upstream: Rename PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
This commit is contained in:
parent
a8e798feab
commit
ee9c0da803
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth2-pubkey.c,v 1.103 2020/12/22 00:12:22 djm Exp $ */
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.104 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -150,8 +150,8 @@ userauth_pubkey(struct ssh *ssh)
|
|||
logit("refusing previously-used %s key", sshkey_type(key));
|
||||
goto done;
|
||||
}
|
||||
if (match_pattern_list(pkalg, options.pubkey_key_types, 0) != 1) {
|
||||
logit_f("key type %s not in PubkeyAcceptedKeyTypes",
|
||||
if (match_pattern_list(pkalg, options.pubkey_accepted_algos, 0) != 1) {
|
||||
logit_f("key type %s not in PubkeyAcceptedAlgorithms",
|
||||
sshkey_ssh_name(key));
|
||||
goto done;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor.c,v 1.219 2020/12/29 00:59:15 djm Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.220 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
|
@ -1186,7 +1186,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
|
|||
if (auth2_key_already_used(authctxt, key))
|
||||
break;
|
||||
if (!key_base_type_match(auth_method, key,
|
||||
options.pubkey_key_types))
|
||||
options.pubkey_accepted_algos))
|
||||
break;
|
||||
allowed = user_key_allowed(ssh, authctxt->pw, key,
|
||||
pubkey_auth_attempt, &opts);
|
||||
|
|
27
readconf.c
27
readconf.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.c,v 1.348 2021/01/08 04:49:13 djm Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.349 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -171,7 +171,7 @@ typedef enum {
|
|||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
||||
oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
|
||||
oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
|
||||
oSecurityKeyProvider, oKnownHostsCommand,
|
||||
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
|
@ -307,7 +307,8 @@ static struct {
|
|||
{ "fingerprinthash", oFingerprintHash },
|
||||
{ "updatehostkeys", oUpdateHostkeys },
|
||||
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
||||
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
||||
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
|
||||
{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
|
||||
{ "ignoreunknown", oIgnoreUnknown },
|
||||
{ "proxyjump", oProxyJump },
|
||||
{ "securitykeyprovider", oSecurityKeyProvider },
|
||||
|
@ -1373,7 +1374,7 @@ parse_int:
|
|||
|
||||
case oHostKeyAlgorithms:
|
||||
charptr = &options->hostkeyalgorithms;
|
||||
parse_keytypes:
|
||||
parse_pubkey_algos:
|
||||
arg = strdelim(&s);
|
||||
if (!arg || *arg == '\0') {
|
||||
error("%.200s line %d: Missing argument.",
|
||||
|
@ -1393,7 +1394,7 @@ parse_keytypes:
|
|||
|
||||
case oCASignatureAlgorithms:
|
||||
charptr = &options->ca_sign_algorithms;
|
||||
goto parse_keytypes;
|
||||
goto parse_pubkey_algos;
|
||||
|
||||
case oLogLevel:
|
||||
log_level_ptr = &options->log_level;
|
||||
|
@ -1934,11 +1935,11 @@ parse_keytypes:
|
|||
|
||||
case oHostbasedKeyTypes:
|
||||
charptr = &options->hostbased_key_types;
|
||||
goto parse_keytypes;
|
||||
goto parse_pubkey_algos;
|
||||
|
||||
case oPubkeyAcceptedKeyTypes:
|
||||
charptr = &options->pubkey_key_types;
|
||||
goto parse_keytypes;
|
||||
case oPubkeyAcceptedAlgorithms:
|
||||
charptr = &options->pubkey_accepted_algos;
|
||||
goto parse_pubkey_algos;
|
||||
|
||||
case oAddKeysToAgent:
|
||||
arg = strdelim(&s);
|
||||
|
@ -2221,7 +2222,7 @@ initialize_options(Options * options)
|
|||
options->fingerprint_hash = -1;
|
||||
options->update_hostkeys = -1;
|
||||
options->hostbased_key_types = NULL;
|
||||
options->pubkey_key_types = NULL;
|
||||
options->pubkey_accepted_algos = NULL;
|
||||
options->known_hosts_command = NULL;
|
||||
}
|
||||
|
||||
|
@ -2440,7 +2441,7 @@ fill_default_options(Options * options)
|
|||
ASSEMBLE(macs, def_mac, all_mac);
|
||||
ASSEMBLE(kex_algorithms, def_kex, all_kex);
|
||||
ASSEMBLE(hostbased_key_types, def_key, all_key);
|
||||
ASSEMBLE(pubkey_key_types, def_key, all_key);
|
||||
ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
|
||||
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
|
||||
#undef ASSEMBLE
|
||||
|
||||
|
@ -2560,7 +2561,7 @@ free_options(Options *o)
|
|||
}
|
||||
free(o->revoked_host_keys);
|
||||
free(o->hostbased_key_types);
|
||||
free(o->pubkey_key_types);
|
||||
free(o->pubkey_accepted_algos);
|
||||
free(o->jump_user);
|
||||
free(o->jump_host);
|
||||
free(o->jump_extra);
|
||||
|
@ -3101,7 +3102,7 @@ dump_client_config(Options *o, const char *host)
|
|||
#endif
|
||||
dump_cfg_string(oSecurityKeyProvider, o->sk_provider);
