diff options
-rw-r--r-- | kex.c | 64 | ||||
-rw-r--r-- | kex.h | 4 | ||||
-rw-r--r-- | readconf.c | 25 | ||||
-rw-r--r-- | servconf.c | 24 | ||||
-rw-r--r-- | ssh.c | 35 | ||||
-rw-r--r-- | ssh_config.5 | 31 | ||||
-rw-r--r-- | sshconnect2.c | 33 | ||||
-rw-r--r-- | sshd.c | 29 | ||||
-rw-r--r-- | sshd_config.5 | 26 |
9 files changed, 187 insertions, 84 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.c,v 1.108 2015/07/29 08:34:54 djm Exp $ */ | 1 | /* $OpenBSD: kex.c,v 1.109 2015/07/30 00:01:34 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -155,6 +155,68 @@ kex_names_valid(const char *names) | |||
155 | return 1; | 155 | return 1; |
156 | } | 156 | } |
157 | 157 | ||
158 | /* | ||
159 | * Concatenate algorithm names, avoiding duplicates in the process. | ||
160 | * Caller must free returned string. | ||
161 | */ | ||
162 | char * | ||
163 | kex_names_cat(const char *a, const char *b) | ||
164 | { | ||
165 | char *ret = NULL, *tmp = NULL, *cp, *p; | ||
166 | size_t len; | ||
167 | |||
168 | if (a == NULL || *a == '\0') | ||
169 | return NULL; | ||
170 | if (b == NULL || *b == '\0') | ||
171 | return strdup(a); | ||
172 | if (strlen(b) > 1024*1024) | ||
173 | return NULL; | ||
174 | len = strlen(a) + strlen(b) + 2; | ||
175 | if ((tmp = cp = strdup(b)) == NULL || | ||
176 | (ret = calloc(1, len)) == NULL) { | ||
177 | free(tmp); | ||
178 | return NULL; | ||
179 | } | ||
180 | strlcpy(ret, a, len); | ||
181 | for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { | ||
182 | if (match_list(ret, p, NULL) != NULL) | ||
183 | continue; /* Algorithm already present */ | ||
184 | if (strlcat(ret, ",", len) >= len || | ||
185 | strlcat(ret, p, len) >= len) { | ||
186 | free(tmp); | ||
187 | free(ret); | ||
188 | return NULL; /* Shouldn't happen */ | ||
189 | } | ||
190 | } | ||
191 | free(tmp); | ||
192 | return ret; | ||
193 | } | ||
194 | |||
195 | /* | ||
196 | * Assemble a list of algorithms from a default list and a string from a | ||
197 | * configuration file. The user-provided string may begin with '+' to | ||
198 | * indicate that it should be appended to the default. | ||
199 | */ | ||
200 | int | ||
201 | kex_assemble_names(const char *def, char **list) | ||
202 | { | ||
203 | char *ret; | ||
204 | |||
205 | if (list == NULL || *list == NULL || **list == '\0') { | ||
206 | *list = strdup(def); | ||
207 | return 0; | ||
208 | } | ||
209 | if (**list != '+') { | ||
210 | return 0; | ||
211 | } | ||
212 | |||
213 | if ((ret = kex_names_cat(def, *list + 1)) == NULL) | ||
214 | return SSH_ERR_ALLOC_FAIL; | ||
215 | free(*list); | ||
216 | *list = ret; | ||
217 | return 0; | ||
218 | } | ||
219 | |||
158 | /* put algorithm proposal into buffer */ | 220 | /* put algorithm proposal into buffer */ |
159 | int | 221 | int |
160 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) | 222 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.h,v 1.72 2015/07/29 04:43:06 djm Exp $ */ | 1 | /* $OpenBSD: kex.h,v 1.73 2015/07/30 00:01:34 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
@@ -160,6 +160,8 @@ struct kex { | |||
160 | 160 | ||
161 | int kex_names_valid(const char *); | 161 | int kex_names_valid(const char *); |
162 | char *kex_alg_list(char); | 162 | char *kex_alg_list(char); |
163 | char *kex_names_cat(const char *, const char *); | ||
164 | int kex_assemble_names(const char *, char **); | ||
163 | 165 | ||
164 | int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **); | 166 | int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **); |
165 | int kex_setup(struct ssh *, char *[PROPOSAL_MAX]); | 167 | int kex_setup(struct ssh *, char *[PROPOSAL_MAX]); |
diff --git a/readconf.c b/readconf.c index f1c860b9c..1d03bdf72 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.238 2015/07/10 06:21:53 markus Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.239 2015/07/30 00:01:34 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1086,7 +1086,7 @@ parse_int: | |||
1086 | arg = strdelim(&s); | 1086 | arg = strdelim(&s); |
1087 | if (!arg || *arg == '\0') | 1087 | if (!arg || *arg == '\0') |
