1 files changed, 29 insertions, 10 deletions
diff --git a/servconf.c b/servconf.c
index df93fc450..6c7a91e6b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.274 2015/07/01 02:32:17 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -107,6 +108,7 @@ initialize_server_options(ServerOptions *options)
        options->hostbased_authentication = -1;
        options->hostbased_uses_name_from_packet_only = -1;
        options->hostbased_key_types = NULL;
+        options->hostkeyalgorithms = NULL;
        options->rsa_authentication = -1;
        options->pubkey_authentication = -1;
        options->pubkey_key_types = NULL;
@@ -222,7 +224,7 @@ fill_default_server_options(ServerOptions *options)
        if (options->key_regeneration_time == -1)
                options->key_regeneration_time = 3600;
        if (options->permit_root_login == PERMIT_NOT_SET)
-                options->permit_root_login = PERMIT_YES;
+                options->permit_root_login = PERMIT_NO_PASSWD;
        if (options->ignore_rhosts == -1)
                options->ignore_rhosts = 1;
        if (options->ignore_user_known_hosts == -1)
@@ -257,14 +259,12 @@ fill_default_server_options(ServerOptions *options)
                options->hostbased_authentication = 0;
        if (options->hostbased_uses_name_from_packet_only == -1)
                options->hostbased_uses_name_from_packet_only = 0;
-        if (options->hostbased_key_types == NULL)
+        if (options->hostkeyalgorithms == NULL)
-                options->hostbased_key_types = xstrdup("*");
+                options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
        if (options->rsa_authentication == -1)
                options->rsa_authentication = 1;
        if (options->pubkey_authentication == -1)
                options->pubkey_authentication = 1;
-        if (options->pubkey_key_types == NULL)
-                options->pubkey_key_types = xstrdup("*");
        if (options->kerberos_authentication == -1)
                options->kerberos_authentication = 0;
        if (options->kerberos_or_local_passwd == -1)
@@ -341,6 +341,16 @@ fill_default_server_options(ServerOptions *options)
                options->fwd_opts.streamlocal_bind_unlink = 0;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+        if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
+            kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
+            kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
+            kex_assemble_names(KEX_DEFAULT_PK_ALG,
+            &options->hostbased_key_types) != 0 ||
+            kex_assemble_names(KEX_DEFAULT_PK_ALG,
+            &options->pubkey_key_types) != 0)
+                fatal("%s: kex_assemble_names failed", __func__);
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
@@ -399,6 +409,7 @@ typedef enum {
        sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+        sHostKeyAlgorithms,
        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
        sAcceptEnv, sPermitTunnel,
@@ -449,6 +460,7 @@ static struct {
        { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
        { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
+        { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
        { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
        { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
@@ -904,6 +916,7 @@ static const struct multistate multistate_addressfamily[] = {
 };
 static const struct multistate multistate_permitrootlogin[] = {
        { "without-password",           PERMIT_NO_PASSWD },
+        { "prohibit-password",          PERMIT_NO_PASSWD },
        { "forced-commands-only",       PERMIT_FORCED_ONLY },
        { "yes",                        PERMIT_YES },
        { "no",                         PERMIT_NO },
@@ -1175,13 +1188,17 @@ process_server_config_line(ServerOptions *options, char *line,
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.",
                            filename, linenum);
-                if (!sshkey_names_valid2(arg, 1))
+                if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
                        fatal("%s line %d: Bad key types '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && *charptr == NULL)
                        *charptr = xstrdup(arg);
                break;
+        case sHostKeyAlgorithms:
+                charptr = &options->hostkeyalgorithms;
+                goto parse_keytypes;
        case sRSAAuthentication:
                intptr = &options->rsa_authentication;
                goto parse_flag;
@@ -1424,7 +1441,7 @@ process_server_config_line(ServerOptions *options, char *line,
                arg = strdelim(&cp);
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.", filename, linenum);
-                if (!ciphers_valid(arg))
+                if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (options->ciphers == NULL)
@@ -1435,7 +1452,7 @@ process_server_config_line(ServerOptions *options, char *line,
                arg = strdelim(&cp);
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.", filename, linenum);
-                if (!mac_valid(arg))
+                if (!mac_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%s line %d: Bad SSH2 mac spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (options->macs == NULL)
