mirror of git://anongit.mindrot.org/openssh.git
upstream: Add sshd_config CASignatureAlgorithms option to allow
control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
This commit is contained in:
parent
f80e68ea7d
commit
86e5737c39
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: auth2-hostbased.c,v 1.37 2018/08/28 12:17:45 mestre Exp $ */
|
/* $OpenBSD: auth2-hostbased.c,v 1.38 2018/09/20 03:28:06 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
@ -112,6 +112,13 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
__func__, sshkey_type(key));
|
__func__, sshkey_type(key));
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
if ((r = sshkey_check_cert_sigtype(key,
|
||||||
|
options.ca_sign_algorithms)) != 0) {
|
||||||
|
logit("%s: certificate signature algorithm %s: %s", __func__,
|
||||||
|
(key->cert == NULL || key->cert->signature_type == NULL) ?
|
||||||
|
"(null)" : key->cert->signature_type, ssh_err(r));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
if (!authctxt->valid || authctxt->user == NULL) {
|
if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
debug2("%s: disabled because of invalid user", __func__);
|
debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: auth2-pubkey.c,v 1.85 2018/08/28 12:25:53 mestre Exp $ */
|
/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
@ -137,7 +137,13 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
__func__, sshkey_ssh_name(key));
|
__func__, sshkey_ssh_name(key));
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
if ((r = sshkey_check_cert_sigtype(key,
|
||||||
|
options.ca_sign_algorithms)) != 0) {
|
||||||
|
logit("%s: certificate signature algorithm %s: %s", __func__,
|
||||||
|
(key->cert == NULL || key->cert->signature_type == NULL) ?
|
||||||
|
"(null)" : key->cert->signature_type, ssh_err(r));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
key_s = format_key(key);
|
key_s = format_key(key);
|
||||||
if (sshkey_is_cert(key))
|
if (sshkey_is_cert(key))
|
||||||
ca_s = format_key(key->cert->signature_key);
|
ca_s = format_key(key->cert->signature_key);
|
||||||
|
|
16
servconf.c
16
servconf.c
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
/* $OpenBSD: servconf.c,v 1.340 2018/08/12 20:19:13 djm Exp $ */
|
/* $OpenBSD: servconf.c,v 1.341 2018/09/20 03:28:06 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
|
@ -145,6 +145,7 @@ initialize_server_options(ServerOptions *options)
|
||||||
options->ciphers = NULL;
|
options->ciphers = NULL;
|
||||||
options->macs = NULL;
|
options->macs = NULL;
|
||||||
options->kex_algorithms = NULL;
|
options->kex_algorithms = NULL;
|
||||||
|
options->ca_sign_algorithms = NULL;
|
||||||
options->fwd_opts.gateway_ports = -1;
|
options->fwd_opts.gateway_ports = -1;
|
||||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||||
options->fwd_opts.streamlocal_bind_unlink = -1;
|
options->fwd_opts.streamlocal_bind_unlink = -1;
|
||||||
|
@ -191,13 +192,14 @@ option_clear_or_none(const char *o)
|
||||||
static void
|
static void
|
||||||
assemble_algorithms(ServerOptions *o)
|
assemble_algorithms(ServerOptions *o)
|
||||||
{
|
{
|
||||||
char *all_cipher, *all_mac, *all_kex, *all_key;
|
char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
all_cipher = cipher_alg_list(',', 0);
|
all_cipher = cipher_alg_list(',', 0);
|
||||||
all_mac = mac_alg_list(',');
|
all_mac = mac_alg_list(',');
|
||||||
all_kex = kex_alg_list(',');
|
all_kex = kex_alg_list(',');
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
#define ASSEMBLE(what, defaults, all) \
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
do { \
|
do { \
|
||||||
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
||||||
|
@ -209,11 +211,13 @@ assemble_algorithms(ServerOptions *o)
|
||||||
ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
#undef ASSEMBLE
|
#undef ASSEMBLE
|
||||||
free(all_cipher);
|
free(all_cipher);
|
||||||
free(all_mac);
|
free(all_mac);
|
||||||
free(all_kex);
|
free(all_kex);
|
||||||
free(all_key);
|
free(all_key);
|
||||||
|
free(all_sig);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
@ -487,7 +491,7 @@ typedef enum {
|
||||||
sHostCertificate,
|
sHostCertificate,
|
||||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
||||||
sKexAlgorithms, sIPQoS, sVersionAddendum,
|
sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
||||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||||
|
@ -1431,6 +1435,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||||
charptr = &options->hostkeyalgorithms;
|
charptr = &options->hostkeyalgorithms;
|
||||||
goto parse_keytypes;
|
goto parse_keytypes;
|
||||||
|
|
||||||
|
case sCASignatureAlgorithms:
|
||||||
|
charptr = &options->ca_sign_algorithms;
|
||||||
|
goto parse_keytypes;
|
||||||
|
|
||||||
case sPubkeyAuthentication:
|
case sPubkeyAuthentication:
|
||||||
intptr = &options->pubkey_authentication;
|
intptr = &options->pubkey_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
@ -2601,6 +2609,8 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||||
dump_cfg_string(sKexAlgorithms,
|
dump_cfg_string(sKexAlgorithms,
|
||||||
o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
|
o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
|
||||||
|
dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?
