mirror of git://anongit.mindrot.org/openssh.git
upstream: add explict check for server hostkey type against
HostkeyAlgorithms. Allows HostkeyAlgorithms to disable implicit fallback from certificate keys to plain keys. ok markus@ OpenBSD-Commit-ID: 364087e4a395ff9b2f42bf3aefdb2090bb23643a
This commit is contained in:
parent
5b28096d31
commit
80fb0eb215
23
clientloop.c
23
clientloop.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
|
/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -2441,25 +2441,6 @@ client_global_hostkeys_prove_confirm(struct ssh *ssh, int type,
|
||||||
client_repledge();
|
client_repledge();
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Returns non-zero if the key is accepted by HostkeyAlgorithms.
|
|
||||||
* Made slightly less trivial by the multiple RSA signature algorithm names.
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
key_accepted_by_hostkeyalgs(const struct sshkey *key)
|
|
||||||
{
|
|
||||||
const char *ktype = sshkey_ssh_name(key);
|
|
||||||
const char *hostkeyalgs = options.hostkeyalgorithms;
|
|
||||||
|
|
||||||
if (key->type == KEY_UNSPEC)
|
|
||||||
return 0;
|
|
||||||
if (key->type == KEY_RSA &&
|
|
||||||
(match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 ||
|
|
||||||
match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1))
|
|
||||||
return 1;
|
|
||||||
return match_pattern_list(ktype, hostkeyalgs, 0) == 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Handle hostkeys-00@openssh.com global request to inform the client of all
|
* Handle hostkeys-00@openssh.com global request to inform the client of all
|
||||||
* the server's hostkeys. The keys are checked against the user's
|
* the server's hostkeys. The keys are checked against the user's
|
||||||
|
@ -2504,7 +2485,7 @@ client_input_hostkeys(struct ssh *ssh)
|
||||||
debug3_f("received %s key %s", sshkey_type(key), fp);
|
debug3_f("received %s key %s", sshkey_type(key), fp);
|
||||||
free(fp);
|
free(fp);
|
||||||
|
|
||||||
if (!key_accepted_by_hostkeyalgs(key)) {
|
if (!hostkey_accepted_by_hostkeyalgs(key)) {
|
||||||
debug3_f("%s key not permitted by "
|
debug3_f("%s key not permitted by "
|
||||||
"HostkeyAlgorithms", sshkey_ssh_name(key));
|
"HostkeyAlgorithms", sshkey_ssh_name(key));
|
||||||
continue;
|
continue;
|
||||||
|
|
32
sshconnect.c
32
sshconnect.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshconnect.c,v 1.367 2024/04/23 13:34:50 jsg Exp $ */
|
/* $OpenBSD: sshconnect.c,v 1.368 2024/04/30 02:10:49 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -57,6 +57,7 @@
|
||||||
#include "sshkey.h"
|
#include "sshkey.h"
|
||||||
#include "sshconnect.h"
|
#include "sshconnect.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
|
#include "match.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "readconf.h"
|
#include "readconf.h"
|
||||||
#include "atomicio.h"
|
#include "atomicio.h"
|
||||||
|
@ -717,6 +718,29 @@ try_tilde_unexpand(const char *path)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Returns non-zero if the key is accepted by HostkeyAlgorithms.
|
||||||
|
* Made slightly less trivial by the multiple RSA signature algorithm names.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
hostkey_accepted_by_hostkeyalgs(const struct sshkey *key)
|
||||||
|
{
|
||||||
|
const char *ktype = sshkey_ssh_name(key);
|
||||||
|
const char *hostkeyalgs = options.hostkeyalgorithms;
|
||||||
|
|
||||||
|
if (key->type == KEY_UNSPEC)
|
||||||
|
return 0;
|
||||||
|
if (key->type == KEY_RSA &&
|
||||||
|
(match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 ||
|
||||||
|
match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1))
|
||||||
|
return 1;
|
||||||
|
if (key->type == KEY_RSA_CERT &&
|
||||||
|
(match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", hostkeyalgs, 0) == 1 ||
|
||||||
|
match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", hostkeyalgs, 0) == 1))
|
||||||
|
return 1;
|
||||||
|
return match_pattern_list(ktype, hostkeyalgs, 0) == 1;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
hostkeys_find_by_key_cb(struct hostkey_foreach_line *l, void *_ctx)
|
hostkeys_find_by_key_cb(struct hostkey_foreach_line *l, void *_ctx)
|
||||||
{
|
{
|
||||||
|
@ -1017,6 +1041,12 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
|
||||||
}
|
}
|
||||||
|
|
||||||
retry:
|
retry:
|
||||||
|
if (!hostkey_accepted_by_hostkeyalgs(host_key)) {
|
||||||
|
error("host key %s not permitted by HostkeyAlgorithms",
|
||||||
|
sshkey_ssh_name(host_key));
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
/* Reload these as they may have changed on cert->key downgrade */
|
/* Reload these as they may have changed on cert->key downgrade */
|
||||||
want_cert = sshkey_is_cert(host_key);
|
want_cert = sshkey_is_cert(host_key);
|
||||||
type = sshkey_type(host_key);
|
type = sshkey_type(host_key);
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshconnect.h,v 1.47 2023/10/12 02:18:18 djm Exp $ */
|
/* $OpenBSD: sshconnect.h,v 1.48 2024/04/30 02:10:49 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
|
@ -24,6 +24,8 @@
|
||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
struct sshkey;
|
||||||
|
|
||||||
typedef struct Sensitive Sensitive;
|
typedef struct Sensitive Sensitive;
|
||||||
struct Sensitive {
|
struct Sensitive {
|
||||||
struct sshkey **keys;
|
struct sshkey **keys;
|
||||||
|
@ -94,3 +96,5 @@ void maybe_add_key_to_agent(const char *, struct sshkey *,
|
||||||
void load_hostkeys_command(struct hostkeys *, const char *,
|
void load_hostkeys_command(struct hostkeys *, const char *,
|
||||||
const char *, const struct ssh_conn_info *,
|
const char *, const struct ssh_conn_info *,
|
||||||
const struct sshkey *, const char *);
|
const struct sshkey *, const char *);
|
||||||
|
|
||||||
|
int hostkey_accepted_by_hostkeyalgs(const struct sshkey *);
|
||||||
|
|
Loading…
Reference in New Issue