@@ -1447,7 +1464,7 @@ process_server_config_line(ServerOptions *options, char *line,
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.",
                            filename, linenum);
-                if (!kex_names_valid(arg))
+                if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (options->kex_algorithms == NULL)
@@ -2279,6 +2296,8 @@ dump_config(ServerOptions *o)
            o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
        dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
            o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
+        dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
+            o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
        dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
            o->pubkey_key_types : KEX_DEFAULT_PK_ALG);

diff --git a/servconf.c b/servconf.c index df93fc450..6c7a91e6b 100644 --- a/servconf.c +++ b/servconf.c
@@ -1,4 +1,5 @@
1	/* $OpenBSD: servconf.c,v 1.274 2015/07/01 02:32:17 djm Exp $ */	1
		2	/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
2	/*	3	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	5	* All rights reserved
@@ -107,6 +108,7 @@ initialize_server_options(ServerOptions *options)
107	options->hostbased_authentication = -1;	108	options->hostbased_authentication = -1;
108	options->hostbased_uses_name_from_packet_only = -1;	109	options->hostbased_uses_name_from_packet_only = -1;
109	options->hostbased_key_types = NULL;	110	options->hostbased_key_types = NULL;
		111	options->hostkeyalgorithms = NULL;
110	options->rsa_authentication = -1;	112	options->rsa_authentication = -1;
111	options->pubkey_authentication = -1;	113	options->pubkey_authentication = -1;
112	options->pubkey_key_types = NULL;	114	options->pubkey_key_types = NULL;
@@ -222,7 +224,7 @@ fill_default_server_options(ServerOptions *options)
222	if (options->key_regeneration_time == -1)	224	if (options->key_regeneration_time == -1)
223	options->key_regeneration_time = 3600;	225	options->key_regeneration_time = 3600;
224	if (options->permit_root_login == PERMIT_NOT_SET)	226	if (options->permit_root_login == PERMIT_NOT_SET)
225	options->permit_root_login = PERMIT_YES;	227	options->permit_root_login = PERMIT_NO_PASSWD;
226	if (options->ignore_rhosts == -1)	228	if (options->ignore_rhosts == -1)
227	options->ignore_rhosts = 1;	229	options->ignore_rhosts = 1;
228	if (options->ignore_user_known_hosts == -1)	230	if (options->ignore_user_known_hosts == -1)
@@ -257,14 +259,12 @@ fill_default_server_options(ServerOptions *options)
257	options->hostbased_authentication = 0;	259	options->hostbased_authentication = 0;
258	if (options->hostbased_uses_name_from_packet_only == -1)	260	if (options->hostbased_uses_name_from_packet_only == -1)
259	options->hostbased_uses_name_from_packet_only = 0;	261	options->hostbased_uses_name_from_packet_only = 0;
260	if (options->hostbased_key_types == NULL)	262	if (options->hostkeyalgorithms == NULL)
261	options->hostbased_key_types = xstrdup("*");	263	options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
262	if (options->rsa_authentication == -1)	264	if (options->rsa_authentication == -1)
263	options->rsa_authentication = 1;	265	options->rsa_authentication = 1;
264	if (options->pubkey_authentication == -1)	266	if (options->pubkey_authentication == -1)
265	options->pubkey_authentication = 1;	267	options->pubkey_authentication = 1;
266	if (options->pubkey_key_types == NULL)
267	options->pubkey_key_types = xstrdup("*");
268	if (options->kerberos_authentication == -1)	268	if (options->kerberos_authentication == -1)
269	options->kerberos_authentication = 0;	269	options->kerberos_authentication = 0;
270	if (options->kerberos_or_local_passwd == -1)	270	if (options->kerberos_or_local_passwd == -1)
@@ -341,6 +341,16 @@ fill_default_server_options(ServerOptions *options)
341	options->fwd_opts.streamlocal_bind_unlink = 0;	341	options->fwd_opts.streamlocal_bind_unlink = 0;
342	if (options->fingerprint_hash == -1)	342	if (options->fingerprint_hash == -1)
343	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;	343	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
		344
		345	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 \|\|
		346	kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 \|\|
		347	kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 \|\|
		348	kex_assemble_names(KEX_DEFAULT_PK_ALG,
		349	&options->hostbased_key_types) != 0 \|\|
		350	kex_assemble_names(KEX_DEFAULT_PK_ALG,
		351	&options->pubkey_key_types) != 0)
		352	fatal("%s: kex_assemble_names failed", __func__);
		353
344	/* Turn privilege separation on by default */	354	/* Turn privilege separation on by default */
345	if (use_privsep == -1)	355	if (use_privsep == -1)
346	use_privsep = PRIVSEP_NOSANDBOX;	356	use_privsep = PRIVSEP_NOSANDBOX;
@@ -399,6 +409,7 @@ typedef enum {
399	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,	409	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
400	sBanner, sUseDNS, sHostbasedAuthentication,	410	sBanner, sUseDNS, sHostbasedAuthentication,
401	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,	411	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
		412	sHostKeyAlgorithms,
402	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,	413	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