1088 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 1088 | fatal("%.200s line %d: Missing argument.", filename, linenum); |
1089 | if (!ciphers_valid(arg)) | 1089 | if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) |
1090 | fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", | 1090 | fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", |
1091 | filename, linenum, arg ? arg : "<NONE>"); | 1091 | filename, linenum, arg ? arg : "<NONE>"); |
1092 | if (*activep && options->ciphers == NULL) | 1092 | if (*activep && options->ciphers == NULL) |
@@ -1097,7 +1097,7 @@ parse_int: | |||
1097 | arg = strdelim(&s); | 1097 | arg = strdelim(&s); |
1098 | if (!arg || *arg == '\0') | 1098 | if (!arg || *arg == '\0') |
1099 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 1099 | fatal("%.200s line %d: Missing argument.", filename, linenum); |
1100 | if (!mac_valid(arg)) | 1100 | if (!mac_valid(*arg == '+' ? arg + 1 : arg)) |
1101 | fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", | 1101 | fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", |
1102 | filename, linenum, arg ? arg : "<NONE>"); | 1102 | filename, linenum, arg ? arg : "<NONE>"); |
1103 | if (*activep && options->macs == NULL) | 1103 | if (*activep && options->macs == NULL) |
@@ -1109,7 +1109,7 @@ parse_int: | |||
1109 | if (!arg || *arg == '\0') | 1109 | if (!arg || *arg == '\0') |
1110 | fatal("%.200s line %d: Missing argument.", | 1110 | fatal("%.200s line %d: Missing argument.", |
1111 | filename, linenum); | 1111 | filename, linenum); |
1112 | if (!kex_names_valid(arg)) | 1112 | if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) |
1113 | fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", | 1113 | fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", |
1114 | filename, linenum, arg ? arg : "<NONE>"); | 1114 | filename, linenum, arg ? arg : "<NONE>"); |
1115 | if (*activep && options->kex_algorithms == NULL) | 1115 | if (*activep && options->kex_algorithms == NULL) |
@@ -1123,7 +1123,7 @@ parse_keytypes: | |||
1123 | if (!arg || *arg == '\0') | 1123 | if (!arg || *arg == '\0') |
1124 | fatal("%.200s line %d: Missing argument.", | 1124 | fatal("%.200s line %d: Missing argument.", |
1125 | filename, linenum); | 1125 | filename, linenum); |
1126 | if (!sshkey_names_valid2(arg, 1)) | 1126 | if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) |
1127 | fatal("%s line %d: Bad key types '%s'.", | 1127 | fatal("%s line %d: Bad key types '%s'.", |
1128 | filename, linenum, arg ? arg : "<NONE>"); | 1128 | filename, linenum, arg ? arg : "<NONE>"); |
1129 | if (*activep && *charptr == NULL) | 1129 | if (*activep && *charptr == NULL) |
@@ -1762,9 +1762,6 @@ fill_default_options(Options * options) | |||
1762 | /* Selected in ssh_login(). */ | 1762 | /* Selected in ssh_login(). */ |
1763 | if (options->cipher == -1) | 1763 | if (options->cipher == -1) |
1764 | options->cipher = SSH_CIPHER_NOT_SET; | 1764 | options->cipher = SSH_CIPHER_NOT_SET; |
1765 | /* options->ciphers, default set in myproposals.h */ | ||
1766 | /* options->macs, default set in myproposals.h */ | ||
1767 | /* options->kex_algorithms, default set in myproposals.h */ | ||
1768 | /* options->hostkeyalgorithms, default set in myproposals.h */ | 1765 | /* options->hostkeyalgorithms, default set in myproposals.h */ |
1769 | if (options->protocol == SSH_PROTO_UNKNOWN) | 1766 | if (options->protocol == SSH_PROTO_UNKNOWN) |
1770 | options->protocol = SSH_PROTO_2; | 1767 | options->protocol = SSH_PROTO_2; |
@@ -1858,10 +1855,14 @@ fill_default_options(Options * options) | |||
1858 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 1855 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
1859 | if (options->update_hostkeys == -1) | 1856 | if (options->update_hostkeys == -1) |
1860 | options->update_hostkeys = 0; | 1857 | options->update_hostkeys = 0; |
1861 | if (options->hostbased_key_types == NULL) | 1858 | if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || |
