Commit 46347ed5 authored by djm@openbsd.org's avatar djm@openbsd.org Committed by Damien Miller

upstream commit

Add a ssh_config HostbasedKeyTypes option to control which
 host public key types are tried during hostbased authentication.

This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.

bz#2211 based on patch by Iain Morgan; ok markus@
parent 802660cb
/* $OpenBSD: readconf.c,v 1.229 2015/01/26 03:04:45 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.230 2015/01/30 11:43:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -156,7 +156,7 @@ typedef enum {
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
oFingerprintHash, oUpdateHostkeys,
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
......@@ -274,6 +274,7 @@ static struct {
{ "revokedhostkeys", oRevokedHostKeys },
{ "fingerprinthash", oFingerprintHash },
{ "updatehostkeys", oUpdateHostkeys },
{ "hostbasedkeytypes", oHostbasedKeyTypes },
{ "ignoreunknown", oIgnoreUnknown },
{ NULL, oBadOption }
......@@ -1481,6 +1482,19 @@ parse_int:
intptr = &options->update_hostkeys;
goto parse_flag;
case oHostbasedKeyTypes:
charptr = &options->hostbased_key_types;
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.",
filename, linenum);
if (!sshkey_names_valid2(arg, 1))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
*charptr = xstrdup(arg);
break;
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
......@@ -1660,6 +1674,7 @@ initialize_options(Options * options)
options->revoked_host_keys = NULL;
options->fingerprint_hash = -1;
options->update_hostkeys = -1;
options->hostbased_key_types = NULL;
}
/*
......@@ -1841,6 +1856,8 @@ fill_default_options(Options * options)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->update_hostkeys == -1)
options->update_hostkeys = 1;
if (options->hostbased_key_types == NULL)
options->hostbased_key_types = xstrdup("*");
#define CLEAR_ON_NONE(v) \
do { \
......@@ -2281,6 +2298,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oControlPath, o->control_path);
dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
dump_cfg_string(oHostKeyAlias, o->host_key_alias);
dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
dump_cfg_string(oLocalCommand, o->local_command);
......@@ -2289,9 +2307,10 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
dump_cfg_string(oProxyCommand, o->proxy_command);
dump_cfg_string(oXAuthLocation, o->xauth_location);
dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
dump_cfg_string(oXAuthLocation, o->xauth_location);
/* Forwards */
dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);
dump_cfg_forwards(oLocalForward, o->num_local_forwards, o->local_forwards);
dump_cfg_forwards(oRemoteForward, o->num_remote_forwards, o->remote_forwards);
......
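Review bot: In the oHostbasedKeyTypes case the fallback `arg ? arg : "<NONE>"` passed to the second fatal() is dead code, because the check just above it already calls fatal() when arg is NULL or empty, so arg can never be NULL at that point. The two messages in the same case also format the filename inconsistently (`%.200s` in the first, `%s` in the second); `fatal("%.200s line %d: Bad key types '%s'.", filename, linenum, arg);` resolves both. The ordering of the checks is otherwise sound — a pattern list that sshkey_names_valid2() rejects aborts config parsing before anything is stored — and deserves a one-line comment, e.g. `/* Reject unknown key type names before storing; the second argument appears to permit wildcard patterns, which the "*" default relies on. */`. In fill_default_options the `xstrdup("*")` default keeps the historical behaviour of offering every host key type, so the MaxAuthTries problem described in the commit message is only addressed once an administrator sets the option; a comment such as `/* "*" preserves the pre-option behaviour: all host key types are offered. */` would make that explicit. The enclosing function process_config_line starts and ends outside the hunk.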
/* $OpenBSD: readconf.h,v 1.107 2015/01/26 03:04:45 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.108 2015/01/30 11:43:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
......@@ -150,6 +150,8 @@ typedef struct {
int update_hostkeys;
char *hostbased_key_types;
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
} Options;
......
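Review bot: The new `hostbased_key_types` member is the only string field in this part of the struct without a trailing comment, while its neighbour documents itself (`/* Pattern list of unknown tokens to ignore */`). Suggest `char *hostbased_key_types; /* Pattern list of host key types tried for hostbased auth; "*" by default */` so a reader of the header does not have to find the readconf.c default. The Options typedef begins outside the hunk.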
......@@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
.\" $OpenBSD: scp.1,v 1.65 2015/01/26 13:55:29 jmc Exp $
.\" $OpenBSD: scp.1,v 1.66 2015/01/30 11:43:14 djm Exp $
.\"
.Dd $Mdocdate: January 26 2015 $
.Dd $Mdocdate: January 30 2015 $
.Dt SCP 1
.Os
.Sh NAME
......@@ -150,6 +150,7 @@ For full details of the options listed below, and their possible values, see
.It HashKnownHosts
.It Host
.It HostbasedAuthentication
.It HostbasedKeyTypes
.It HostKeyAlgorithms
.It HostKeyAlias
.It HostName
......
.\" $OpenBSD: sftp.1,v 1.100 2015/01/26 12:16:36 djm Exp $
.\" $OpenBSD: sftp.1,v 1.101 2015/01/30 11:43:14 djm Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
......@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: January 26 2015 $
.Dd $Mdocdate: January 30 2015 $
.Dt SFTP 1
.Os
.Sh NAME
......@@ -215,6 +215,7 @@ For full details of the options listed below, and their possible values, see
.It HashKnownHosts
.It Host
.It HostbasedAuthentication
.It HostbasedKeyTypes
.It HostKeyAlgorithms
.It HostKeyAlias
.It HostName
......
......@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.354 2015/01/26 12:16:36 djm Exp $
.Dd $Mdocdate: January 26 2015 $
.\" $OpenBSD: ssh.1,v 1.355 2015/01/30 11:43:14 djm Exp $
.Dd $Mdocdate: January 30 2015 $
.Dt SSH 1
.Os
.Sh NAME
......@@ -445,6 +445,7 @@ For full details of the options listed below, and their possible values, see
.It HashKnownHosts
.It Host
.It HostbasedAuthentication
.It HostbasedKeyTypes
.It HostKeyAlgorithms
.It HostKeyAlias
.It HostName
......
......@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.201 2015/01/26 12:16:36 djm Exp $
.Dd $Mdocdate: January 26 2015 $
.\" $OpenBSD: ssh_config.5,v 1.202 2015/01/30 11:43:14 djm Exp $
.Dd $Mdocdate: January 30 2015 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
......@@ -777,6 +777,17 @@ The default is
This option applies to protocol version 2 only and
is similar to
.Cm RhostsRSAAuthentication .
.It Cm HostbasedKeyTypes
Specifies the key types that will be used for hostbased authentication
as a comma-separated pattern list.
The default
.Dq *
will allow all key types.
The
.Fl Q
option of
.Xr ssh 1
may be used to list supported key types.
.It Cm HostKeyAlgorithms
Specifies the protocol version 2 host key algorithms
that the client wants to use in order of preference.
......