1 files changed, 29 insertions, 10 deletions
diff --git a/servconf.c b/servconf.c
index fe3e31157..a778f44e9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.274 2015/07/01 02:32:17 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -107,6 +108,7 @@ initialize_server_options(ServerOptions *options)
        options->hostbased_authentication = -1;
        options->hostbased_uses_name_from_packet_only = -1;
        options->hostbased_key_types = NULL;
+        options->hostkeyalgorithms = NULL;
        options->rsa_authentication = -1;
        options->pubkey_authentication = -1;
        options->pubkey_key_types = NULL;
@@ -225,7 +227,7 @@ fill_default_server_options(ServerOptions *options)
        if (options->key_regeneration_time == -1)
                options->key_regeneration_time = 3600;
        if (options->permit_root_login == PERMIT_NOT_SET)
-                options->permit_root_login = PERMIT_YES;
+                options->permit_root_login = PERMIT_NO_PASSWD;
        if (options->ignore_rhosts == -1)
                options->ignore_rhosts = 1;
        if (options->ignore_user_known_hosts == -1)
@@ -260,14 +262,12 @@ fill_default_server_options(ServerOptions *options)
                options->hostbased_authentication = 0;
        if (options->hostbased_uses_name_from_packet_only == -1)
                options->hostbased_uses_name_from_packet_only = 0;
-        if (options->hostbased_key_types == NULL)
+        if (options->hostkeyalgorithms == NULL)
-                options->hostbased_key_types = xstrdup("*");
+                options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
        if (options->rsa_authentication == -1)
                options->rsa_authentication = 1;
        if (options->pubkey_authentication == -1)
                options->pubkey_authentication = 1;
-        if (options->pubkey_key_types == NULL)
-                options->pubkey_key_types = xstrdup("*");
        if (options->kerberos_authentication == -1)
                options->kerberos_authentication = 0;
        if (options->kerberos_or_local_passwd == -1)
@@ -350,6 +350,16 @@ fill_default_server_options(ServerOptions *options)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
        if (options->debian_banner == -1)
                options->debian_banner = 1;
+        if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
+            kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
+            kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
+            kex_assemble_names(KEX_DEFAULT_PK_ALG,
+            &options->hostbased_key_types) != 0 ||
+            kex_assemble_names(KEX_DEFAULT_PK_ALG,
+            &options->pubkey_key_types) != 0)
+                fatal("%s: kex_assemble_names failed", __func__);
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
@@ -408,6 +418,7 @@ typedef enum {
        sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+        sHostKeyAlgorithms,
        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
        sGssKeyEx, sGssStoreRekey,
@@ -460,6 +471,7 @@ static struct {
        { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
        { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
+        { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
        { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
        { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
@@ -925,6 +937,7 @@ static const struct multistate multistate_addressfamily[] = {
 };
 static const struct multistate multistate_permitrootlogin[] = {
        { "without-password",           PERMIT_NO_PASSWD },
+        { "prohibit-password",          PERMIT_NO_PASSWD },
        { "forced-commands-only",       PERMIT_FORCED_ONLY },
        { "yes",                        PERMIT_YES },
        { "no",                         PERMIT_NO },
@@ -1196,13 +1209,17 @@ process_server_config_line(ServerOptions *options, char *line,
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.",
                            filename, linenum);
-                if (!sshkey_names_valid2(arg, 1))
+                if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
                        fatal("%s line %d: Bad key types '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && *charptr == NULL)
                        *charptr = xstrdup(arg);
                break;
+        case sHostKeyAlgorithms:
+                charptr = &options->hostkeyalgorithms;
+                goto parse_keytypes;
        case sRSAAuthentication:
                intptr = &options->rsa_authentication;
                goto parse_flag;
@@ -1453,7 +1470,7 @@ process_server_config_line(ServerOptions *options, char *line,
                arg = strdelim(&cp);
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.", filename, linenum);
-                if (!ciphers_valid(arg))
+                if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (options->ciphers == NULL)
@@ -1464,7 +1481,7 @@ process_server_config_line(ServerOptions *options, char *line,
                arg = strdelim(&cp);
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.", filename, linenum);
-                if (!mac_valid(arg))
+                if (!mac_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%s line %d: Bad SSH2 mac spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (options->macs == NULL)