1862 | options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG); | 1859 | kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || |
1863 | if (options->pubkey_key_types == NULL) | 1860 | kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || |
1864 | options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG); | 1861 | kex_assemble_names(KEX_DEFAULT_PK_ALG, |
1862 | &options->hostbased_key_types) != 0 || | ||
1863 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
1864 | &options->pubkey_key_types) != 0) | ||
1865 | fatal("%s: kex_assemble_names failed", __func__); | ||
1865 | 1866 | ||
1866 | #define CLEAR_ON_NONE(v) \ | 1867 | #define CLEAR_ON_NONE(v) \ |
1867 | do { \ | 1868 | do { \ |
diff --git a/servconf.c b/servconf.c index 018f251ca..7506ad21f 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.276 2015/07/10 06:21:53 markus Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.277 2015/07/30 00:01:34 djm Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -259,16 +259,12 @@ fill_default_server_options(ServerOptions *options) | |||
259 | options->hostbased_authentication = 0; | 259 | options->hostbased_authentication = 0; |
260 | if (options->hostbased_uses_name_from_packet_only == -1) | 260 | if (options->hostbased_uses_name_from_packet_only == -1) |
261 | options->hostbased_uses_name_from_packet_only = 0; | 261 | options->hostbased_uses_name_from_packet_only = 0; |
262 | if (options->hostbased_key_types == NULL) | ||
263 | options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG); | ||
264 | if (options->hostkeyalgorithms == NULL) | 262 | if (options->hostkeyalgorithms == NULL) |
265 | options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | 263 | options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); |
266 | if (options->rsa_authentication == -1) | 264 | if (options->rsa_authentication == -1) |
267 | options->rsa_authentication = 1; | 265 | options->rsa_authentication = 1; |
268 | if (options->pubkey_authentication == -1) | 266 | if (options->pubkey_authentication == -1) |
269 | options->pubkey_authentication = 1; | 267 | options->pubkey_authentication = 1; |
270 | if (options->pubkey_key_types == NULL) | ||
271 | options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG); | ||
272 | if (options->kerberos_authentication == -1) | 268 | if (options->kerberos_authentication == -1) |
273 | options->kerberos_authentication = 0; | 269 | options->kerberos_authentication = 0; |
274 | if (options->kerberos_or_local_passwd == -1) | 270 | if (options->kerberos_or_local_passwd == -1) |
@@ -345,6 +341,16 @@ fill_default_server_options(ServerOptions *options) | |||
345 | options->fwd_opts.streamlocal_bind_unlink = 0; | 341 | options->fwd_opts.streamlocal_bind_unlink = 0; |
346 | if (options->fingerprint_hash == -1) | 342 | if (options->fingerprint_hash == -1) |
347 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 343 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
344 | |||
345 | if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || | ||
346 | kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || | ||
347 | kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || | ||
348 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
349 | &options->hostbased_key_types) != 0 || | ||
350 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
351 | &options->pubkey_key_types) != 0) | ||
352 | fatal("%s: kex_assemble_names failed", __func__); | ||
353 | |||
348 | /* Turn privilege separation on by default */ | 354 | /* Turn privilege separation on by default */ |
349 | if (use_privsep == -1) | 355 | if (use_privsep == -1) |
350 | use_privsep = PRIVSEP_NOSANDBOX; | 356 | use_privsep = PRIVSEP_NOSANDBOX; |
@@ -1181,7 +1187,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1181 | if (!arg || *arg == '\0') | 1187 | if (!arg || *arg == '\0') |
1182 | fatal("%s line %d: Missing argument.", | 1188 | fatal("%s line %d: Missing argument.", |
1183 | filename, linenum); | 1189 | filename, linenum); |
1184 | if (!sshkey_names_valid2(arg, 1)) | 1190 | if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) |
