upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
This commit is contained in:
parent
16db0a7ee9
commit
3a1638dda1
10
clientloop.c
10
clientloop.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: clientloop.c,v 1.274 2015/07/01 02:26:31 djm Exp $ */
|
||||
/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -100,6 +100,7 @@
|
|||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "myproposal.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "readconf.h"
|
||||
|
@ -2362,10 +2363,11 @@ client_input_hostkeys(void)
|
|||
debug3("%s: received %s key %s", __func__,
|
||||
sshkey_type(key), fp);
|
||||
free(fp);
|
||||
|
||||
/* Check that the key is accepted in HostkeyAlgorithms */
|
||||
if (options.hostkeyalgorithms != NULL &&
|
||||
match_pattern_list(sshkey_ssh_name(key),
|
||||
options.hostkeyalgorithms, 0) != 1) {
|
||||
if (match_pattern_list(sshkey_ssh_name(key),
|
||||
options.hostkeyalgorithms ? options.hostkeyalgorithms :
|
||||
KEX_DEFAULT_PK_ALG, 0) != 1) {
|
||||
debug3("%s: %s key not permitted by HostkeyAlgorithms",
|
||||
__func__, sshkey_ssh_name(key));
|
||||
continue;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: myproposal.h,v 1.46 2015/07/03 03:47:00 djm Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.47 2015/07/10 06:21:53 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
|
@ -99,11 +99,9 @@
|
|||
HOSTKEY_ECDSA_CERT_METHODS \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
"ssh-rsa-cert-v01@openssh.com," \
|
||||
"ssh-dss-cert-v01@openssh.com," \
|
||||
HOSTKEY_ECDSA_METHODS \
|
||||
"ssh-ed25519," \
|
||||
"ssh-rsa," \
|
||||
"ssh-dss"
|
||||
"ssh-rsa" \
|
||||
|
||||
/* the actual algorithms */
|
||||
|
||||
|
|
35
readconf.c
35
readconf.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.c,v 1.237 2015/06/26 05:13:20 djm Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.238 2015/07/10 06:21:53 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -157,6 +157,7 @@ typedef enum {
|
|||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
||||
oPubkeyAcceptedKeyTypes,
|
||||
oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
|
||||
|
@ -275,6 +276,7 @@ static struct {
|
|||
{ "fingerprinthash", oFingerprintHash },
|
||||
{ "updatehostkeys", oUpdateHostkeys },
|
||||
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
||||
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
||||
{ "ignoreunknown", oIgnoreUnknown },
|
||||
|
||||
{ NULL, oBadOption }
|
||||
|
@ -1115,14 +1117,17 @@ parse_int:
|
|||
break;
|
||||
|
||||
case oHostKeyAlgorithms:
|
||||
charptr = &options->hostkeyalgorithms;
|
||||
parse_keytypes:
|
||||
arg = strdelim(&s);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
fatal("%.200s line %d: Missing argument.",
|
||||
filename, linenum);
|
||||
if (!sshkey_names_valid2(arg, 1))
|
||||
fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
|
||||
fatal("%s line %d: Bad key types '%s'.",
|
||||
filename, linenum, arg ? arg : "<NONE>");
|
||||
if (*activep && options->hostkeyalgorithms == NULL)
|
||||
options->hostkeyalgorithms = xstrdup(arg);
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
case oProtocol:
|
||||
|
@ -1485,16 +1490,11 @@ parse_int:
|
|||
|
||||
case oHostbasedKeyTypes:
|
||||
charptr = &options->hostbased_key_types;
|
||||
arg = strdelim(&s);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%.200s line %d: Missing argument.",
|
||||
filename, linenum);
|
||||
if (!sshkey_names_valid2(arg, 1))
|
||||
fatal("%s line %d: Bad key types '%s'.",
|
||||
filename, linenum, arg ? arg : "<NONE>");
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
goto parse_keytypes;
|
||||
|
||||
case oPubkeyAcceptedKeyTypes:
|
||||
charptr = &options->pubkey_key_types;
|
||||
goto parse_keytypes;
|
||||
|
||||
case oDeprecated:
|
||||
debug("%s line %d: Deprecated option \"%s\"",
|
||||
|
@ -1676,6 +1676,7 @@ initialize_options(Options * options)
|
|||
options->fingerprint_hash = -1;
|
||||
options->update_hostkeys = -1;
|
||||
options->hostbased_key_types = NULL;
|
||||