@@ -1476,7 +1493,7 @@ process_server_config_line(ServerOptions *options, char *line,
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.",
                            filename, linenum);
-                if (!kex_names_valid(arg))
+                if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (options->kex_algorithms == NULL)
@@ -2315,6 +2332,8 @@ dump_config(ServerOptions *o)
            o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
        dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
            o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
+        dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
+            o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
        dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
            o->pubkey_key_types : KEX_DEFAULT_PK_ALG);

diff --git a/servconf.c b/servconf.c index fe3e31157..a778f44e9 100644 --- a/servconf.c +++ b/servconf.c
@@ -1,4 +1,5 @@
1	/* $OpenBSD: servconf.c,v 1.274 2015/07/01 02:32:17 djm Exp $ */	1
		2	/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
2	/*	3	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	5	* All rights reserved
@@ -107,6 +108,7 @@ initialize_server_options(ServerOptions *options)
107	options->hostbased_authentication = -1;	108	options->hostbased_authentication = -1;
108	options->hostbased_uses_name_from_packet_only = -1;	109	options->hostbased_uses_name_from_packet_only = -1;
109	options->hostbased_key_types = NULL;	110	options->hostbased_key_types = NULL;
		111	options->hostkeyalgorithms = NULL;
110	options->rsa_authentication = -1;	112	options->rsa_authentication = -1;
111	options->pubkey_authentication = -1;	113	options->pubkey_authentication = -1;
112	options->pubkey_key_types = NULL;	114	options->pubkey_key_types = NULL;
@@ -225,7 +227,7 @@ fill_default_server_options(ServerOptions *options)
225	if (options->key_regeneration_time == -1)	227	if (options->key_regeneration_time == -1)
226	options->key_regeneration_time = 3600;	228	options->key_regeneration_time = 3600;
227	if (options->permit_root_login == PERMIT_NOT_SET)	229	if (options->permit_root_login == PERMIT_NOT_SET)
228	options->permit_root_login = PERMIT_YES;	230	options->permit_root_login = PERMIT_NO_PASSWD;
229	if (options->ignore_rhosts == -1)	231	if (options->ignore_rhosts == -1)
230	options->ignore_rhosts = 1;	232	options->ignore_rhosts = 1;
231	if (options->ignore_user_known_hosts == -1)	233	if (options->ignore_user_known_hosts == -1)
@@ -260,14 +262,12 @@ fill_default_server_options(ServerOptions *options)
260	options->hostbased_authentication = 0;	262	options->hostbased_authentication = 0;
261	if (options->hostbased_uses_name_from_packet_only == -1)	263	if (options->hostbased_uses_name_from_packet_only == -1)
262	options->hostbased_uses_name_from_packet_only = 0;	264	options->hostbased_uses_name_from_packet_only = 0;
263	if (options->hostbased_key_types == NULL)	265	if (options->hostkeyalgorithms == NULL)
264	options->hostbased_key_types = xstrdup("*");	266	options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
265	if (options->rsa_authentication == -1)	267	if (options->rsa_authentication == -1)
266	options->rsa_authentication = 1;	268	options->rsa_authentication = 1;
267	if (options->pubkey_authentication == -1)	269	if (options->pubkey_authentication == -1)
268	options->pubkey_authentication = 1;	270	options->pubkey_authentication = 1;
269	if (options->pubkey_key_types == NULL)
270	options->pubkey_key_types = xstrdup("*");
271	if (options->kerberos_authentication == -1)	271	if (options->kerberos_authentication == -1)
272	options->kerberos_authentication = 0;	272	options->kerberos_authentication = 0;
273	if (options->kerberos_or_local_passwd == -1)	273	if (options->kerberos_or_local_passwd == -1)
@@ -350,6 +350,16 @@ fill_default_server_options(ServerOptions *options)
350	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;	350	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
351	if (options->debian_banner == -1)	351	if (options->debian_banner == -1)
352	options->debian_banner = 1;	352	options->debian_banner = 1;
		353
		354	if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 \|\|
		355	kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 \|\|
		356	kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 \|\|
		357	kex_assemble_names(KEX_DEFAULT_PK_ALG,
		358	&options->hostbased_key_types) != 0 \|\|
		359	kex_assemble_names(KEX_DEFAULT_PK_ALG,
		360	&options->pubkey_key_types) != 0)
		361	fatal("%s: kex_assemble_names failed", __func__);
		362
353	/* Turn privilege separation on by default */	363	/* Turn privilege separation on by default */
354	if (use_privsep == -1)	364	if (use_privsep == -1)
355	use_privsep = PRIVSEP_NOSANDBOX;	365	use_privsep = PRIVSEP_NOSANDBOX;
@@ -408,6 +418,7 @@ typedef enum {
408	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,	418	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
409	sBanner, sUseDNS, sHostbasedAuthentication,	419	sBanner, sUseDNS, sHostbasedAuthentication,
410	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,	420	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
		421	sHostKeyAlgorithms,
411	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,	422	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
412	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,	423	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