1185 | fatal("%s line %d: Bad key types '%s'.", | 1191 | fatal("%s line %d: Bad key types '%s'.", |
1186 | filename, linenum, arg ? arg : "<NONE>"); | 1192 | filename, linenum, arg ? arg : "<NONE>"); |
1187 | if (*activep && *charptr == NULL) | 1193 | if (*activep && *charptr == NULL) |
@@ -1434,7 +1440,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1434 | arg = strdelim(&cp); | 1440 | arg = strdelim(&cp); |
1435 | if (!arg || *arg == '\0') | 1441 | if (!arg || *arg == '\0') |
1436 | fatal("%s line %d: Missing argument.", filename, linenum); | 1442 | fatal("%s line %d: Missing argument.", filename, linenum); |
1437 | if (!ciphers_valid(arg)) | 1443 | if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) |
1438 | fatal("%s line %d: Bad SSH2 cipher spec '%s'.", | 1444 | fatal("%s line %d: Bad SSH2 cipher spec '%s'.", |
1439 | filename, linenum, arg ? arg : "<NONE>"); | 1445 | filename, linenum, arg ? arg : "<NONE>"); |
1440 | if (options->ciphers == NULL) | 1446 | if (options->ciphers == NULL) |
@@ -1445,7 +1451,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1445 | arg = strdelim(&cp); | 1451 | arg = strdelim(&cp); |
1446 | if (!arg || *arg == '\0') | 1452 | if (!arg || *arg == '\0') |
1447 | fatal("%s line %d: Missing argument.", filename, linenum); | 1453 | fatal("%s line %d: Missing argument.", filename, linenum); |
1448 | if (!mac_valid(arg)) | 1454 | if (!mac_valid(*arg == '+' ? arg + 1 : arg)) |
1449 | fatal("%s line %d: Bad SSH2 mac spec '%s'.", | 1455 | fatal("%s line %d: Bad SSH2 mac spec '%s'.", |
1450 | filename, linenum, arg ? arg : "<NONE>"); | 1456 | filename, linenum, arg ? arg : "<NONE>"); |
1451 | if (options->macs == NULL) | 1457 | if (options->macs == NULL) |
@@ -1457,7 +1463,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1457 | if (!arg || *arg == '\0') | 1463 | if (!arg || *arg == '\0') |
1458 | fatal("%s line %d: Missing argument.", | 1464 | fatal("%s line %d: Missing argument.", |
1459 | filename, linenum); | 1465 | filename, linenum); |
1460 | if (!kex_names_valid(arg)) | 1466 | if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) |
1461 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", | 1467 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", |
1462 | filename, linenum, arg ? arg : "<NONE>"); | 1468 | filename, linenum, arg ? arg : "<NONE>"); |
1463 | if (options->kex_algorithms == NULL) | 1469 | if (options->kex_algorithms == NULL) |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh.c,v 1.419 2015/07/20 18:42:35 millert Exp $ */ | 1 | /* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -108,6 +108,7 @@ | |||
108 | #include "roaming.h" | 108 | #include "roaming.h" |
109 | #include "version.h" | 109 | #include "version.h" |
110 | #include "ssherr.h" | 110 | #include "ssherr.h" |
111 | #include "myproposal.h" | ||
111 | 112 | ||
112 | #ifdef ENABLE_PKCS11 | 113 | #ifdef ENABLE_PKCS11 |
113 | #include "ssh-pkcs11.h" | 114 | #include "ssh-pkcs11.h" |
@@ -794,26 +795,26 @@ main(int ac, char **av) | |||
794 | } | 795 | } |
795 | break; | 796 | break; |
796 | case 'c': | 797 | case 'c': |
797 | if (ciphers_valid(optarg)) { | 798 | if (ciphers_valid(*optarg == '+' ? |
799 | optarg + 1 : optarg)) { | ||
798 | /* SSH2 only */ | 800 | /* SSH2 only */ |
799 | options.ciphers = xstrdup(optarg); | 801 | options.ciphers = xstrdup(optarg); |
800 | options.cipher = SSH_CIPHER_INVALID; | 802 | options.cipher = SSH_CIPHER_INVALID; |
801 | } else { | 803 | break; |
802 | /* SSH1 only */ | 804 | } |
803 | options.cipher = cipher_number(optarg); | 805 | /* SSH1 only */ |
804 | if (options.cipher == -1) { | 806 | options.cipher = cipher_number(optarg); |
805 | fprintf(stderr, | 807 | if (options.cipher == -1) { |
806 | "Unknown cipher type '%s'\n", | 808 | fprintf(stderr, "Unknown cipher type '%s'\n", |
807 | optarg); | 809 | optarg); |
808 | exit(255); | 810 | exit(255); |
809 | } | ||
810 | if (options.cipher == SSH_CIPHER_3DES) | ||
811 | options.ciphers = "3des-cbc"; | ||
812 | else if (options.cipher == SSH_CIPHER_BLOWFISH) | ||
813 | options.ciphers = "blowfish-cbc"; | ||