options->pubkey_key_types = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -1858,7 +1859,9 @@ fill_default_options(Options * options)
|
|||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
if (options->hostbased_key_types == NULL)
|
||||
options->hostbased_key_types = xstrdup("*");
|
||||
options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
if (options->pubkey_key_types == NULL)
|
||||
options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.h,v 1.109 2015/02/16 22:13:32 djm Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.110 2015/07/10 06:21:53 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -151,6 +151,7 @@ typedef struct {
|
|||
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
||||
|
||||
char *hostbased_key_types;
|
||||
char *pubkey_key_types;
|
||||
|
||||
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
|
||||
} Options;
|
||||
|
|
5
scp.1
5
scp.1
|
@ -8,9 +8,9 @@
|
|||
.\"
|
||||
.\" Created: Sun May 7 00:14:37 1995 ylo
|
||||
.\"
|
||||
.\" $OpenBSD: scp.1,v 1.66 2015/01/30 11:43:14 djm Exp $
|
||||
.\" $OpenBSD: scp.1,v 1.67 2015/07/10 06:21:53 markus Exp $
|
||||
.\"
|
||||
.Dd $Mdocdate: January 30 2015 $
|
||||
.Dd $Mdocdate: July 10 2015 $
|
||||
.Dt SCP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -170,6 +170,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It PreferredAuthentications
|
||||
.It Protocol
|
||||
.It ProxyCommand
|
||||
.It PubkeyAcceptedKeyTypes
|
||||
.It PubkeyAuthentication
|
||||
.It RekeyLimit
|
||||
.It RhostsRSAAuthentication
|
||||
|
|
17
servconf.c
17
servconf.c
|
@ -1,5 +1,5 @@
|
|||
|
||||
/* $OpenBSD: servconf.c,v 1.275 2015/07/01 02:39:06 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.276 2015/07/10 06:21:53 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -108,6 +108,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->hostbased_authentication = -1;
|
||||
options->hostbased_uses_name_from_packet_only = -1;
|
||||
options->hostbased_key_types = NULL;
|
||||
options->hostkeyalgorithms = NULL;
|
||||
options->rsa_authentication = -1;
|
||||
options->pubkey_authentication = -1;
|
||||
options->pubkey_key_types = NULL;
|
||||
|
@ -259,13 +260,15 @@ fill_default_server_options(ServerOptions *options)
|
|||
if (options->hostbased_uses_name_from_packet_only == -1)
|
||||
options->hostbased_uses_name_from_packet_only = 0;
|
||||
if (options->hostbased_key_types == NULL)
|
||||
options->hostbased_key_types = xstrdup("*");
|
||||
options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
if (options->hostkeyalgorithms == NULL)
|
||||
options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
if (options->rsa_authentication == -1)
|
||||
options->rsa_authentication = 1;
|
||||
if (options->pubkey_authentication == -1)
|
||||
options->pubkey_authentication = 1;
|
||||
if (options->pubkey_key_types == NULL)
|
||||
options->pubkey_key_types = xstrdup("*");
|
||||
options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
if (options->kerberos_authentication == -1)
|
||||
options->kerberos_authentication = 0;
|
||||
if (options->kerberos_or_local_passwd == -1)
|
||||
|
@ -400,6 +403,7 @@ typedef enum {
|
|||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
sAcceptEnv, sPermitTunnel,
|
||||
|
@ -450,6 +454,7 @@ static struct {
|
|||
{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
|
||||
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
|
||||
{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
|
||||
{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
|
||||
{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
|
||||
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
|
||||
{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
|
||||
|
@ -1183,6 +1188,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
|||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
case sHostKeyAlgorithms:
|
||||
charptr = &options->hostkeyalgorithms;
|
||||
goto parse_keytypes;
|
||||
|
||||
case sRSAAuthentication:
|
||||
intptr = &options->rsa_authentication;
|
||||
goto parse_flag;
|