413	sGssKeyEx, sGssStoreRekey,	424	sGssKeyEx, sGssStoreRekey,
@@ -460,6 +471,7 @@ static struct {
460	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },	471	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
461	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },	472	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
462	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },	473	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
		474	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
463	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },	475	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
464	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },	476	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
465	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },	477	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
@@ -925,6 +937,7 @@ static const struct multistate multistate_addressfamily[] = {
925	};	937	};
926	static const struct multistate multistate_permitrootlogin[] = {	938	static const struct multistate multistate_permitrootlogin[] = {
927	{ "without-password", PERMIT_NO_PASSWD },	939	{ "without-password", PERMIT_NO_PASSWD },
		940	{ "prohibit-password", PERMIT_NO_PASSWD },
928	{ "forced-commands-only", PERMIT_FORCED_ONLY },	941	{ "forced-commands-only", PERMIT_FORCED_ONLY },
929	{ "yes", PERMIT_YES },	942	{ "yes", PERMIT_YES },
930	{ "no", PERMIT_NO },	943	{ "no", PERMIT_NO },
@@ -1196,13 +1209,17 @@ process_server_config_line(ServerOptions options, char line,
1196	if (!arg \|\| *arg == '\0')	1209	if (!arg \|\| *arg == '\0')
1197	fatal("%s line %d: Missing argument.",	1210	fatal("%s line %d: Missing argument.",
1198	filename, linenum);	1211	filename, linenum);
1199	if (!sshkey_names_valid2(arg, 1))	1212	if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1200	fatal("%s line %d: Bad key types '%s'.",	1213	fatal("%s line %d: Bad key types '%s'.",
1201	filename, linenum, arg ? arg : "<NONE>");	1214	filename, linenum, arg ? arg : "<NONE>");
1202	if (activep && charptr == NULL)	1215	if (activep && charptr == NULL)
1203	*charptr = xstrdup(arg);	1216	*charptr = xstrdup(arg);
1204	break;	1217	break;
1205		1218
		1219	case sHostKeyAlgorithms:
		1220	charptr = &options->hostkeyalgorithms;
		1221	goto parse_keytypes;
		1222
1206	case sRSAAuthentication:	1223	case sRSAAuthentication:
1207	intptr = &options->rsa_authentication;	1224	intptr = &options->rsa_authentication;
1208	goto parse_flag;	1225	goto parse_flag;
@@ -1453,7 +1470,7 @@ process_server_config_line(ServerOptions options, char line,
1453	arg = strdelim(&cp);	1470	arg = strdelim(&cp);
1454	if (!arg \|\| *arg == '\0')	1471	if (!arg \|\| *arg == '\0')
1455	fatal("%s line %d: Missing argument.", filename, linenum);	1472	fatal("%s line %d: Missing argument.", filename, linenum);
1456	if (!ciphers_valid(arg))	1473	if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1457	fatal("%s line %d: Bad SSH2 cipher spec '%s'.",	1474	fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1458	filename, linenum, arg ? arg : "<NONE>");	1475	filename, linenum, arg ? arg : "<NONE>");
1459	if (options->ciphers == NULL)	1476	if (options->ciphers == NULL)
@@ -1464,7 +1481,7 @@ process_server_config_line(ServerOptions options, char line,
1464	arg = strdelim(&cp);	1481	arg = strdelim(&cp);
1465	if (!arg \|\| *arg == '\0')	1482	if (!arg \|\| *arg == '\0')
1466	fatal("%s line %d: Missing argument.", filename, linenum);	1483	fatal("%s line %d: Missing argument.", filename, linenum);
1467	if (!mac_valid(arg))	1484	if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1468	fatal("%s line %d: Bad SSH2 mac spec '%s'.",	1485	fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1469	filename, linenum, arg ? arg : "<NONE>");	1486	filename, linenum, arg ? arg : "<NONE>");
1470	if (options->macs == NULL)	1487	if (options->macs == NULL)
@@ -1476,7 +1493,7 @@ process_server_config_line(ServerOptions options, char line,
1476	if (!arg \|\| *arg == '\0')	1493	if (!arg \|\| *arg == '\0')
1477	fatal("%s line %d: Missing argument.",	1494	fatal("%s line %d: Missing argument.",
1478	filename, linenum);	1495	filename, linenum);
1479	if (!kex_names_valid(arg))	1496	if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1480	fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",	1497	fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1481	filename, linenum, arg ? arg : "<NONE>");	1498	filename, linenum, arg ? arg : "<NONE>");
1482	if (options->kex_algorithms == NULL)	1499	if (options->kex_algorithms == NULL)
@@ -2315,6 +2332,8 @@ dump_config(ServerOptions *o)
2315	o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);	2332	o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2316	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?	2333	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2317	o->hostbased_key_types : KEX_DEFAULT_PK_ALG);	2334	o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
		2335	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
		2336	o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2318	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?	2337	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2319	o->pubkey_key_types : KEX_DEFAULT_PK_ALG);	2338	o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2320		2339