814 | else | ||
815 | options.ciphers = (char *)-1; | ||
816 | } | 811 | } |
812 | if (options.cipher == SSH_CIPHER_3DES) | ||
813 | options.ciphers = xstrdup("3des-cbc"); | ||
814 | else if (options.cipher == SSH_CIPHER_BLOWFISH) | ||
815 | options.ciphers = xstrdup("blowfish-cbc"); | ||
816 | else | ||
817 | options.ciphers = xstrdup(KEX_CLIENT_ENCRYPT); | ||
817 | break; | 818 | break; |
818 | case 'm': | 819 | case 'm': |
819 | if (mac_valid(optarg)) | 820 | if (mac_valid(optarg)) |
diff --git a/ssh_config.5 b/ssh_config.5 index e51439849..5b0975f87 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh_config.5,v 1.213 2015/07/10 06:21:53 markus Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $ |
37 | .Dd $Mdocdate: July 10 2015 $ | 37 | .Dd $Mdocdate: July 30 2015 $ |
38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -373,6 +373,11 @@ The default is | |||
373 | Specifies the ciphers allowed for protocol version 2 | 373 | Specifies the ciphers allowed for protocol version 2 |
374 | in order of preference. | 374 | in order of preference. |
375 | Multiple ciphers must be comma-separated. | 375 | Multiple ciphers must be comma-separated. |
376 | If the specified value begins with a | ||
377 | .Sq + | ||
378 | character, then the specified ciphers will be appended to the default set | ||
379 | instead of replacing them. | ||
380 | .Pp | ||
376 | The supported ciphers are: | 381 | The supported ciphers are: |
377 | .Pp | 382 | .Pp |
378 | .Bl -item -compact -offset indent | 383 | .Bl -item -compact -offset indent |
@@ -781,6 +786,10 @@ is similar to | |||
781 | .It Cm HostbasedKeyTypes | 786 | .It Cm HostbasedKeyTypes |
782 | Specifies the key types that will be used for hostbased authentication | 787 | Specifies the key types that will be used for hostbased authentication |
783 | as a comma-separated pattern list. | 788 | as a comma-separated pattern list. |
789 | Alternately if the specified value begins with a | ||
790 | .Sq + | ||
791 | character, then the specified key types will be appended to the default set | ||
792 | instead of replacing them. | ||
784 | The default for this option is: | 793 | The default for this option is: |
785 | .Bd -literal -offset 3n | 794 | .Bd -literal -offset 3n |
786 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 795 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
@@ -800,6 +809,10 @@ may be used to list supported key types. | |||
800 | .It Cm HostKeyAlgorithms | 809 | .It Cm HostKeyAlgorithms |
801 | Specifies the protocol version 2 host key algorithms | 810 | Specifies the protocol version 2 host key algorithms |
802 | that the client wants to use in order of preference. | 811 | that the client wants to use in order of preference. |
812 | Alternately if the specified value begins with a | ||
813 | .Sq + | ||
814 | character, then the specified key types will be appended to the default set | ||
815 | instead of replacing them. | ||
803 | The default for this option is: | 816 | The default for this option is: |
804 | .Bd -literal -offset 3n | 817 | .Bd -literal -offset 3n |
805 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 818 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
@@ -981,6 +994,10 @@ and | |||
981 | .It Cm KexAlgorithms | 994 | .It Cm KexAlgorithms |
982 | Specifies the available KEX (Key Exchange) algorithms. | 995 | Specifies the available KEX (Key Exchange) algorithms. |
983 | Multiple algorithms must be comma-separated. | 996 | Multiple algorithms must be comma-separated. |
997 | Alternately if the specified value begins with a | ||
998 | .Sq + | ||
999 | character, then the specified methods will be appended to the default set | ||
1000 | instead of replacing them. | ||
984 | The default is: | 1001 | The default is: |
985 | .Bd -literal -offset indent | 1002 | .Bd -literal -offset indent |
986 | curve25519-sha256@libssh.org, | 1003 | curve25519-sha256@libssh.org, |
@@ -1069,10 +1086,16 @@ in order of preference. | |||
1069 | The MAC algorithm is used in protocol version 2 | 1086 | The MAC algorithm is used in protocol version 2 |