|
||||
dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
|
||||
dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
|
||||
dump_cfg_string(oPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
|
||||
dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
|
||||
dump_cfg_string(oXAuthLocation, o->xauth_location);
|
||||
dump_cfg_string(oKnownHostsCommand, o->known_hosts_command);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.h,v 1.137 2020/12/22 00:15:23 djm Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.138 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -162,7 +162,7 @@ typedef struct {
|
|||
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
||||
|
||||
char *hostbased_key_types;
|
||||
char *pubkey_key_types;
|
||||
char *pubkey_accepted_algos;
|
||||
|
||||
char *jump_user;
|
||||
char *jump_host;
|
||||
|
|
6
scp.1
6
scp.1
|
@ -8,9 +8,9 @@
|
|||
.\"
|
||||
.\" Created: Sun May 7 00:14:37 1995 ylo
|
||||
.\"
|
||||
.\" $OpenBSD: scp.1,v 1.92 2020/12/22 07:40:26 jmc Exp $
|
||||
.\" $OpenBSD: scp.1,v 1.93 2021/01/22 02:44:58 dtucker Exp $
|
||||
.\"
|
||||
.Dd $Mdocdate: December 22 2020 $
|
||||
.Dd $Mdocdate: January 22 2021 $
|
||||
.Dt SCP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -195,7 +195,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It PreferredAuthentications
|
||||
.It ProxyCommand
|
||||
.It ProxyJump
|
||||
.It PubkeyAcceptedKeyTypes
|
||||
.It PubkeyAcceptedAlgorithms
|
||||
.It PubkeyAuthentication
|
||||
.It RekeyLimit
|
||||
.It SendEnv
|
||||
|
|
25
servconf.c
25
servconf.c
|
@ -1,5 +1,5 @@
|
|||
|
||||
/* $OpenBSD: servconf.c,v 1.373 2021/01/11 04:48:22 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.374 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -130,7 +130,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->hostkeyalgorithms = NULL;
|
||||
options->pubkey_authentication = -1;
|
||||
options->pubkey_auth_options = -1;
|
||||
options->pubkey_key_types = NULL;
|
||||
options->pubkey_accepted_algos = NULL;
|
||||
options->kerberos_authentication = -1;
|
||||
options->kerberos_or_local_passwd = -1;
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
|
@ -233,7 +233,7 @@ assemble_algorithms(ServerOptions *o)
|
|||
ASSEMBLE(kex_algorithms, def_kex, all_kex);
|
||||
ASSEMBLE(hostkeyalgorithms, def_key, all_key);
|
||||
ASSEMBLE(hostbased_key_types, def_key, all_key);
|
||||
ASSEMBLE(pubkey_key_types, def_key, all_key);
|
||||
ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
|
||||
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
|
||||
#undef ASSEMBLE
|
||||
free(all_cipher);
|
||||
|
@ -527,7 +527,7 @@ typedef enum {
|
|||
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
|
||||
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
|
||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
|
||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
|
@ -589,7 +589,8 @@ static struct {
|
|||
{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
|
||||
{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
|
||||
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
|
||||
{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
|
||||
{ "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
|
||||
{ "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
|
||||
{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
|
||||
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
|
||||
#ifdef KRB5
|
||||
|
@ -1501,7 +1502,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
|
||||
case sHostbasedAcceptedKeyTypes:
|
||||
charptr = &options->hostbased_key_types;
|
||||
parse_keytypes:
|
||||
parse_pubkey_algos:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: Missing argument.",
|
||||
|
@ -1517,19 +1518,19 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
|
||||
case sHostKeyAlgorithms:
|
||||
charptr = &options->hostkeyalgorithms;
|
||||
goto parse_keytypes;
|
||||
goto parse_pubkey_algos;
|
||||
|
||||
case sCASignatureAlgorithms:
|
||||
charptr = &options->ca_sign_algorithms;
|
||||
goto parse_keytypes;
|
||||
goto parse_pubkey_algos;
|
||||
|
||||
case sPubkeyAuthentication:
|
||||
intptr = &options->pubkey_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
case sPubkeyAcceptedKeyTypes:
|
||||
charptr = &options->pubkey_key_types;
|
||||
goto parse_keytypes;
|
||||
case sPubkeyAcceptedAlgorithms:
|
||||
charptr = &options->pubkey_accepted_algos;
|
||||
goto parse_pubkey_algos;
|
||||
|
||||
case sPubkeyAuthOptions:
|
||||
intptr = &options->pubkey_auth_options;
|
||||
|
@ -2921,7 +2922,7 @@ dump_config(ServerOptions *o)
|
|||
dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
|