403	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,	414	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
404	sAcceptEnv, sPermitTunnel,	415	sAcceptEnv, sPermitTunnel,
@@ -449,6 +460,7 @@ static struct {
449	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },	460	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
450	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },	461	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
451	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },	462	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
		463	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
452	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },	464	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
453	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },	465	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
454	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },	466	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
@@ -904,6 +916,7 @@ static const struct multistate multistate_addressfamily[] = {
904	};	916	};
905	static const struct multistate multistate_permitrootlogin[] = {	917	static const struct multistate multistate_permitrootlogin[] = {
906	{ "without-password", PERMIT_NO_PASSWD },	918	{ "without-password", PERMIT_NO_PASSWD },
		919	{ "prohibit-password", PERMIT_NO_PASSWD },
907	{ "forced-commands-only", PERMIT_FORCED_ONLY },	920	{ "forced-commands-only", PERMIT_FORCED_ONLY },
908	{ "yes", PERMIT_YES },	921	{ "yes", PERMIT_YES },
909	{ "no", PERMIT_NO },	922	{ "no", PERMIT_NO },
@@ -1175,13 +1188,17 @@ process_server_config_line(ServerOptions options, char line,
1175	if (!arg \|\| *arg == '\0')	1188	if (!arg \|\| *arg == '\0')
1176	fatal("%s line %d: Missing argument.",	1189	fatal("%s line %d: Missing argument.",
1177	filename, linenum);	1190	filename, linenum);
1178	if (!sshkey_names_valid2(arg, 1))	1191	if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1179	fatal("%s line %d: Bad key types '%s'.",	1192	fatal("%s line %d: Bad key types '%s'.",
1180	filename, linenum, arg ? arg : "<NONE>");	1193	filename, linenum, arg ? arg : "<NONE>");
1181	if (activep && charptr == NULL)	1194	if (activep && charptr == NULL)
1182	*charptr = xstrdup(arg);	1195	*charptr = xstrdup(arg);
1183	break;	1196	break;
1184		1197
		1198	case sHostKeyAlgorithms:
		1199	charptr = &options->hostkeyalgorithms;
		1200	goto parse_keytypes;
		1201
1185	case sRSAAuthentication:	1202	case sRSAAuthentication:
1186	intptr = &options->rsa_authentication;	1203	intptr = &options->rsa_authentication;
1187	goto parse_flag;	1204	goto parse_flag;
@@ -1424,7 +1441,7 @@ process_server_config_line(ServerOptions options, char line,
1424	arg = strdelim(&cp);	1441	arg = strdelim(&cp);
1425	if (!arg \|\| *arg == '\0')	1442	if (!arg \|\| *arg == '\0')
1426	fatal("%s line %d: Missing argument.", filename, linenum);	1443	fatal("%s line %d: Missing argument.", filename, linenum);
1427	if (!ciphers_valid(arg))	1444	if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1428	fatal("%s line %d: Bad SSH2 cipher spec '%s'.",	1445	fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1429	filename, linenum, arg ? arg : "<NONE>");	1446	filename, linenum, arg ? arg : "<NONE>");
1430	if (options->ciphers == NULL)	1447	if (options->ciphers == NULL)
@@ -1435,7 +1452,7 @@ process_server_config_line(ServerOptions options, char line,
1435	arg = strdelim(&cp);	1452	arg = strdelim(&cp);
1436	if (!arg \|\| *arg == '\0')	1453	if (!arg \|\| *arg == '\0')
1437	fatal("%s line %d: Missing argument.", filename, linenum);	1454	fatal("%s line %d: Missing argument.", filename, linenum);
1438	if (!mac_valid(arg))	1455	if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1439	fatal("%s line %d: Bad SSH2 mac spec '%s'.",	1456	fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1440	filename, linenum, arg ? arg : "<NONE>");	1457	filename, linenum, arg ? arg : "<NONE>");
1441	if (options->macs == NULL)	1458	if (options->macs == NULL)
@@ -1447,7 +1464,7 @@ process_server_config_line(ServerOptions options, char line,
1447	if (!arg \|\| *arg == '\0')	1464	if (!arg \|\| *arg == '\0')
1448	fatal("%s line %d: Missing argument.",	1465	fatal("%s line %d: Missing argument.",
1449	filename, linenum);	1466	filename, linenum);
1450	if (!kex_names_valid(arg))	1467	if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1451	fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",	1468	fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1452	filename, linenum, arg ? arg : "<NONE>");	1469	filename, linenum, arg ? arg : "<NONE>");
1453	if (options->kex_algorithms == NULL)	1470	if (options->kex_algorithms == NULL)
@@ -2279,6 +2296,8 @@ dump_config(ServerOptions *o)
2279	o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);	2296	o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2280	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?	2297	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2281	o->hostbased_key_types : KEX_DEFAULT_PK_ALG);	2298	o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
		2299	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
		2300	o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2282	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?	2301	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2283	o->pubkey_key_types : KEX_DEFAULT_PK_ALG);	2302	o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2284		2303