1070 | for data integrity protection. | 1087 | for data integrity protection. |
1071 | Multiple algorithms must be comma-separated. | 1088 | Multiple algorithms must be comma-separated. |
1089 | If the specified value begins with a | ||
1090 | .Sq + | ||
1091 | character, then the specified algorithms will be appended to the default set | ||
1092 | instead of replacing them. | ||
1093 | .Pp | ||
1072 | The algorithms that contain | 1094 | The algorithms that contain |
1073 | .Dq -etm | 1095 | .Dq -etm |
1074 | calculate the MAC after encryption (encrypt-then-mac). | 1096 | calculate the MAC after encryption (encrypt-then-mac). |
1075 | These are considered safer and their use recommended. | 1097 | These are considered safer and their use recommended. |
1098 | .Pp | ||
1076 | The default is: | 1099 | The default is: |
1077 | .Bd -literal -offset indent | 1100 | .Bd -literal -offset indent |
1078 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | 1101 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
@@ -1216,6 +1239,10 @@ The default is | |||
1216 | .It Cm PubkeyAcceptedKeyTypes | 1239 | .It Cm PubkeyAcceptedKeyTypes |
1217 | Specifies the key types that will be used for public key authentication | 1240 | Specifies the key types that will be used for public key authentication |
1218 | as a comma-separated pattern list. | 1241 | as a comma-separated pattern list. |
1242 | Alternately if the specified value begins with a | ||
1243 | .Sq + | ||
1244 | character, then the key types after it will be appended to the default | ||
1245 | instead of replacing it. | ||
1219 | The default for this option is: | 1246 | The default for this option is: |
1220 | .Bd -literal -offset 3n | 1247 | .Bd -literal -offset 3n |
1221 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 1248 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
diff --git a/sshconnect2.c b/sshconnect2.c index 34dbf9a77..775103185 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.225 2015/07/10 06:21:53 markus Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -163,18 +163,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
163 | xxx_host = host; | 163 | xxx_host = host; |
164 | xxx_hostaddr = hostaddr; | 164 | xxx_hostaddr = hostaddr; |
165 | 165 | ||
166 | if (options.ciphers == (char *)-1) { | 166 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
167 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 167 | options.kex_algorithms); |
168 | options.ciphers = NULL; | ||
169 | } | ||
170 | if (options.ciphers != NULL) { | ||
171 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
172 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | ||
173 | } | ||
174 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | 168 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
175 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); | 169 | compat_cipher_proposal(options.ciphers); |
176 | myproposal[PROPOSAL_ENC_ALGS_STOC] = | 170 | myproposal[PROPOSAL_ENC_ALGS_STOC] = |
177 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); | 171 | compat_cipher_proposal(options.ciphers); |
178 | if (options.compression) { | 172 | if (options.compression) { |
179 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 173 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
180 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; | 174 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; |
@@ -182,14 +176,15 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
182 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 176 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
183 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; | 177 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; |
184 | } | 178 | } |
185 | if (options.macs != NULL) { | 179 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
186 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | 180 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; |
187 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; | 181 | if (options.hostkeyalgorithms != NULL) { |