||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);
|
||||
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
|
||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);
|
||||
dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
|
||||
#if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
|
||||
dump_cfg_string(sRDomain, o->routing_domain);
|
||||
#endif
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.149 2021/01/09 12:10:02 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.150 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -126,7 +126,7 @@ typedef struct {
|
|||
char *hostkeyalgorithms; /* SSH2 server key types */
|
||||
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
|
||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||
char *pubkey_key_types; /* Key types allowed for public key */
|
||||
char *pubkey_accepted_algos; /* Signature algos allowed for pubkey */
|
||||
int pubkey_auth_options; /* -1 or mask of PUBKEYAUTH_* flags */
|
||||
int kerberos_authentication; /* If true, permit Kerberos
|
||||
* authentication. */
|
||||
|
@ -272,7 +272,7 @@ TAILQ_HEAD(include_list, include_item);
|
|||
M_CP_STROPT(authorized_principals_command); \
|
||||
M_CP_STROPT(authorized_principals_command_user); \
|
||||
M_CP_STROPT(hostbased_key_types); \
|
||||
M_CP_STROPT(pubkey_key_types); \
|
||||
M_CP_STROPT(pubkey_accepted_algos); \
|
||||
M_CP_STROPT(ca_sign_algorithms); \
|
||||
M_CP_STROPT(routing_domain); \
|
||||
M_CP_STROPT(permit_user_env_allowlist); \
|
||||
|
|
6
sftp.1
6
sftp.1
|
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: sftp.1,v 1.133 2020/12/22 07:40:26 jmc Exp $
|
||||
.\" $OpenBSD: sftp.1,v 1.134 2021/01/22 02:44:58 dtucker Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
|
||||
.\"
|
||||
|
@ -22,7 +22,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: December 22 2020 $
|
||||
.Dd $Mdocdate: January 22 2021 $
|
||||
.Dt SFTP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -269,7 +269,7 @@ For full details of the options listed below, and their possible values, see
|
|||
.It PreferredAuthentications
|
||||
.It ProxyCommand
|
||||
.It ProxyJump
|
||||
.It PubkeyAcceptedKeyTypes
|
||||
.It PubkeyAcceptedAlgorithms
|
||||
.It PubkeyAuthentication
|
||||
.It RekeyLimit
|
||||
.It SendEnv
|
||||
|
|
5
ssh.c
5
ssh.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh.c,v 1.546 2020/12/20 23:40:19 djm Exp $ */
|
||||
/* $OpenBSD: ssh.c,v 1.547 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -799,7 +799,8 @@ main(int ac, char **av)
|
|||
else if (strcmp(optarg, "key-plain") == 0)
|
||||
cp = sshkey_alg_list(0, 1, 0, '\n');
|
||||
else if (strcmp(optarg, "key-sig") == 0 ||
|
||||
strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
|
||||
strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */
|
||||
strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 ||
|
||||
strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
|
||||
strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
|
||||
strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
|
||||
|
|
18
ssh_config.5
18
ssh_config.5
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.342 2021/01/14 19:45:06 rob Exp $
|
||||
.Dd $Mdocdate: January 14 2021 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.343 2021/01/22 02:44:58 dtucker Exp $
|
||||
.Dd $Mdocdate: January 22 2021 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1388,20 +1388,20 @@ will pass a connected file descriptor back to
|
|||
instead of continuing to execute and pass data.
|
||||
The default is
|
||||
.Cm no .
|
||||
.It Cm PubkeyAcceptedKeyTypes
|
||||
Specifies the key types that will be used for public key authentication
|
||||
as a comma-separated list of patterns.
|
||||
.It Cm PubkeyAcceptedAlgorithms
|
||||
Specifies the signature algorithms that will be used for public key
|
||||
authentication as a comma-separated list of patterns.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
character, then the key types after it will be appended to the default
|
||||
character, then the algorithms after it will be appended to the default
|
||||
instead of replacing it.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified key types (including wildcards) will be removed
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
from the default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified key types will be placed at the head of the
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
default set.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
|
@ -1422,7 +1422,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||
.It Cm PubkeyAuthentication
|
||||
Specifies whether to try public key authentication.
