifies the key types that will be accepted for hostbased authentication | 641 | Specifies the key types that will be accepted for hostbased authentication |
642 | as a comma-separated pattern list. | 642 | as a comma-separated pattern list. |
643 | The default | 643 | The default for this option is: |
644 | .Dq * | 644 | .Bd -literal -offset 3n |
645 | will allow all key types. | 645 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
646 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
647 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
648 | ssh-ed25519-cert-v01@openssh.com, | ||
649 | ssh-rsa-cert-v01@openssh.com, | ||
650 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
651 | ssh-ed25519,ssh-rsa | ||
652 | .Ed | ||
653 | .Pp | ||
646 | The | 654 | The |
647 | .Fl Q | 655 | .Fl Q |
648 | option of | 656 | option of |
@@ -694,9 +702,15 @@ for protocol version 1, and | |||
694 | and | 702 | and |
695 | .Pa /etc/ssh/ssh_host_rsa_key | 703 | .Pa /etc/ssh/ssh_host_rsa_key |
696 | for protocol version 2. | 704 | for protocol version 2. |
705 | .Pp | ||
697 | Note that | 706 | Note that |
698 | .Xr sshd 8 | 707 | .Xr sshd 8 |
699 | will refuse to use a file if it is group/world-accessible. | 708 | will refuse to use a file if it is group/world-accessible |
709 | and that the | ||
710 | .Cm HostKeyAlgorithms | ||
711 | option restricts which of the keys are actually used by | ||
712 | .Xr sshd 8 . | ||
713 | .Pp | ||
700 | It is possible to have multiple host key files. | 714 | It is possible to have multiple host key files. |
701 | .Dq rsa1 | 715 | .Dq rsa1 |
702 | keys are used for version 1 and | 716 | keys are used for version 1 and |
@@ -718,6 +732,26 @@ If | |||
718 | is specified, the location of the socket will be read from the | 732 | is specified, the location of the socket will be read from the |
719 | .Ev SSH_AUTH_SOCK | 733 | .Ev SSH_AUTH_SOCK |
720 | environment variable. | 734 | environment variable. |
735 | .It Cm HostKeyAlgorithms | ||
736 | Specifies the protocol version 2 host key algorithms | ||
737 | that the server offers. | ||
738 | The default for this option is: | ||
739 | .Bd -literal -offset 3n | ||
740 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
741 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
742 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
743 | ssh-ed25519-cert-v01@openssh.com, | ||
744 | ssh-rsa-cert-v01@openssh.com, | ||
745 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
746 | ssh-ed25519,ssh-rsa | ||
747 | .Ed | ||
748 | .Pp | ||
749 | The list of available key types may also be obtained using the | ||
750 | .Fl Q | ||
751 | option of | ||
752 | .Xr ssh 1 | ||
753 | with an argument of | ||
754 | .Dq key . | ||
721 | .It Cm IgnoreRhosts | 755 | .It Cm IgnoreRhosts |
722 | Specifies that | 756 | Specifies that |
723 | .Pa .rhosts | 757 | .Pa .rhosts |
@@ -1279,9 +1313,17 @@ is identical to | |||
1279 | .It Cm PubkeyAcceptedKeyTypes | 1313 | .It Cm PubkeyAcceptedKeyTypes |
1280 | Specifies the key types that will be accepted for public key authentication | 1314 | Specifies the key types that will be accepted for public key authentication |
1281 | as a comma-separated pattern list. | 1315 | as a comma-separated pattern list. |
1282 | The default | 1316 | The default for this option is: |
1283 | .Dq * | 1317 | .Bd -literal -offset 3n |
1284 | will allow all key types. | 1318 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
1319 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
1320 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
1321 | ssh-ed25519-cert-v01@openssh.com, | ||
1322 | ssh-rsa-cert-v01@openssh.com, | ||
1323 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
1324 | ssh-ed25519,ssh-rsa | ||
1325 | .Ed | ||
1326 | .Pp | ||
1285 | The | 1327 | The |
1286 | .Fl Q | 1328 | .Fl Q |
1287 | option of | 1329 | option of |