upstream: Add RequiredRSASize for sshd(8); RSA keys that fall
beneath this limit will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@ OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
This commit is contained in:
parent
54b333d12e
commit
1875042c52
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth2-hostbased.c,v 1.49 2022/01/06 22:01:14 djm Exp $ */
|
||||
/* $OpenBSD: auth2-hostbased.c,v 1.50 2022/09/17 10:34:29 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -119,6 +119,11 @@ userauth_hostbased(struct ssh *ssh, const char *method)
|
|||
"(null)" : key->cert->signature_type);
|
||||
goto done;
|
||||
}
|
||||
if ((r = sshkey_check_rsa_length(key,
|
||||
options.required_rsa_size)) != 0) {
|
||||
logit_r(r, "refusing %s key", sshkey_type(key));
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (!authctxt->valid || authctxt->user == NULL) {
|
||||
debug2_f("disabled because of invalid user");
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth2-pubkey.c,v 1.116 2022/06/15 16:08:25 djm Exp $ */
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.117 2022/09/17 10:34:29 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2010 Damien Miller. All rights reserved.
|
||||
|
@ -175,6 +175,11 @@ userauth_pubkey(struct ssh *ssh, const char *method)
|
|||
"(null)" : key->cert->signature_type);
|
||||
goto done;
|
||||
}
|
||||
if ((r = sshkey_check_rsa_length(key,
|
||||
options.required_rsa_size)) != 0) {
|
||||
logit_r(r, "refusing %s key", sshkey_type(key));
|
||||
goto done;
|
||||
}
|
||||
key_s = format_key(key);
|
||||
if (sshkey_is_cert(key))
|
||||
ca_s = format_key(key->cert->signature_key);
|
||||
|
|
13
servconf.c
13
servconf.c
|
@ -1,5 +1,5 @@
|
|||
|
||||
/* $OpenBSD: servconf.c,v 1.385 2022/06/03 04:30:47 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.386 2022/09/17 10:34:29 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
options->expose_userauth_info = -1;
|
||||
options->required_rsa_size = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
|
@ -441,6 +442,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->expose_userauth_info = 0;
|
||||
if (options->sk_provider == NULL)
|
||||
options->sk_provider = xstrdup("internal");
|
||||
if (options->required_rsa_size == -1)
|
||||
options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
|
@ -517,6 +520,7 @@ typedef enum {
|
|||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
|
||||
sRequiredRSASize,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
|
@ -676,6 +680,7 @@ static struct {
|
|||
{ "rdomain", sRDomain, SSHCFG_ALL },
|
||||
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
||||
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
|
||||
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
|
@ -2438,6 +2443,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
case sRequiredRSASize:
|
||||
intptr = &options->required_rsa_size;
|
||||
goto parse_int;
|
||||
|
||||
case sDeprecated:
|
||||
case sIgnore:
|
||||
case sUnsupported:
|
||||
|
@ -2610,6 +2619,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
|||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
M_CP_INTOPT(log_level);
|
||||
M_CP_INTOPT(required_rsa_size);
|
||||
|
||||
/*
|
||||
* The bind_mask is a mode_t that may be unsigned, so we can't use
|
||||
|
@ -2874,6 +2884,7 @@ dump_config(ServerOptions *o)
|
|||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
||||
dump_cfg_int(sRequiredRSASize, o->required_rsa_size);
|
||||
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
||||
|
||||
/* formatted integer arguments */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.156 2022/03/18 04:04:11 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.157 2022/09/17 10:34:29 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -229,6 +229,7 @@ typedef struct {
|
|||
int expose_userauth_info;
|
||||
u_int64_t timing_secret;
|
||||
char *sk_provider;
|
||||
int required_rsa_size; /* minimum size of RSA keys */
|
||||
} ServerOptions;
|
||||
|
||||
/* Information about the incoming connection as used by Match */
|
||||
|
|
9
sshd.c
9
sshd.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshd.c,v 1.590 2022/07/01 05:08:23 dtucker Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.591 2022/09/17 10:34:29 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -1870,6 +1870,13 @@ main(int ac, char **av)
|
|||
fatal_r(r, "Could not demote key: \"%s\"",
|
||||
options.host_key_files[i]);
|
||||
}
|
||||
if (pubkey != NULL && (r = sshkey_check_rsa_length(pubkey,
|
||||
options.required_rsa_size)) != 0) {
|
||||
error_fr(r, "Host key %s", options.host_key_files[i]);
|
||||
sshkey_free(pubkey);
|
||||
sshkey_free(key);
|
||||
continue;
|
||||
}
|
||||
sensitive_data.host_keys[i] = key;
|
||||
sensitive_data.host_pubkeys[i] = pubkey;
|
||||
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.342 2022/06/24 04:27:14 djm Exp $
|
||||
.Dd $Mdocdate: June 24 2022 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.343 2022/09/17 10:34:29 djm Exp $
|
||||
.Dd $Mdocdate: September 17 2022 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1596,6 +1596,16 @@ is
|
|||
.Cm default none ,
|
||||
which means that rekeying is performed after the cipher's default amount
|
||||
of data has been sent or received and no time based rekeying is done.
|
||||
.It Cm RequiredRSASize
|
||||
Specifies the minimum RSA key size (in bits) that
|
||||
.Xr sshd 8
|
||||
will accept.
|
||||
User and host-based authentication keys smaller than this limit will be
|
||||
refused.
|
||||
The default is
|
||||
.Cm 1024
|
||||
bits.
|
||||
Note that this limit may only be raised from the default.
|
||||
.It Cm RevokedKeys
|
||||
Specifies revoked public keys file, or
|
||||
.Cm none
|
||||
|
|
Loading…
Reference in New Issue