|
||||||
|
o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
|
||||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||||
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
|
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: servconf.h,v 1.136 2018/07/09 21:26:02 markus Exp $ */
|
/* $OpenBSD: servconf.h,v 1.137 2018/09/20 03:28:06 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
@ -110,6 +110,7 @@ typedef struct {
|
||||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
int hostbased_uses_name_from_packet_only; /* experimental */
|
||||||
char *hostbased_key_types; /* Key types allowed for hostbased */
|
char *hostbased_key_types; /* Key types allowed for hostbased */
|
||||||
char *hostkeyalgorithms; /* SSH2 server key types */
|
char *hostkeyalgorithms; /* SSH2 server key types */
|
||||||
|
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
|
||||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||||
char *pubkey_key_types; /* Key types allowed for public key */
|
char *pubkey_key_types; /* Key types allowed for public key */
|
||||||
int kerberos_authentication; /* If true, permit Kerberos
|
int kerberos_authentication; /* If true, permit Kerberos
|
||||||
|
@ -242,6 +243,7 @@ struct connection_info {
|
||||||
M_CP_STROPT(authorized_principals_command_user); \
|
M_CP_STROPT(authorized_principals_command_user); \
|
||||||
M_CP_STROPT(hostbased_key_types); \
|
M_CP_STROPT(hostbased_key_types); \
|
||||||
M_CP_STROPT(pubkey_key_types); \
|
M_CP_STROPT(pubkey_key_types); \
|
||||||
|
M_CP_STROPT(ca_sign_algorithms); \
|
||||||
M_CP_STROPT(routing_domain); \
|
M_CP_STROPT(routing_domain); \
|
||||||
M_CP_STROPT(permit_user_env_whitelist); \
|
M_CP_STROPT(permit_user_env_whitelist); \
|
||||||
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
|
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
|
||||||
|
|
|
@ -33,8 +33,8 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd_config.5,v 1.281 2018/07/20 05:01:10 djm Exp $
|
.\" $OpenBSD: sshd_config.5,v 1.282 2018/09/20 03:28:06 djm Exp $
|
||||||
.Dd $Mdocdate: July 20 2018 $
|
.Dd $Mdocdate: September 20 2018 $
|
||||||
.Dt SSHD_CONFIG 5
|
.Dt SSHD_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -382,6 +382,17 @@ If the argument is
|
||||||
.Cm none
|
.Cm none
|
||||||
then no banner is displayed.
|
then no banner is displayed.
|
||||||
By default, no banner is displayed.
|
By default, no banner is displayed.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
|
by certificate authorities (CAs).
|
||||||
|
The default is:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
Certificates signed using other algorithms will not be accepted for
|
||||||
|
public key or host-based authentication.
|
||||||
.It Cm ChallengeResponseAuthentication
|
.It Cm ChallengeResponseAuthentication
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||||
PAM or through authentication styles supported in
|
PAM or through authentication styles supported in
|
||||||
|
|
Loading…
Reference in New Issue