Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 160 |
1 files changed, 122 insertions, 38 deletions
diff --git a/readconf.c b/readconf.c index f78b4d6fe..f3cac6b3a 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.326 2020/02/06 22:46:31 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,9 +35,9 @@ | |||
35 | #endif | 35 | #endif |
36 | #include <pwd.h> | 36 | #include <pwd.h> |
37 | #include <signal.h> | 37 | #include <signal.h> |
38 | #include <stdarg.h> | ||
39 | #include <stdio.h> | 38 | #include <stdio.h> |
40 | #include <string.h> | 39 | #include <string.h> |
40 | #include <stdarg.h> | ||
41 | #include <unistd.h> | 41 | #include <unistd.h> |
42 | #ifdef USE_SYSTEM_GLOB | 42 | #ifdef USE_SYSTEM_GLOB |
43 | # include <glob.h> | 43 | # include <glob.h> |
@@ -121,8 +121,6 @@ | |||
121 | ForwardAgent no | 121 | ForwardAgent no |
122 | ForwardX11 no | 122 | ForwardX11 no |
123 | PasswordAuthentication yes | 123 | PasswordAuthentication yes |
124 | RSAAuthentication yes | ||
125 | RhostsRSAAuthentication yes | ||
126 | StrictHostKeyChecking yes | 124 | StrictHostKeyChecking yes |
127 | TcpKeepAlive no | 125 | TcpKeepAlive no |
128 | IdentityFile ~/.ssh/identity | 126 | IdentityFile ~/.ssh/identity |
@@ -146,15 +144,15 @@ typedef enum { | |||
146 | oHost, oMatch, oInclude, | 144 | oHost, oMatch, oInclude, |
147 | oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, | 145 | oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, |
148 | oGatewayPorts, oExitOnForwardFailure, | 146 | oGatewayPorts, oExitOnForwardFailure, |
149 | oPasswordAuthentication, oRSAAuthentication, | 147 | oPasswordAuthentication, |
150 | oChallengeResponseAuthentication, oXAuthLocation, | 148 | oChallengeResponseAuthentication, oXAuthLocation, |
151 | oIdentityFile, oHostname, oPort, oCipher, oRemoteForward, oLocalForward, | 149 | oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward, |
152 | oCertificateFile, oAddKeysToAgent, oIdentityAgent, | 150 | oCertificateFile, oAddKeysToAgent, oIdentityAgent, |
153 | oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, | 151 | oUser, oEscapeChar, oProxyCommand, |
154 | oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, | 152 | oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, |
155 | oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, | 153 | oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, |
156 | oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, | 154 | oTCPKeepAlive, oNumberOfPasswordPrompts, |
157 | oUsePrivilegedPort, oLogFacility, oLogLevel, oCiphers, oMacs, | 155 | oLogFacility, oLogLevel, oCiphers, oMacs, |
158 | oPubkeyAuthentication, | 156 | oPubkeyAuthentication, |
159 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | 157 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, |
160 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | 158 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, |
@@ -174,6 +172,7 @@ typedef enum { | |||
174 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, | 172 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
175 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | 173 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
176 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, | 174 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, |
175 | oSecurityKeyProvider, | ||
177 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported | 176 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported |
178 | } OpCodes; | 177 | } OpCodes; |
179 | 178 | ||
@@ -198,6 +197,9 @@ static struct { | |||
198 | { "afstokenpassing", oUnsupported }, | 197 | { "afstokenpassing", oUnsupported }, |
199 | { "kerberosauthentication", oUnsupported }, | 198 | { "kerberosauthentication", oUnsupported }, |
200 | { "kerberostgtpassing", oUnsupported }, | 199 | { "kerberostgtpassing", oUnsupported }, |
200 | { "rsaauthentication", oUnsupported }, | ||
201 | { "rhostsrsaauthentication", oUnsupported }, | ||
202 | { "compressionlevel", oUnsupported }, | ||
201 | 203 | ||
202 | /* Sometimes-unsupported options */ | 204 | /* Sometimes-unsupported options */ |
203 | #if defined(GSSAPI) | 205 | #if defined(GSSAPI) |
@@ -214,9 +216,6 @@ static struct { | |||
214 | { "smartcarddevice", oUnsupported }, | 216 | { "smartcarddevice", oUnsupported }, |
215 | { "pkcs11provider", oUnsupported }, | 217 | { "pkcs11provider", oUnsupported }, |
216 | #endif | 218 | #endif |
217 | { "rsaauthentication", oUnsupported }, | ||
218 | { "rhostsrsaauthentication", oUnsupported }, | ||
219 | { "compressionlevel", oUnsupported }, | ||
220 | 219 | ||
221 | { "forwardagent", oForwardAgent }, | 220 | { "forwardagent", oForwardAgent }, |
222 | { "forwardx11", oForwardX11 }, | 221 | { "forwardx11", oForwardX11 }, |
@@ -310,10 +309,21 @@ static struct { | |||
310 | { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, | 309 | { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, |
311 | { "ignoreunknown", oIgnoreUnknown }, | 310 | { "ignoreunknown", oIgnoreUnknown }, |
312 | { "proxyjump", oProxyJump }, | 311 | { "proxyjump", oProxyJump }, |
312 | { "securitykeyprovider", oSecurityKeyProvider }, | ||
313 | 313 | ||
314 | { NULL, oBadOption } | 314 | { NULL, oBadOption } |
315 | }; | 315 | }; |
316 | 316 | ||
317 | static char *kex_default_pk_alg_filtered; | ||
318 | |||
319 | const char * | ||
320 | kex_default_pk_alg(void) | ||
321 | { | ||
322 | if (kex_default_pk_alg_filtered == NULL) | ||
323 | fatal("kex_default_pk_alg not initialized."); | ||
324 | return kex_default_pk_alg_filtered; | ||
325 | } | ||
326 | |||
317 | /* | 327 | /* |
318 | * Adds a local TCP/IP port forward to options. Never returns if there is an | 328 | * Adds a local TCP/IP port forward to options. Never returns if there is an |
319 | * error. | 329 | * error. |
@@ -518,7 +528,7 @@ execute_in_shell(const char *cmd) | |||
518 | execv(argv[0], argv); | 528 | execv(argv[0], argv); |
519 | error("Unable to execute '%.100s': %s", cmd, strerror(errno)); | 529 | error("Unable to execute '%.100s': %s", cmd, strerror(errno)); |
520 | /* Die with signal to make this error apparent to parent. */ | 530 | /* Die with signal to make this error apparent to parent. */ |
521 | signal(SIGTERM, SIG_DFL); | 531 | ssh_signal(SIGTERM, SIG_DFL); |
522 | kill(getpid(), SIGTERM); | 532 | kill(getpid(), SIGTERM); |
523 | _exit(1); | 533 | _exit(1); |
524 | } | 534 | } |
@@ -827,6 +837,13 @@ static const struct multistate multistate_canonicalizehostname[] = { | |||
827 | { "always", SSH_CANONICALISE_ALWAYS }, | 837 | { "always", SSH_CANONICALISE_ALWAYS }, |
828 | { NULL, -1 } | 838 | { NULL, -1 } |
829 | }; | 839 | }; |
840 | static const struct multistate multistate_compression[] = { | ||
841 | #ifdef WITH_ZLIB | ||
842 | { "yes", COMP_ZLIB }, | ||
843 | #endif | ||
844 | { "no", COMP_NONE }, | ||
845 | { NULL, -1 } | ||
846 | }; | ||
830 | 847 | ||
831 | /* | 848 | /* |
832 | * Processes a single option line as used in the configuration files. This | 849 | * Processes a single option line as used in the configuration files. This |
@@ -919,6 +936,34 @@ parse_time: | |||
919 | 936 | ||
920 | case oForwardAgent: | 937 | case oForwardAgent: |
921 | intptr = &options->forward_agent; | 938 | intptr = &options->forward_agent; |
939 | |||
940 | arg = strdelim(&s); | ||
941 | if (!arg || *arg == '\0') | ||
942 | fatal("%s line %d: missing argument.", | ||
943 | filename, linenum); | ||
944 | |||
945 | value = -1; | ||
946 | multistate_ptr = multistate_flag; | ||
947 | for (i = 0; multistate_ptr[i].key != NULL; i++) { | ||
948 | if (strcasecmp(arg, multistate_ptr[i].key) == 0) { | ||
949 | value = multistate_ptr[i].value; | ||
950 | break; | ||
951 | } | ||
952 | } | ||
953 | if (value != -1) { | ||
954 | if (*activep && *intptr == -1) | ||
955 | *intptr = value; | ||
956 | break; | ||
957 | } | ||
958 | /* ForwardAgent wasn't 'yes' or 'no', assume a path */ | ||
959 | if (*activep && *intptr == -1) | ||
960 | *intptr = 1; | ||
961 | |||
962 | charptr = &options->forward_agent_sock_path; | ||
963 | goto parse_agent_path; | ||
964 | |||
965 | case oForwardX11: | ||
966 | intptr = &options->forward_x11; | ||
922 | parse_flag: | 967 | parse_flag: |
923 | multistate_ptr = multistate_flag; | 968 | multistate_ptr = multistate_flag; |
924 | parse_multistate: | 969 | parse_multistate: |
@@ -940,10 +985,6 @@ parse_time: | |||
940 | *intptr = value; | 985 | *intptr = value; |
941 | break; | 986 | break; |
942 | 987 | ||
943 | case oForwardX11: | ||
944 | intptr = &options->forward_x11; | ||
945 | goto parse_flag; | ||
946 | |||
947 | case oForwardX11Trusted: | 988 | case oForwardX11Trusted: |
948 | intptr = &options->forward_x11_trusted; | 989 | intptr = &options->forward_x11_trusted; |
949 | goto parse_flag; | 990 | goto parse_flag; |
@@ -1012,7 +1053,8 @@ parse_time: | |||
1012 | 1053 | ||
1013 | case oCompression: | 1054 | case oCompression: |
1014 | intptr = &options->compression; | 1055 | intptr = &options->compression; |
1015 | goto parse_flag; | 1056 | multistate_ptr = multistate_compression; |
1057 | goto parse_multistate; | ||
1016 | 1058 | ||
1017 | case oTCPKeepAlive: | 1059 | case oTCPKeepAlive: |
1018 | intptr = &options->tcp_keep_alive; | 1060 | intptr = &options->tcp_keep_alive; |
@@ -1146,6 +1188,10 @@ parse_char_array: | |||
1146 | charptr = &options->pkcs11_provider; | 1188 | charptr = &options->pkcs11_provider; |
1147 | goto parse_string; | 1189 | goto parse_string; |
1148 | 1190 | ||
1191 | case oSecurityKeyProvider: | ||
1192 | charptr = &options->sk_provider; | ||
1193 | goto parse_string; | ||
1194 | |||
1149 | case oProxyCommand: | 1195 | case oProxyCommand: |
1150 | charptr = &options->proxy_command; | 1196 | charptr = &options->proxy_command; |
1151 | /* Ignore ProxyCommand if ProxyJump already specified */ | 1197 | /* Ignore ProxyCommand if ProxyJump already specified */ |
@@ -1553,12 +1599,12 @@ parse_keytypes: | |||
1553 | "files",filename, linenum, arg2); | 1599 | "files",filename, linenum, arg2); |
1554 | free(arg2); | 1600 | free(arg2); |
1555 | continue; | 1601 | continue; |
1556 | } else if (r != 0 || gl.gl_pathc < 0) | 1602 | } else if (r != 0) |
1557 | fatal("%.200s line %d: glob failed for %s.", | 1603 | fatal("%.200s line %d: glob failed for %s.", |
1558 | filename, linenum, arg2); | 1604 | filename, linenum, arg2); |
1559 | free(arg2); | 1605 | free(arg2); |
1560 | oactive = *activep; | 1606 | oactive = *activep; |
1561 | for (i = 0; i < (u_int)gl.gl_pathc; i++) { | 1607 | for (i = 0; i < gl.gl_pathc; i++) { |
1562 | debug3("%.200s line %d: Including file %s " | 1608 | debug3("%.200s line %d: Including file %s " |
1563 | "depth %d%s", filename, linenum, | 1609 | "depth %d%s", filename, linenum, |
1564 | gl.gl_pathv[i], depth, | 1610 | gl.gl_pathv[i], depth, |
@@ -1732,6 +1778,7 @@ parse_keytypes: | |||
1732 | if (!arg || *arg == '\0') | 1778 | if (!arg || *arg == '\0') |
1733 | fatal("%.200s line %d: Missing argument.", | 1779 | fatal("%.200s line %d: Missing argument.", |
1734 | filename, linenum); | 1780 | filename, linenum); |
1781 | parse_agent_path: | ||
1735 | /* Extra validation if the string represents an env var. */ | 1782 | /* Extra validation if the string represents an env var. */ |
1736 | if (arg[0] == '$' && !valid_env_name(arg + 1)) { | 1783 | if (arg[0] == '$' && !valid_env_name(arg + 1)) { |
1737 | fatal("%.200s line %d: Invalid environment name %s.", | 1784 | fatal("%.200s line %d: Invalid environment name %s.", |
@@ -1849,6 +1896,7 @@ initialize_options(Options * options) | |||
1849 | { | 1896 | { |
1850 | memset(options, 'X', sizeof(*options)); | 1897 | memset(options, 'X', sizeof(*options)); |
1851 | options->forward_agent = -1; | 1898 | options->forward_agent = -1; |
1899 | options->forward_agent_sock_path = NULL; | ||
1852 | options->forward_x11 = -1; | 1900 | options->forward_x11 = -1; |
1853 | options->forward_x11_trusted = -1; | 1901 | options->forward_x11_trusted = -1; |
1854 | options->forward_x11_timeout = -1; | 1902 | options->forward_x11_timeout = -1; |
@@ -1906,6 +1954,7 @@ initialize_options(Options * options) | |||
1906 | options->bind_address = NULL; | 1954 | options->bind_address = NULL; |
1907 | options->bind_interface = NULL; | 1955 | options->bind_interface = NULL; |
1908 | options->pkcs11_provider = NULL; | 1956 | options->pkcs11_provider = NULL; |
1957 | options->sk_provider = NULL; | ||
1909 | options->enable_ssh_keysign = - 1; | 1958 | options->enable_ssh_keysign = - 1; |
1910 | options->no_host_authentication_for_localhost = - 1; | 1959 | options->no_host_authentication_for_localhost = - 1; |
1911 | options->identities_only = - 1; | 1960 | options->identities_only = - 1; |
@@ -1972,6 +2021,7 @@ void | |||
1972 | fill_default_options(Options * options) | 2021 | fill_default_options(Options * options) |
1973 | { | 2022 | { |
1974 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; | 2023 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; |
2024 | char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig; | ||
1975 | int r; | 2025 | int r; |
1976 | 2026 | ||
1977 | if (options->forward_agent == -1) | 2027 | if (options->forward_agent == -1) |
@@ -2043,9 +2093,13 @@ fill_default_options(Options * options) | |||
2043 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); | 2093 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); |
2044 | #ifdef OPENSSL_HAS_ECC | 2094 | #ifdef OPENSSL_HAS_ECC |
2045 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); | 2095 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0); |
2096 | add_identity_file(options, "~/", | ||
2097 | _PATH_SSH_CLIENT_ID_ECDSA_SK, 0); | ||
2046 | #endif | 2098 | #endif |
2047 | add_identity_file(options, "~/", | 2099 | add_identity_file(options, "~/", |
2048 | _PATH_SSH_CLIENT_ID_ED25519, 0); | 2100 | _PATH_SSH_CLIENT_ID_ED25519, 0); |
2101 | add_identity_file(options, "~/", | ||
2102 | _PATH_SSH_CLIENT_ID_ED25519_SK, 0); | ||
2049 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0); | 2103 | add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0); |
2050 | } | 2104 | } |
2051 | if (options->escape_char == -1) | 2105 | if (options->escape_char == -1) |
@@ -2056,6 +2110,8 @@ fill_default_options(Options * options) | |||
2056 | options->system_hostfiles[options->num_system_hostfiles++] = | 2110 | options->system_hostfiles[options->num_system_hostfiles++] = |
2057 | xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); | 2111 | xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); |
2058 | } | 2112 | } |
2113 | if (options->update_hostkeys == -1) | ||
2114 | options->update_hostkeys = SSH_UPDATE_HOSTKEYS_NO; | ||
2059 | if (options->num_user_hostfiles == 0) { | 2115 | if (options->num_user_hostfiles == 0) { |
2060 | options->user_hostfiles[options->num_user_hostfiles++] = | 2116 | options->user_hostfiles[options->num_user_hostfiles++] = |
2061 | xstrdup(_PATH_SSH_USER_HOSTFILE); | 2117 | xstrdup(_PATH_SSH_USER_HOSTFILE); |
@@ -2116,8 +2172,13 @@ fill_default_options(Options * options) | |||
2116 | options->canonicalize_hostname = SSH_CANONICALISE_NO; | 2172 | options->canonicalize_hostname = SSH_CANONICALISE_NO; |
2117 | if (options->fingerprint_hash == -1) | 2173 | if (options->fingerprint_hash == -1) |
2118 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 2174 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
2119 | if (options->update_hostkeys == -1) | 2175 | #ifdef ENABLE_SK_INTERNAL |
2120 | options->update_hostkeys = 0; | 2176 | if (options->sk_provider == NULL) |
2177 | options->sk_provider = xstrdup("internal"); | ||
2178 | #else | ||
2179 | if (options->sk_provider == NULL) | ||
2180 | options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); | ||
2181 | #endif | ||
2121 | 2182 | ||
2122 | /* Expand KEX name lists */ | 2183 | /* Expand KEX name lists */ |
2123 | all_cipher = cipher_alg_list(',', 0); | 2184 | all_cipher = cipher_alg_list(',', 0); |
@@ -2125,24 +2186,35 @@ fill_default_options(Options * options) | |||
2125 | all_kex = kex_alg_list(','); | 2186 | all_kex = kex_alg_list(','); |
2126 | all_key = sshkey_alg_list(0, 0, 1, ','); | 2187 | all_key = sshkey_alg_list(0, 0, 1, ','); |
2127 | all_sig = sshkey_alg_list(0, 1, 1, ','); | 2188 | all_sig = sshkey_alg_list(0, 1, 1, ','); |
2189 | /* remove unsupported algos from default lists */ | ||
2190 | def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); | ||
2191 | def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); | ||
2192 | def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); | ||
2193 | def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); | ||
2194 | def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); | ||
2128 | #define ASSEMBLE(what, defaults, all) \ | 2195 | #define ASSEMBLE(what, defaults, all) \ |
2129 | do { \ | 2196 | do { \ |
2130 | if ((r = kex_assemble_names(&options->what, \ | 2197 | if ((r = kex_assemble_names(&options->what, \ |
2131 | defaults, all)) != 0) \ | 2198 | defaults, all)) != 0) \ |
2132 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ | 2199 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |
2133 | } while (0) | 2200 | } while (0) |
2134 | ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher); | 2201 | ASSEMBLE(ciphers, def_cipher, all_cipher); |
2135 | ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); | 2202 | ASSEMBLE(macs, def_mac, all_mac); |
2136 | ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); | 2203 | ASSEMBLE(kex_algorithms, def_kex, all_kex); |
2137 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2204 | ASSEMBLE(hostbased_key_types, def_key, all_key); |
2138 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2205 | ASSEMBLE(pubkey_key_types, def_key, all_key); |
2139 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 2206 | ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); |
2140 | #undef ASSEMBLE | 2207 | #undef ASSEMBLE |
2141 | free(all_cipher); | 2208 | free(all_cipher); |
2142 | free(all_mac); | 2209 | free(all_mac); |
2143 | free(all_kex); | 2210 | free(all_kex); |
2144 | free(all_key); | 2211 | free(all_key); |
2145 | free(all_sig); | 2212 | free(all_sig); |
2213 | free(def_cipher); | ||
2214 | free(def_mac); | ||
2215 | free(def_kex); | ||
2216 | kex_default_pk_alg_filtered = def_key; /* save for later use */ | ||
2217 | free(def_sig); | ||
2146 | 2218 | ||
2147 | #define CLEAR_ON_NONE(v) \ | 2219 | #define CLEAR_ON_NONE(v) \ |
2148 | do { \ | 2220 | do { \ |
@@ -2157,6 +2229,7 @@ fill_default_options(Options * options) | |||
2157 | CLEAR_ON_NONE(options->control_path); | 2229 | CLEAR_ON_NONE(options->control_path); |
2158 | CLEAR_ON_NONE(options->revoked_host_keys); | 2230 | CLEAR_ON_NONE(options->revoked_host_keys); |
2159 | CLEAR_ON_NONE(options->pkcs11_provider); | 2231 | CLEAR_ON_NONE(options->pkcs11_provider); |
2232 | CLEAR_ON_NONE(options->sk_provider); | ||
2160 | if (options->jump_host != NULL && | 2233 | if (options->jump_host != NULL && |
2161 | strcmp(options->jump_host, "none") == 0 && | 2234 | strcmp(options->jump_host, "none") == 0 && |
2162 | options->jump_port == 0 && options->jump_user == NULL) { | 2235 | options->jump_port == 0 && options->jump_user == NULL) { |
@@ -2590,14 +2663,19 @@ dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds) | |||
2590 | void | 2663 | void |
2591 | dump_client_config(Options *o, const char *host) | 2664 | dump_client_config(Options *o, const char *host) |
2592 | { | 2665 | { |
2593 | int i; | 2666 | int i, r; |
2594 | char buf[8], *all_key; | 2667 | char buf[8], *all_key; |
2595 | 2668 | ||
2596 | /* This is normally prepared in ssh_kex2 */ | 2669 | /* |
2670 | * Expand HostKeyAlgorithms name lists. This isn't handled in | ||
2671 | * fill_default_options() like the other algorithm lists because | ||
2672 | * the host key algorithms are by default dynamically chosen based | ||
2673 | * on the host's keys found in known_hosts. | ||
2674 | */ | ||
2597 | all_key = sshkey_alg_list(0, 0, 1, ','); | 2675 | all_key = sshkey_alg_list(0, 0, 1, ','); |
2598 | if (kex_assemble_names( &o->hostkeyalgorithms, | 2676 | if ((r = kex_assemble_names(&o->hostkeyalgorithms, kex_default_pk_alg(), |
2599 | KEX_DEFAULT_PK_ALG, all_key) != 0) | 2677 | all_key)) != 0) |
2600 | fatal("%s: kex_assemble_names failed", __func__); | 2678 | fatal("%s: expand HostKeyAlgorithms: %s", __func__, ssh_err(r)); |
2601 | free(all_key); | 2679 | free(all_key); |
2602 | 2680 | ||
2603 | /* Most interesting options first: user, host, port */ | 2681 | /* Most interesting options first: user, host, port */ |
@@ -2619,7 +2697,6 @@ dump_client_config(Options *o, const char *host) | |||
2619 | dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings); | 2697 | dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings); |
2620 | dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); | 2698 | dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); |
2621 | dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash); | 2699 | dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash); |
2622 | dump_cfg_fmtint(oForwardAgent, o->forward_agent); | ||
2623 | dump_cfg_fmtint(oForwardX11, o->forward_x11); | 2700 | dump_cfg_fmtint(oForwardX11, o->forward_x11); |
2624 | dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted); | 2701 | dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted); |
2625 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); | 2702 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); |
@@ -2656,7 +2733,7 @@ dump_client_config(Options *o, const char *host) | |||
2656 | /* String options */ | 2733 | /* String options */ |
2657 | dump_cfg_string(oBindAddress, o->bind_address); | 2734 | dump_cfg_string(oBindAddress, o->bind_address); |
2658 | dump_cfg_string(oBindInterface, o->bind_interface); | 2735 | dump_cfg_string(oBindInterface, o->bind_interface); |
2659 | dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT); | 2736 | dump_cfg_string(oCiphers, o->ciphers); |
2660 | dump_cfg_string(oControlPath, o->control_path); | 2737 | dump_cfg_string(oControlPath, o->control_path); |
2661 | dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); | 2738 | dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); |
2662 | dump_cfg_string(oHostKeyAlias, o->host_key_alias); | 2739 | dump_cfg_string(oHostKeyAlias, o->host_key_alias); |
@@ -2664,15 +2741,16 @@ dump_client_config(Options *o, const char *host) | |||
2664 | dump_cfg_string(oIdentityAgent, o->identity_agent); | 2741 | dump_cfg_string(oIdentityAgent, o->identity_agent); |
2665 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); | 2742 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); |
2666 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); | 2743 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); |
2667 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); | 2744 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms); |
2668 | dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); | 2745 | dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms); |
2669 | dump_cfg_string(oLocalCommand, o->local_command); | 2746 | dump_cfg_string(oLocalCommand, o->local_command); |
2670 | dump_cfg_string(oRemoteCommand, o->remote_command); | 2747 | dump_cfg_string(oRemoteCommand, o->remote_command); |
2671 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); | 2748 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); |
2672 | dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC); | 2749 | dump_cfg_string(oMacs, o->macs); |
2673 | #ifdef ENABLE_PKCS11 | 2750 | #ifdef ENABLE_PKCS11 |
2674 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); | 2751 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); |
2675 | #endif | 2752 | #endif |
2753 | dump_cfg_string(oSecurityKeyProvider, o->sk_provider); | ||
2676 | dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); | 2754 | dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); |
2677 | dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); | 2755 | dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); |
2678 | dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); | 2756 | dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); |
@@ -2694,6 +2772,12 @@ dump_client_config(Options *o, const char *host) | |||
2694 | 2772 | ||
2695 | /* Special cases */ | 2773 | /* Special cases */ |
2696 | 2774 | ||
2775 | /* oForwardAgent */ | ||
2776 | if (o->forward_agent_sock_path == NULL) | ||
2777 | dump_cfg_fmtint(oForwardAgent, o->forward_agent); | ||
2778 | else | ||
2779 | dump_cfg_string(oForwardAgent, o->forward_agent_sock_path); | ||
2780 | |||
2697 | /* oConnectTimeout */ | 2781 | /* oConnectTimeout */ |
2698 | if (o->connection_timeout == -1) | 2782 | if (o->connection_timeout == -1) |
2699 | printf("connecttimeout none\n"); | 2783 | printf("connecttimeout none\n"); |
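Review bot: `kex_default_pk_alg_filtered = def_key; /* save for later use */` in fill_default_options() (hunk -2125,+2186) overwrites the file-scope pointer without releasing what it already held, so any second call to fill_default_options() leaks the previous filtered list; a `free(kex_default_pk_alg_filtered);` immediately before the assignment keeps the global single-owner. Whether fill_default_options() can run more than once is not visible in this diff, so the leak may be latent today. The new accessor kex_default_pk_alg() (hunk -310,+309) fatals when the global is still NULL, which makes dump_client_config()'s ordering dependency on fill_default_options() explicit but undocumented; a comment above it such as `/* Default host key algorithm list with unsupported algos removed; valid only after fill_default_options() has run. */` would spell that out. As a point of style, the oForwardAgent case (hunk -919,+936) re-implements the multistate_flag lookup loop that parse_multistate already performs a few lines below; a small static helper that returns the matched value or -1 would let both sites share it.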