- markus@cvs.openbsd.org 2002/11/07 22:08:07

[readconf.c readconf.h ssh-keysign.8 ssh-keysign.c] we cannot use HostbasedAuthentication for enabling ssh-keysign(8), because HostbasedAuthentication might be enabled based on the target host and ssh-keysign(8) does not know the remote hostname and not trust ssh(1) about the hostname, so we add a new option EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de
2002-11-09 15:52:31 +00:00 · 2002-11-09 15:52:31 +00:00 · b6df73b06a
parent c2faa4a504
commit b6df73b06a
5 changed files with 26 additions and 8 deletions
--- a/9
+++ b/9
@ -25,6 +25,13 @@
   - markus@cvs.openbsd.org 2002/11/07 16:28:47
     [sshd.c]
     log to stderr if -ie is given, bug #414, prj@po.cwru.edu
+   - markus@cvs.openbsd.org 2002/11/07 22:08:07
+     [readconf.c readconf.h ssh-keysign.8 ssh-keysign.c]
+     we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
+     because HostbasedAuthentication might be enabled based on the
+     target host and ssh-keysign(8) does not know the remote hostname
+     and not trust ssh(1) about the hostname, so we add a new option
+     EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de

 20021021
 - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from 
@ -802,4 +809,4 @@
     save auth method before monitor_reset_key_state(); bugzilla bug #284;
     ok provos@

-$Id: ChangeLog,v 1.2507 2002/11/09 15:50:03 mouring Exp $
+$Id: ChangeLog,v 1.2508 2002/11/09 15:52:31 mouring Exp $
--- a/readconf.c
+++ b/readconf.c
@ -12,7 +12,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.101 2002/11/07 22:08:07 markus Exp $");

 #include "ssh.h"
 #include "xmalloc.h"
@ -114,6 +114,7 @@ typedef enum {
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+	oEnableSSHKeysign,
 	oDeprecated
 } OpCodes;

@ -185,6 +186,7 @@ static struct {
 	{ "bindaddress", oBindAddress },
 	{ "smartcarddevice", oSmartcardDevice },
 	{ "clearallforwardings", oClearAllForwardings },
+	{ "enablesshkeysign", oEnableSSHKeysign },
 	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
 	{ NULL, oBadOption }
 };
@ -669,6 +671,10 @@ parse_int:
 			*intptr = value;
 		break;

+	case oEnableSSHKeysign:
+		intptr = &options->enable_ssh_keysign;
+		goto parse_flag;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@ -792,6 +798,7 @@ initialize_options(Options * options)
 	options->preferred_authentications = NULL;
 	options->bind_address = NULL;
 	options->smartcard_device = NULL;
+	options->enable_ssh_keysign = - 1;
 	options->no_host_authentication_for_localhost = - 1;
 }

@ -907,6 +914,8 @@ fill_default_options(Options * options)
 		clear_forwardings(options);
 	if (options->no_host_authentication_for_localhost == - 1)
 		options->no_host_authentication_for_localhost = 0;
+	if (options->enable_ssh_keysign == -1)
+		options->enable_ssh_keysign = 0;
 	/* options->proxy_command should not be set by default */
 	/* options->user will be set in the main program if appropriate */
 	/* options->hostname will be set in the main program if appropriate */
--- a/readconf.h
+++ b/readconf.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: readconf.h,v 1.43 2002/06/08 05:17:01 markus Exp $	*/
+/*	$OpenBSD: readconf.h,v 1.44 2002/11/07 22:08:07 markus Exp $	*/

 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -99,6 +99,8 @@ typedef struct {
 	int     num_remote_forwards;
 	Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
 	int	clear_forwardings;
+
+	int	enable_ssh_keysign;
 	int	no_host_authentication_for_localhost;
 }       Options;

--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.3 2002/07/03 14:21:05 markus Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.4 2002/11/07 22:08:07 markus Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@ -42,7 +42,7 @@ is disabled by default and can only be enabled in the
 the global client configuration file
 .Pa /etc/ssh/ssh_config
 by setting
-.Cm HostbasedAuthentication
+.Cm EnableSSHKeysign
 to
 .Dq yes .
 .Pp
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.7 2002/07/03 14:21:05 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.8 2002/11/07 22:08:07 markus Exp $");

 #include <openssl/evp.h>
 #include <openssl/rand.h>
@ -168,8 +168,8 @@ main(int argc, char **argv)
 	initialize_options(&options);
 	(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
 	fill_default_options(&options);
-	if (options.hostbased_authentication != 1)
-		fatal("Hostbased authentication not enabled in %s",
+	if (options.enable_ssh_keysign != 1)
+		fatal("ssh-keysign not enabled in %s",
 		    _PATH_HOST_CONFIG_FILE);

 	if (key_fd[0] == -1 && key_fd[1] == -1)