188 | } | 182 | if (kex_assemble_names(KEX_DEFAULT_PK_ALG, |
189 | if (options.hostkeyalgorithms != NULL) | 183 | &options.hostkeyalgorithms) != 0) |
184 | fatal("%s: kex_assemble_namelist", __func__); | ||
190 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 185 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
191 | compat_pkalg_proposal(options.hostkeyalgorithms); | 186 | compat_pkalg_proposal(options.hostkeyalgorithms); |
192 | else { | 187 | } else { |
193 | /* Enforce default */ | 188 | /* Enforce default */ |
194 | options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | 189 | options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); |
195 | /* Prefer algorithms that we already have keys for */ | 190 | /* Prefer algorithms that we already have keys for */ |
@@ -197,10 +192,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
197 | compat_pkalg_proposal( | 192 | compat_pkalg_proposal( |
198 | order_hostkeyalgs(host, hostaddr, port)); | 193 | order_hostkeyalgs(host, hostaddr, port)); |
199 | } | 194 | } |
200 | if (options.kex_algorithms != NULL) | ||
201 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
202 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
203 | myproposal[PROPOSAL_KEX_ALGS]); | ||
204 | 195 | ||
205 | if (options.rekey_limit || options.rekey_interval) | 196 | if (options.rekey_limit || options.rekey_interval) |
206 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 197 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.456 2015/07/17 02:47:45 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -2539,19 +2539,15 @@ do_ssh2_kex(void) | |||
2539 | struct kex *kex; | 2539 | struct kex *kex; |
2540 | int r; | 2540 | int r; |
2541 | 2541 | ||
2542 | if (options.ciphers != NULL) { | 2542 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
2543 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | 2543 | options.kex_algorithms); |
2544 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | 2544 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( |
2545 | } | 2545 | options.ciphers); |
2546 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | 2546 | myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal( |
2547 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); | 2547 | options.ciphers); |
2548 | myproposal[PROPOSAL_ENC_ALGS_STOC] = | 2548 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
2549 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); | 2549 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; |
2550 | 2550 | ||
2551 | if (options.macs != NULL) { | ||
2552 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | ||
2553 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; | ||
2554 | } | ||
2555 | if (options.compression == COMP_NONE) { | 2551 | if (options.compression == COMP_NONE) { |
2556 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 2552 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
2557 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; | 2553 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; |
@@ -2559,11 +2555,6 @@ do_ssh2_kex(void) | |||
2559 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 2555 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
2560 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; | 2556 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; |
2561 | } | 2557 | } |
2562 | if (options.kex_algorithms != NULL) | ||
2563 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
2564 | |||
2565 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
2566 | myproposal[PROPOSAL_KEX_ALGS]); | ||
2567 | 2558 | ||
2568 | if (options.rekey_limit || options.rekey_interval) | 2559 | if (options.rekey_limit || options.rekey_interval) |
2569 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2560 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
diff --git a/sshd_config.5 b/sshd_config.5 index 0614531c5..2808576a9 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.207 2015/07/20 00:30:01 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.208 2015/07/30 00:01:34 djm Exp $ |