|
||||
The argument to this keyword must be
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect2.c,v 1.341 2021/01/08 02:57:24 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.342 2021/01/22 02:44:58 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
|
@ -1191,16 +1191,16 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
|
|||
(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
|
||||
/* Filter base key signature alg against our configuration */
|
||||
return match_list(sshkey_ssh_name(key),
|
||||
options.pubkey_key_types, NULL);
|
||||
options.pubkey_accepted_algos, NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* For RSA keys/certs, since these might have a different sig type:
|
||||
* find the first entry in PubkeyAcceptedKeyTypes of the right type
|
||||
* find the first entry in PubkeyAcceptedAlgorithms of the right type
|
||||
* that also appears in the supported signature algorithms list from
|
||||
* the server.
|
||||
*/
|
||||
oallowed = allowed = xstrdup(options.pubkey_key_types);
|
||||
oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
|
||||
while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||
if (sshkey_type_from_name(cp) != key->type)
|
||||
continue;
|
||||
|
@ -1597,25 +1597,25 @@ static int
|
|||
key_type_allowed_by_config(struct sshkey *key)
|
||||
{
|
||||
if (match_pattern_list(sshkey_ssh_name(key),
|
||||
options.pubkey_key_types, 0) == 1)
|
||||
options.pubkey_accepted_algos, 0) == 1)
|
||||
return 1;
|
||||
|
||||
/* RSA keys/certs might be allowed by alternate signature types */
|
||||
switch (key->type) {
|
||||
case KEY_RSA:
|
||||
if (match_pattern_list("rsa-sha2-512",
|
||||
options.pubkey_key_types, 0) == 1)
|
||||
options.pubkey_accepted_algos, 0) == 1)
|
||||
return 1;
|
||||
if (match_pattern_list("rsa-sha2-256",
|
||||
options.pubkey_key_types, 0) == 1)
|
||||
options.pubkey_accepted_algos, 0) == 1)
|
||||
return 1;
|
||||
break;
|
||||
case KEY_RSA_CERT:
|
||||
if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
|
||||
options.pubkey_key_types, 0) == 1)
|
||||
options.pubkey_accepted_algos, 0) == 1)
|
||||
return 1;
|
||||
if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
|
||||
options.pubkey_key_types, 0) == 1)
|
||||
options.pubkey_accepted_algos, 0) == 1)
|
||||
return 1;
|
||||
break;
|
||||
}
|
||||
|
@ -1757,11 +1757,11 @@ pubkey_prepare(Authctxt *authctxt)
|
|||
}
|
||||
/* append remaining keys from the config file */
|
||||
TAILQ_CONCAT(preferred, &files, next);
|
||||
/* finally, filter by PubkeyAcceptedKeyTypes */
|
||||
/* finally, filter by PubkeyAcceptedAlgorithms */
|
||||
TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
|
||||
if (id->key != NULL && !key_type_allowed_by_config(id->key)) {
|
||||
debug("Skipping %s key %s - "
|
||||
"not in PubkeyAcceptedKeyTypes",
|
||||
"corresponding algo not in PubkeyAcceptedAlgorithms",
|
||||
sshkey_ssh_name(id->key), id->filename);
|
||||
TAILQ_REMOVE(preferred, id, next);
|
||||
sshkey_free(id->key);
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.323 2021/01/14 19:45:06 rob Exp $
|
||||
.Dd $Mdocdate: January 14 2021 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.324 2021/01/22 02:44:58 dtucker Exp $
|
||||
.Dd $Mdocdate: January 22 2021 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1209,7 +1209,7 @@ Available keywords are
|
|||
.Cm PermitTTY ,
|
||||
.Cm PermitTunnel ,
|
||||
.Cm PermitUserRC ,
|
||||
.Cm PubkeyAcceptedKeyTypes ,
|
||||
.Cm PubkeyAcceptedAlgorithms ,
|
||||
.Cm PubkeyAuthentication ,
|
||||
.Cm RekeyLimit ,
|
||||
.Cm RevokedKeys ,
|
||||
|
@ -1477,20 +1477,20 @@ when a user logs in interactively.
|
|||
or equivalent.)
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm PubkeyAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for public key authentication
|
||||
as a list of comma-separated patterns.
|
||||
.It Cm PubkeyAcceptedAlgorithms
|
||||
Specifies the signature algorithms that will be accepted for public key
|
||||
authentication as a list of comma-separated patterns.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified key types will be appended to the default set
|
||||
character, then the specified algorithms will be appended to the default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified key types (including wildcards) will be removed
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
from the default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified key types will be placed at the head of the
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
default set.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
|
@ -1511,7 +1511,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|||
.Ed
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||
.It Cm PubkeyAuthOptions
|
||||
Sets one or more public key authentication options.
|
||||
The supported keywords are:
|
||||
|
|
Loading…
Reference in New Issue