||||
|
@ -2280,6 +2289,8 @@ dump_config(ServerOptions *o)
|
|||
o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
|
||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
|
||||
o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
|
||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
||||
o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.120 2015/07/10 06:21:53 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -102,6 +102,7 @@ typedef struct {
|
|||
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
|
||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
||||
char *hostbased_key_types; /* Key types allowed for hostbased */
|
||||
char *hostkeyalgorithms; /* SSH2 server key types */
|
||||
int rsa_authentication; /* If true, permit RSA authentication. */
|
||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||
char *pubkey_key_types; /* Key types allowed for public key */
|
||||
|
|
5
ssh.1
5
ssh.1
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.358 2015/05/22 05:28:45 djm Exp $
|
||||
.Dd $Mdocdate: May 22 2015 $
|
||||
.\" $OpenBSD: ssh.1,v 1.359 2015/07/10 06:21:53 markus Exp $
|
||||
.Dd $Mdocdate: July 10 2015 $
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -470,6 +470,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It Protocol
|
||||
.It ProxyCommand
|
||||
.It ProxyUseFdpass
|
||||
.It PubkeyAcceptedKeyTypes
|
||||
.It PubkeyAuthentication
|
||||
.It RekeyLimit
|
||||
.It RemoteForward
|
||||
|
|
42
ssh_config.5
42
ssh_config.5
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.212 2015/07/03 03:47:00 djm Exp $
|
||||
.Dd $Mdocdate: July 3 2015 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.213 2015/07/10 06:21:53 markus Exp $
|
||||
.Dd $Mdocdate: July 10 2015 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -781,9 +781,17 @@ is similar to
|
|||
.It Cm HostbasedKeyTypes
|
||||
Specifies the key types that will be used for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
The default
|
||||
.Dq *
|
||||
will allow all key types.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
option of
|
||||
|
@ -798,10 +806,9 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa,ssh-dss
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
If hostkeys are known for the destination host then this default is modified
|
||||
|
@ -1206,6 +1213,25 @@ will pass a connected file descriptor back to
|
|||
instead of continuing to execute and pass data.
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm PubkeyAcceptedKeyTypes
|
||||
Specifies the key types that will be used for public key authentication
|
||||
as a comma-separated pattern list.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
option of
|
||||
.Xr ssh 1
|
||||
may be used to list supported key types.
|
||||
.It Cm PubkeyAuthentication
|
||||
Specifies whether to try public key authentication.
|
||||
The argument to this keyword must be
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.225 2015/07/10 06:21:53 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
|
@ -190,6 +190,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
|||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||
else {
|
||||
/* Enforce default */
|
||||
options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
/* Prefer algorithms that we already have keys for */
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
compat_pkalg_proposal(
|
||||
|
@ -1315,6 +1317,26 @@ pubkey_cleanup(Authctxt *authctxt)
|
|||
}
|
||||
}
|
||||
|
||||
static int
|
||||
try_identity(Identity *id)
|
||||
{
|
||||
if (!id->key)
|
||||
return (0);
|
||||
if (match_pattern_list(sshkey_ssh_name(id->key),
|
||||
options.pubkey_key_types, 0) != 1) {
|
||||
debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
|
||||
sshkey_ssh_name(id->key), id->filename);
|
||||
return (0);
|
||||
}
|
||||
if (key_type_plain(id->key->type) == KEY_RSA &&
|
||||
(datafellows & SSH_BUG_RSASIGMD5) != 0) {
|
||||
debug("Skipped %s key %s for RSA/MD5 server",
|
||||
key_type(id->key), id->filename);
|
||||
return (0);
|
||||
}
|
||||
return (id->key->type != KEY_RSA1);
|
||||
}
|
||||
|
||||
int
|
||||
userauth_pubkey(Authctxt *authctxt)
|
||||
{
|
||||
|
@ -1333,11 +1355,7 @@ userauth_pubkey(Authctxt *authctxt)
|
|||
* private key instead
|
||||
*/
|
||||
if (id->key != NULL) {
|
||||
if (key_type_plain(id->key->type) == KEY_RSA &&
|
||||
(datafellows & SSH_BUG_RSASIGMD5) != 0) {
|
||||
debug("Skipped %s key %s for RSA/MD5 server",
|
||||
key_type(id->key), id->filename);
|
||||
} else if (id->key->type != KEY_RSA1) {
|
||||
if (try_identity(id)) {
|
||||
debug("Offering %s public key: %s",
|
||||
key_type(id->key), id->filename);
|
||||
sent = send_pubkey_test(authctxt, id);
|
||||
|
@ -1347,13 +1365,8 @@ userauth_pubkey(Authctxt *authctxt)
|
|||
id->key = load_identity_file(id->filename,
|
||||
id->userprovided);
|
||||
if (id->key != NULL) {
|
||||
if (try_identity(id)) {
|
||||
id->isprivate = 1;
|
||||
if (key_type_plain(id->key->type) == KEY_RSA &&
|
||||
(datafellows & SSH_BUG_RSASIGMD5) != 0) {
|
||||
debug("Skipped %s key %s for RSA/MD5 "
|
||||
"server", key_type(id->key),
|
||||
id->filename);
|
||||
} else {
|
||||
sent = sign_and_send_pubkey(
|
||||
authctxt, id);
|
||||
}
|
||||
|
|
10
sshd.c
10
sshd.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshd.c,v 1.453 2015/07/03 03:49:45 djm Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.454 2015/07/10 06:21:53 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -95,6 +95,7 @@
|
|||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "match.h"
|
||||
#include "servconf.h"
|
||||
#include "uidswap.h"
|
||||
#include "compat.h"
|
||||
|
@ -799,6 +800,13 @@ list_hostkey_types(void)
|
|||
key = sensitive_data.host_pubkeys[i];
|
||||
if (key == NULL)
|
||||
continue;
|
||||
/* Check that the key is accepted in HostkeyAlgorithms */
|
||||
if (match_pattern_list(sshkey_ssh_name(key),
|
||||
options.hostkeyalgorithms, 0) != 1) {
|
||||
debug3("%s: %s key not permitted by HostkeyAlgorithms",
|
||||
__func__, sshkey_ssh_name(key));
|
||||
continue;
|
||||
}
|
||||
switch (key->type) {
|
||||
case KEY_RSA:
|
||||
case KEY_DSA:
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.205 2015/07/03 03:49:45 djm Exp $
|
||||
.Dd $Mdocdate: July 3 2015 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.206 2015/07/10 06:21:53 markus Exp $
|
||||
.Dd $Mdocdate: July 10 2015 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -640,9 +640,17 @@ The default is
|
|||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
The default
|
||||
.Dq *
|
||||
will allow all key types.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
option of
|
||||
|
@ -694,9 +702,15 @@ for protocol version 1, and
|
|||
and
|
||||
.Pa /etc/ssh/ssh_host_rsa_key
|
||||
for protocol version 2.
|
||||
.Pp
|
||||
Note that
|
||||
.Xr sshd 8
|
||||
will refuse to use a file if it is group/world-accessible.
|
||||
will refuse to use a file if it is group/world-accessible
|
||||
and that the
|
||||
.Cm HostKeyAlgorithms
|
||||
option restricts which of the keys are actually used by
|
||||
.Xr sshd 8 .
|
||||
.Pp
|
||||
It is possible to have multiple host key files.
|
||||
.Dq rsa1
|
||||
keys are used for version 1 and
|
||||
|
@ -718,6 +732,26 @@ If
|
|||
is specified, the location of the socket will be read from the
|
||||
.Ev SSH_AUTH_SOCK
|
||||
environment variable.
|
||||
.It Cm HostKeyAlgorithms
|
||||
Specifies the protocol version 2 host key algorithms
|
||||
that the server offers.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using the
|
||||
.Fl Q
|
||||
option of
|
||||
.Xr ssh 1
|
||||
with an argument of
|
||||
.Dq key .
|
||||
.It Cm IgnoreRhosts
|
||||
Specifies that
|
||||
.Pa .rhosts
|
||||
|
@ -1279,9 +1313,17 @@ is identical to
|
|||
.It Cm PubkeyAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for public key authentication
|
||||
as a comma-separated pattern list.
|
||||
The default
|
||||
.Dq *
|
||||
will allow all key types.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
option of
|
||||
|
|
Loading…
Reference in New Issue