37 | .Dd $Mdocdate: July 20 2015 $ | 37 | .Dd $Mdocdate: July 30 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -434,6 +434,11 @@ The default is not to | |||
434 | .It Cm Ciphers | 434 | .It Cm Ciphers |
435 | Specifies the ciphers allowed for protocol version 2. | 435 | Specifies the ciphers allowed for protocol version 2. |
436 | Multiple ciphers must be comma-separated. | 436 | Multiple ciphers must be comma-separated. |
437 | If the specified value begins with a | ||
438 | .Sq + | ||
439 | character, then the specified ciphers will be appended to the default set | ||
440 | instead of replacing them. | ||
441 | .Pp | ||
437 | The supported ciphers are: | 442 | The supported ciphers are: |
438 | .Pp | 443 | .Pp |
439 | .Bl -item -compact -offset indent | 444 | .Bl -item -compact -offset indent |
@@ -640,6 +645,10 @@ The default is | |||
640 | .It Cm HostbasedAcceptedKeyTypes | 645 | .It Cm HostbasedAcceptedKeyTypes |
641 | Specifies the key types that will be accepted for hostbased authentication | 646 | Specifies the key types that will be accepted for hostbased authentication |
642 | as a comma-separated pattern list. | 647 | as a comma-separated pattern list. |
648 | Alternately if the specified value begins with a | ||
649 | .Sq + | ||
650 | character, then the specified key types will be appended to the default set | ||
651 | instead of replacing them. | ||
643 | The default for this option is: | 652 | The default for this option is: |
644 | .Bd -literal -offset 3n | 653 | .Bd -literal -offset 3n |
645 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 654 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
@@ -855,6 +864,10 @@ The default is | |||
855 | .It Cm KexAlgorithms | 864 | .It Cm KexAlgorithms |
856 | Specifies the available KEX (Key Exchange) algorithms. | 865 | Specifies the available KEX (Key Exchange) algorithms. |
857 | Multiple algorithms must be comma-separated. | 866 | Multiple algorithms must be comma-separated. |
867 | Alternately if the specified value begins with a | ||
868 | .Sq + | ||
869 | character, then the specified methods will be appended to the default set | ||
870 | instead of replacing them. | ||
858 | The supported algorithms are: | 871 | The supported algorithms are: |
859 | .Pp | 872 | .Pp |
860 | .Bl -item -compact -offset indent | 873 | .Bl -item -compact -offset indent |
@@ -953,6 +966,11 @@ Specifies the available MAC (message authentication code) algorithms. | |||
953 | The MAC algorithm is used in protocol version 2 | 966 | The MAC algorithm is used in protocol version 2 |
954 | for data integrity protection. | 967 | for data integrity protection. |
955 | Multiple algorithms must be comma-separated. | 968 | Multiple algorithms must be comma-separated. |
969 | If the specified value begins with a | ||
970 | .Sq + | ||
971 | character, then the specified algorithms will be appended to the default set | ||
972 | instead of replacing them. | ||
973 | .Pp | ||
956 | The algorithms that contain | 974 | The algorithms that contain |
957 | .Dq -etm | 975 | .Dq -etm |
958 | calculate the MAC after encryption (encrypt-then-mac). | 976 | calculate the MAC after encryption (encrypt-then-mac). |
@@ -1313,6 +1331,10 @@ is identical to | |||
1313 | .It Cm PubkeyAcceptedKeyTypes | 1331 | .It Cm PubkeyAcceptedKeyTypes |
1314 | Specifies the key types that will be accepted for public key authentication | 1332 | Specifies the key types that will be accepted for public key authentication |
1315 | as a comma-separated pattern list. | 1333 | as a comma-separated pattern list. |
1334 | Alternately if the specified value begins with a | ||
1335 | .Sq + | ||
1336 | character, then the specified key types will be appended to the default set | ||
1337 | instead of replacing them. | ||
1316 | The default for this option is: | 1338 | The default for this option is: |
1317 | .Bd -literal -offset 3n | 1339 | .Bd -literal -offset 3n |
1318 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 1340 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |