Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 160 |
1 files changed, 122 insertions, 38 deletions
diff --git a/readconf.c b/readconf.c index 9812b8d98..1b9494d7c 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.326 2020/02/06 22:46:31 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,9 +35,9 @@ | |||
35 | #endif | 35 | #endif |
36 | #include <pwd.h> | 36 | #include <pwd.h> |
37 | #include <signal.h> | 37 | #include <signal.h> |
38 | #include <stdarg.h> | ||
39 | #include <stdio.h> | 38 | #include <stdio.h> |
40 | #include <string.h> | 39 | #include <string.h> |
40 | #include <stdarg.h> | ||
41 | #include <unistd.h> | 41 | #include <unistd.h> |
42 | #ifdef USE_SYSTEM_GLOB | 42 | #ifdef USE_SYSTEM_GLOB |
43 | # include <glob.h> | 43 | # include <glob.h> |
@@ -122,8 +122,6 @@ | |||
122 | ForwardAgent no | 122 | ForwardAgent no |
123 | ForwardX11 no | 123 | ForwardX11 no |
124 | PasswordAuthentication yes | 124 | PasswordAuthentication yes |
125 | RSAAuthentication yes | ||
126 | RhostsRSAAuthentication yes | ||
127 | StrictHostKeyChecking yes | 125 | StrictHostKeyChecking yes |
128 | TcpKeepAlive no | 126 | TcpKeepAlive no |
129 | IdentityFile ~/.ssh/identity | 127 | IdentityFile ~/.ssh/identity |
@@ -147,15 +145,15 @@ typedef enum { | |||
147 | oHost, oMatch, oInclude, | 145 | oHost, oMatch, oInclude, |
148 | oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, | 146 | oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, |
149 | oGatewayPorts, oExitOnForwardFailure, | 147 | oGatewayPorts, oExitOnForwardFailure, |
150 | oPasswordAuthentication, oRSAAuthentication, | 148 | oPasswordAuthentication, |
151 | oChallengeResponseAuthentication, oXAuthLocation, | 149 | oChallengeResponseAuthentication, oXAuthLocation, |
152 | oIdentityFile, oHostname, oPort, oCipher, oRemoteForward, oLocalForward, | 150 | oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward, |
153 | oCertificateFile, oAddKeysToAgent, oIdentityAgent, | 151 | oCertificateFile, oAddKeysToAgent, oIdentityAgent, |
154 | oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, | 152 | oUser, oEscapeChar, oProxyCommand, |
155 | oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, | 153 | oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, |
156 | oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, | 154 | oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, |
157 | oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, | 155 | oTCPKeepAlive, oNumberOfPasswordPrompts, |
158 | oUsePrivilegedPort, oLogFacility, oLogLevel, oCiphers, oMacs, | 156 | oLogFacility, oLogLevel, oCiphers, oMacs, |
159 | oPubkeyAuthentication, | 157 | oPubkeyAuthentication, |
160 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | 158 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, |
161 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | 159 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, |
@@ -177,6 +175,7 @@ typedef enum { | |||
177 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, | 175 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
178 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | 176 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
179 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, | 177 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, |
178 | oSecurityKeyProvider, | ||
180 | oProtocolKeepAlives, oSetupTimeOut, | 179 | oProtocolKeepAlives, oSetupTimeOut, |
181 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported | 180 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported |
182 | } OpCodes; | 181 | } OpCodes; |
@@ -203,6 +202,9 @@ static struct { | |||
203 | { "afstokenpassing", oUnsupported }, | 202 | { "afstokenpassing", oUnsupported }, |
204 | { "kerberosauthentication", oUnsupported }, | 203 | { "kerberosauthentication", oUnsupported }, |
205 | { "kerberostgtpassing", oUnsupported }, | 204 | { "kerberostgtpassing", oUnsupported }, |
205 | { "rsaauthentication", oUnsupported }, | ||
206 | { "rhostsrsaauthentication", oUnsupported }, | ||
207 | { "compressionlevel", oUnsupported }, | ||
206 | 208 | ||
207 | /* Sometimes-unsupported options */ | 209 | /* Sometimes-unsupported options */ |
208 | #if defined(GSSAPI) | 210 | #if defined(GSSAPI) |
@@ -231,9 +233,6 @@ static struct { | |||
231 | { "smartcarddevice", oUnsupported }, | 233 | { "smartcarddevice", oUnsupported }, |
232 | { "pkcs11provider", oUnsupported }, | 234 | { "pkcs11provider", oUnsupported }, |
233 | #endif | 235 | #endif |
234 | { "rsaauthentication", oUnsupported }, | ||
235 | { "rhostsrsaauthentication", oUnsupported }, | ||
236 | { "compressionlevel", oUnsupported }, | ||
237 | 236 | ||
238 | { "forwardagent", oForwardAgent }, | 237 | { "forwardagent", oForwardAgent }, |
239 | { "forwardx11", oForwardX11 }, | 238 | { "forwardx11", oForwardX11 }, |
@@ -327,12 +326,23 @@ static struct { | |||
327 | { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, | 326 | { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, |
328 | { "ignoreunknown", oIgnoreUnknown }, | 327 | { "ignoreunknown", oIgnoreUnknown }, |
329 | { "proxyjump", oProxyJump }, | 328 | { "proxyjump", oProxyJump }, |
329 | { "securitykeyprovider", oSecurityKeyProvider }, | ||
330 | { "protocolkeepalives", oProtocolKeepAlives }, | 330 | { "protocolkeepalives", oProtocolKeepAlives }, |
331 | { "setuptimeout", oSetupTimeOut }, | 331 | { "setuptimeout", oSetupTimeOut }, |
332 | 332 | ||
333 | { NULL, oBadOption } | 333 | { NULL, oBadOption } |
334 | }; | 334 | }; |
335 | 335 | ||
336 | static char *kex_default_pk_alg_filtered; | ||
337 | |||
338 | const char * | ||
339 | kex_default_pk_alg(void) | ||
340 | { | ||
341 | if (kex_default_pk_alg_filtered == NULL) | ||
342 | fatal("kex_default_pk_alg not initialized."); | ||
343 | return kex_default_pk_alg_filtered; | ||
344 | } | ||
345 | |||
336 | /* | 346 | /* |
337 | * Adds a local TCP/IP port forward to options. Never returns if there is an | 347 | * Adds a local TCP/IP port forward to options. Never returns if there is an |
338 | * error. | 348 | * error. |
@@ -537,7 +547,7 @@ execute_in_shell(const char *cmd) | |||
537 | execv(argv[0], argv); | 547 | execv(argv[0], argv); |
538 | error("Unable to execute '%.100s': %s", cmd, strerror(errno)); | 548 | error("Unable to execute '%.100s': %s", cmd, strerror(errno)); |
539 | /* Die with signal to make this error apparent to parent. */ | 549 | /* Die with signal to make this error apparent to parent. */ |
540 | signal(SIGTERM, SIG_DFL); | 550 | ssh_signal(SIGTERM, SIG_DFL); |
541 | kill(getpid(), SIGTERM); | 551 | kill(getpid(), SIGTERM); |
542 | _exit(1); | 552 | _exit(1); |
543 | } | 553 | } |
@@ -846,6 +856,13 @@ static const struct multistate multistate_canonicalizehostname[] = { | |||
846 | { "always", SSH_CANONICALISE_ALWAYS }, | 856 | { "always", SSH_CANONICALISE_ALWAYS }, |
847 | { NULL, -1 } | 857 | { NULL, -1 } |
848 | }; | 858 | }; |
859 | static const struct multistate multistate_compression[] = { | ||
860 | #ifdef WITH_ZLIB | ||
861 | { "yes", COMP_ZLIB }, | ||
862 | #endif | ||
863 | { "no", COMP_NONE }, | ||
864 | { NULL, -1 } | ||
865 | }; | ||
849 | 866 | ||
850 | /* | 867 | /* |
851 | * Processes a single option line as used in the configuration files. This | 868 | * Processes a single option line as used in the configuration files. This |
@@ -938,6 +955,34 @@ parse_time: | |||
938 | 955 | ||
939 | case oForwardAgent: | 956 | case oForwardAgent: |
940 | intptr = &options->forward_agent; | 957 | intptr = &options->forward_agent; |
958 | |||
959 | arg = strdelim(&s); | ||
960 | if (!arg || *arg == '\0') | ||
961 | fatal("%s line %d: missing argument.", | ||
962 | filename, linenum); | ||
963 | |||
964 | value = -1; | ||
965 | multistate_ptr = multistate_flag; | ||
966 | for (i = 0; multistate_ptr[i].key != NULL; i++) { | ||
967 | if (strcasecmp(arg, multistate_ptr[i].key) == 0) { | ||
968 | value = multistate_ptr[i].value; | ||
969 | break; | ||
970 | } | ||
971 | } | ||
972 | if (value != -1) { | ||
973 | if (*activep && *intptr == -1) | ||
974 | *intptr = value; | ||
975 | break; | ||
976 | } | ||
977 | /* ForwardAgent wasn't 'yes' or 'no', assume a path */ | ||
978 | if (*activep && *intptr == -1) | ||
979 | *intptr = 1; | ||
980 | |||
981 | charptr = &options->forward_agent_sock_path; | ||
982 | goto parse_agent_path; | ||
983 | |||
984 | case oForwardX11: | ||
985 | intptr = &options->forward_x11; | ||
941 | parse_flag: | 986 | parse_flag: |
942 | multistate_ptr = multistate_flag; | 987 | multistate_ptr = multistate_flag; |
943 | parse_multistate: | 988 | parse_multistate: |
@@ -959,10 +1004,6 @@ parse_time: | |||
959 | *intptr = value; | 1004 | *intptr = value; |
960 | break; | 1005 | break; |
961 | 1006 | ||
962 | case oForwardX11: | ||
963 | intptr = &options->forward_x11; | ||
964 | goto parse_flag; | ||
965 | |||
966 | case oForwardX11Trusted: | 1007 | case oForwardX11Trusted: |
967 | intptr = &options->forward_x11_trusted; | 1008 | intptr = &options->forward_x11_trusted; |
968 | goto parse_flag; | 1009 | goto parse_flag; |
@@ -1063,7 +1104,8 @@ parse_time: | |||
1063 | 1104 | ||
1064 | case oCompression: | 1105 | case oCompression: |
1065 | intptr = &options->compression; | 1106 | intptr = &options->compression; |
1066 | goto parse_flag; | 1107 | multistate_ptr = multistate_compression; |
1108 | goto parse_multistate; | ||
1067 | 1109 | ||
1068 | case oTCPKeepAlive: | 1110 | case oTCPKeepAlive: |
1069 | intptr = &options->tcp_keep_alive; | 1111 | intptr = &options->tcp_keep_alive; |
@@ -1197,6 +1239,10 @@ parse_char_array: | |||
1197 | charptr = &options->pkcs11_provider; | 1239 | charptr = &options->pkcs11_provider; |
1198 | goto parse_string; | 1240 | goto parse_string; |
1199 | 1241 | ||
1242 | case oSecurityKeyProvider: | ||
1243 | charptr = &options->sk_provider; | ||
1244 | goto parse_string; | ||
1245 | |||
1200 | case oProxyCommand: | 1246 | case oProxyCommand: |
1201 | charptr = &options->proxy_command; | 1247 | charptr = &options->proxy_command; |
1202 | /* Ignore ProxyCommand if ProxyJump already specified */ | 1248 | /* Ignore ProxyCommand if ProxyJump already specified */ |
@@ -1606,12 +1652,12 @@ parse_keytypes: | |||
1606 | "files",filename, linenum, arg2); | 1652 | "files",filename, linenum, arg2); |
1607 | free(arg2); | 1653 | free(arg2); |
1608 | continue; | 1654 | continue; |
1609 | } else if (r != 0 || gl.gl_pathc < 0) | 1655 | } else if (r != 0) |
1610 | fatal("%.200s line %d: glob failed for %s.", | 1656 | fatal("%.200s line %d: glob failed for %s.", |
1611 | filename, linenum, arg2); | 1657 | filename, linenum, arg2); |
1612 | free(arg2); | 1658 | free(arg2); |
1613 | oactive = *activep; | 1659 | oactive = *activep; |
1614 | for (i = 0; i < (u_int)gl.gl_pathc; i++) { | 1660 | for (i = 0; i < gl.gl_pathc; i++) { |
1615 | debug3("%.200s line %d: Including file %s " | 1661 | debug3("%.200s line %d: Including file %s " |
1616 | "depth %d%s", filename, linenum, | 1662 | "depth %d%s", filename, linenum, |
1617 | gl.gl_pathv[i], depth, | 1663 | gl.gl_pathv[i], depth, |
@@ -1785,6 +1831,7 @@ parse_keytypes: | |||
1785 | if (!arg || *arg == '\0') | 1831 | if (!arg || *arg == '\0') |
1786 | fatal("%.200s line %d: Missing argument.", | 1832 | fatal("%.200s line %d: Missing argument.", |
1787 | filename, linenum); | 1833 | filename, linenum); |
1834 | parse_agent_path: | ||
1788 | /* Extra validation if the string represents an env var. */ | 1835 | /* Extra validation if the string represents an env var. */ |
1789 | if (arg[0] == '$' && !valid_env_name(arg + 1)) { | 1836 | if (arg[0] == '$' && !valid_env_name(arg + 1)) { |
1790 | fatal("%.200s line %d: Invalid environment name %s.", | 1837 | fatal("%.200s line %d: Invalid environment name %s.", |
@@ -1901,6 +1948,7 @@ initialize_options(Options * options) | |||
1901 | { | 1948 | { |
1902 | memset(options, 'X', sizeof(*options)); | 1949 | memset(options, 'X', sizeof(*options)); |
1903 | options->forward_agent = -1; | 1950 | options->forward_agent = -1; |
1951 | options->forward_agent_sock_path = NULL; | ||
1904 | options->forward_x11 = -1; | 1952 | options->forward_x11 = -1; |
1905 | options->forward_x11_trusted = -1; | 1953 | options->forward_x11_trusted = -1; |
1906 | options->forward_x11_timeout = -1; | 1954 | options->forward_x11_timeout = -1; |
@@ -1964,6 +2012,7 @@ initialize_options(Options * options) | |||
1964 | options->bind_address = NULL; | 2012 | options->bind_address = NULL; |
1965 | options->bind_interface = NULL; | 2013 | options->bind_interface = NULL; |
1966 | options->pkcs11_provider = NULL; | 2014 | options->pkcs11_provider = NULL; |
2015 | options->sk_provider = NULL; | ||
1967 | options->enable_ssh_keysign = - 1; | 2016 | options->enable_ssh_keysign = - 1; |
1968 | options->no_host_authentication_for_localhost = - 1; | 2017 | options->no_host_authentication_for_localhost = - 1; |
1969 | options->identities_only = - 1; | 2018 | options->identities_only = - 1; |
@@ -2030,6 +2079,7 @@ void | |||
2030 | fill_default_options(Options * options) | 2079 | fill_default_options(Options * options) |
2031 | { | 2080 | { |
2032 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; | 2081 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; |
2082 | char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig; | ||
2033 | int r; | 2083 | int r; |
2034 | 2084 | ||
2035 | if (options->forward_agent == -1) | 2085 | if (options->forward_agent == -1) |
@@ -2111,9 +2161,13 @@ fill_default_options(Options * options) | |||
2111 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); | 2161 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); |
2112 | #ifdef OPENSSL_HAS_ECC | 2162 | #ifdef OPENSSL_HAS_ECC |
2113 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); | 2163 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); |
2164 | add_identity_file(options, "~/", | ||
2165 | _PATH_SSH_CLIENT_ID_ECDSA_SK, 0); | ||
2114 | #endif | 2166 | #endif |
2115 | add_identity_file(options, "~/", | 2167 | add_identity_file(options, "~/", |
2116 | _PATH_SSH_CLIENT_ID_ED25519, 0); | 2168 | _PATH_SSH_CLIENT_ID_ED25519, 0); |
2169 | add_identity_file(options, "~/", | ||
2170 | _PATH_SSH_CLIENT_ID_ED25519_SK, 0); | ||
2117 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0); | 2171 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0); |
2118 | } | 2172 | } |
2119 | if (options->escape_char == -1) | 2173 | if (options->escape_char == -1) |
@@ -2124,6 +2178,8 @@ fill_default_options(Options * options) | |||
2124 | options->system_hostfiles[options->num_system_hostfiles++] = | 2178 | options->system_hostfiles[options->num_system_hostfiles++] = |
2125 | xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); | 2179 | xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); |
2126 | } | 2180 | } |
2181 | if (options->update_hostkeys == -1) | ||
2182 | options->update_hostkeys = SSH_UPDATE_HOSTKEYS_NO; | ||
2127 | if (options->num_user_hostfiles == 0) { | 2183 | if (options->num_user_hostfiles == 0) { |
2128 | options->user_hostfiles[options->num_user_hostfiles++] = | 2184 | options->user_hostfiles[options->num_user_hostfiles++] = |
2129 | xstrdup(_PATH_SSH_USER_HOSTFILE); | 2185 | xstrdup(_PATH_SSH_USER_HOSTFILE); |
@@ -2189,8 +2245,13 @@ fill_default_options(Options * options) | |||
2189 | options->canonicalize_hostname = SSH_CANONICALISE_NO; | 2245 | options->canonicalize_hostname = SSH_CANONICALISE_NO; |
2190 | if (options->fingerprint_hash == -1) | 2246 | if (options->fingerprint_hash == -1) |
2191 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 2247 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
2192 | if (options->update_hostkeys == -1) | 2248 | #ifdef ENABLE_SK_INTERNAL |
2193 | options->update_hostkeys = 0; | 2249 | if (options->sk_provider == NULL) |
2250 | options->sk_provider = xstrdup("internal"); | ||
2251 | #else | ||
2252 | if (options->sk_provider == NULL) | ||
2253 | options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); | ||
2254 | #endif | ||
2194 | 2255 | ||
2195 | /* Expand KEX name lists */ | 2256 | /* Expand KEX name lists */ |
2196 | all_cipher = cipher_alg_list(',', 0); | 2257 | all_cipher = cipher_alg_list(',', 0); |
@@ -2198,24 +2259,35 @@ fill_default_options(Options * options) | |||
2198 | all_kex = kex_alg_list(','); | 2259 | all_kex = kex_alg_list(','); |
2199 | all_key = sshkey_alg_list(0, 0, 1, ','); | 2260 | all_key = sshkey_alg_list(0, 0, 1, ','); |
2200 | all_sig = sshkey_alg_list(0, 1, 1, ','); | 2261 | all_sig = sshkey_alg_list(0, 1, 1, ','); |
2262 | /* remove unsupported algos from default lists */ | ||
2263 | def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); | ||
2264 | def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); | ||
2265 | def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); | ||
2266 | def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); | ||
2267 | def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); | ||
2201 | #define ASSEMBLE(what, defaults, all) \ | 2268 | #define ASSEMBLE(what, defaults, all) \ |
2202 | do { \ | 2269 | do { \ |
2203 | if ((r = kex_assemble_names(&options->what, \ | 2270 | if ((r = kex_assemble_names(&options->what, \ |
2204 | defaults, all)) != 0) \ | 2271 | defaults, all)) != 0) \ |
2205 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ | 2272 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |
2206 | } while (0) | 2273 | } while (0) |
2207 | ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher); | 2274 | ASSEMBLE(ciphers, def_cipher, all_cipher); |
2208 | ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); | 2275 | ASSEMBLE(macs, def_mac, all_mac); |
2209 | ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); | 2276 | ASSEMBLE(kex_algorithms, def_kex, all_kex); |
2210 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2277 | ASSEMBLE(hostbased_key_types, def_key, all_key); |
2211 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2278 | ASSEMBLE(pubkey_key_types, def_key, all_key); |
2212 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 2279 | ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); |
2213 | #undef ASSEMBLE | 2280 | #undef ASSEMBLE |
2214 | free(all_cipher); | 2281 | free(all_cipher); |
2215 | free(all_mac); | 2282 | free(all_mac); |
2216 | free(all_kex); | 2283 | free(all_kex); |
2217 | free(all_key); | 2284 | free(all_key); |
2218 | free(all_sig); | 2285 | free(all_sig); |
2286 | free(def_cipher); | ||
2287 | free(def_mac); | ||
2288 | free(def_kex); | ||
2289 | kex_default_pk_alg_filtered = def_key; /* save for later use */ | ||
2290 | free(def_sig); | ||
2219 | 2291 | ||
2220 | #define CLEAR_ON_NONE(v) \ | 2292 | #define CLEAR_ON_NONE(v) \ |
2221 | do { \ | 2293 | do { \ |
@@ -2230,6 +2302,7 @@ fill_default_options(Options * options) | |||
2230 | CLEAR_ON_NONE(options->control_path); | 2302 | CLEAR_ON_NONE(options->control_path); |
2231 | CLEAR_ON_NONE(options->revoked_host_keys); | 2303 | CLEAR_ON_NONE(options->revoked_host_keys); |
2232 | CLEAR_ON_NONE(options->pkcs11_provider); | 2304 | CLEAR_ON_NONE(options->pkcs11_provider); |
2305 | CLEAR_ON_NONE(options->sk_provider); | ||
2233 | if (options->jump_host != NULL && | 2306 | if (options->jump_host != NULL && |
2234 | strcmp(options->jump_host, "none") == 0 && | 2307 | strcmp(options->jump_host, "none") == 0 && |
2235 | options->jump_port == 0 && options->jump_user == NULL) { | 2308 | options->jump_port == 0 && options->jump_user == NULL) { |
@@ -2663,14 +2736,19 @@ dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds) | |||
2663 | void | 2736 | void |
2664 | dump_client_config(Options *o, const char *host) | 2737 | dump_client_config(Options *o, const char *host) |
2665 | { | 2738 | { |
2666 | int i; | 2739 | int i, r; |
2667 | char buf[8], *all_key; | 2740 | char buf[8], *all_key; |
2668 | 2741 | ||
2669 | /* This is normally prepared in ssh_kex2 */ | 2742 | /* |
2743 | * Expand HostKeyAlgorithms name lists. This isn't handled in | ||
2744 | * fill_default_options() like the other algorithm lists because | ||
2745 | * the host key algorithms are by default dynamically chosen based | ||
2746 | * on the host's keys found in known_hosts. | ||
2747 | */ | ||
2670 | all_key = sshkey_alg_list(0, 0, 1, ','); | 2748 | all_key = sshkey_alg_list(0, 0, 1, ','); |
2671 | if (kex_assemble_names( &o->hostkeyalgorithms, | 2749 | if ((r = kex_assemble_names(&o->hostkeyalgorithms, kex_default_pk_alg(), |
2672 | KEX_DEFAULT_PK_ALG, all_key) != 0) | 2750 | all_key)) != 0) |
2673 | fatal("%s: kex_assemble_names failed", __func__); | 2751 | fatal("%s: expand HostKeyAlgorithms: %s", __func__, ssh_err(r)); |
2674 | free(all_key); | 2752 | free(all_key); |
2675 | 2753 | ||
2676 | /* Most interesting options first: user, host, port */ | 2754 | /* Most interesting options first: user, host, port */ |
@@ -2692,7 +2770,6 @@ dump_client_config(Options *o, const char *host) | |||
2692 | dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings); | 2770 | dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings); |
2693 | dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); | 2771 | dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); |
2694 | dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash); | 2772 | dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash); |
2695 | dump_cfg_fmtint(oForwardAgent, o->forward_agent); | ||
2696 | dump_cfg_fmtint(oForwardX11, o->forward_x11); | 2773 | dump_cfg_fmtint(oForwardX11, o->forward_x11); |
2697 | dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted); | 2774 | dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted); |
2698 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); | 2775 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); |
@@ -2736,7 +2813,7 @@ dump_client_config(Options *o, const char *host) | |||
2736 | /* String options */ | 2813 | /* String options */ |
2737 | dump_cfg_string(oBindAddress, o->bind_address); | 2814 | dump_cfg_string(oBindAddress, o->bind_address); |
2738 | dump_cfg_string(oBindInterface, o->bind_interface); | 2815 | dump_cfg_string(oBindInterface, o->bind_interface); |
2739 | dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT); | 2816 | dump_cfg_string(oCiphers, o->ciphers); |
2740 | dump_cfg_string(oControlPath, o->control_path); | 2817 | dump_cfg_string(oControlPath, o->control_path); |
2741 | dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); | 2818 | dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); |
2742 | dump_cfg_string(oHostKeyAlias, o->host_key_alias); | 2819 | dump_cfg_string(oHostKeyAlias, o->host_key_alias); |
@@ -2744,15 +2821,16 @@ dump_client_config(Options *o, const char *host) | |||
2744 | dump_cfg_string(oIdentityAgent, o->identity_agent); | 2821 | dump_cfg_string(oIdentityAgent, o->identity_agent); |
2745 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); | 2822 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); |
2746 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); | 2823 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); |
2747 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); | 2824 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms); |
2748 | dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); | 2825 | dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms); |
2749 | dump_cfg_string(oLocalCommand, o->local_command); | 2826 | dump_cfg_string(oLocalCommand, o->local_command); |
2750 | dump_cfg_string(oRemoteCommand, o->remote_command); | 2827 | dump_cfg_string(oRemoteCommand, o->remote_command); |
2751 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); | 2828 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); |
2752 | dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC); | 2829 | dump_cfg_string(oMacs, o->macs); |
2753 | #ifdef ENABLE_PKCS11 | 2830 | #ifdef ENABLE_PKCS11 |
2754 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); | 2831 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); |
2755 | #endif | 2832 | #endif |
2833 | dump_cfg_string(oSecurityKeyProvider, o->sk_provider); | ||
2756 | dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); | 2834 | dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); |
2757 | dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); | 2835 | dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); |
2758 | dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); | 2836 | dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); |
@@ -2774,6 +2852,12 @@ dump_client_config(Options *o, const char *host) | |||
2774 | 2852 | ||
2775 | /* Special cases */ | 2853 | /* Special cases */ |
2776 | 2854 | ||
2855 | /* oForwardAgent */ | ||
2856 | if (o->forward_agent_sock_path == NULL) | ||
2857 | dump_cfg_fmtint(oForwardAgent, o->forward_agent); | ||
2858 | else | ||
2859 | dump_cfg_string(oForwardAgent, o->forward_agent_sock_path); | ||
2860 | |||
2777 | /* oConnectTimeout */ | 2861 | /* oConnectTimeout */ |
2778 | if (o->connection_timeout == -1) | 2862 | if (o->connection_timeout == -1) |
2779 | printf("connecttimeout none\n"); | 2863 | printf("connecttimeout none\n"); |
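Review bot: The path fallback in the oForwardAgent case (hunk @@ -938,6 +955,34 @@) accepts any token that is not `yes`/`no` as a socket path: after `/* ForwardAgent wasn't 'yes' or 'no', assume a path */` the code sets `*intptr = 1` and jumps to `parse_agent_path`, where the only validation visible in this diff is the environment-name check for `$`-prefixed values, so a typo such as `ForwardAgent ye` now silently enables agent forwarding where the old `goto parse_flag` route would presumably have rejected it as an unsupported value. A minimal guard before `charptr = &options->forward_agent_sock_path;` would be `if (*arg != '/' && *arg != '~' && *arg != '$')` followed by `fatal("%.200s line %d: unsupported option \"%s\".", filename, linenum, arg);`, which keeps absolute, home-relative and environment-variable forms while restoring the error for anything else. The new `fatal("%s line %d: missing argument.", ...)` in the same case also differs from the file's existing `"%.200s line %d: Missing argument."` form visible in the parse_agent_path hunk; matching it would keep error output consistent. The enclosing switch of the option parser starts and ends outside the hunk.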