upstream: Add ModuliFile keyword to sshd_config to specify the
location of the "moduli" file containing the groups for DH-GEX. This will allow us to run tests against arbitrary moduli files without having to install them. ok djm@ OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
This commit is contained in:
parent
f07519a2af
commit
88057eb6df
23
dh.c
23
dh.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: dh.c,v 1.72 2020/10/18 11:32:01 djm Exp $ */
|
/* $OpenBSD: dh.c,v 1.73 2021/03/12 04:08:19 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||||
*
|
*
|
||||||
|
@ -45,6 +45,18 @@
|
||||||
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
|
static const char *moduli_filename;
|
||||||
|
|
||||||
|
void dh_set_moduli_file(const char *filename)
|
||||||
|
{
|
||||||
|
moduli_filename = filename;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const char * get_moduli_filename(void)
|
||||||
|
{
|
||||||
|
return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||||
{
|
{
|
||||||
|
@ -152,9 +164,9 @@ choose_dh(int min, int wantbits, int max)
|
||||||
int best, bestcount, which, linenum;
|
int best, bestcount, which, linenum;
|
||||||
struct dhgroup dhg;
|
struct dhgroup dhg;
|
||||||
|
|
||||||
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
|
if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
|
||||||
logit("WARNING: could not open %s (%s), using fixed modulus",
|
logit("WARNING: could not open %s (%s), using fixed modulus",
|
||||||
_PATH_DH_MODULI, strerror(errno));
|
get_moduli_filename(), strerror(errno));
|
||||||
return (dh_new_group_fallback(max));
|
return (dh_new_group_fallback(max));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -185,7 +197,8 @@ choose_dh(int min, int wantbits, int max)
|
||||||
|
|
||||||
if (bestcount == 0) {
|
if (bestcount == 0) {
|
||||||
fclose(f);
|
fclose(f);
|
||||||
logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI);
|
logit("WARNING: no suitable primes in %s",
|
||||||
|
get_moduli_filename());
|
||||||
return (dh_new_group_fallback(max));
|
return (dh_new_group_fallback(max));
|
||||||
}
|
}
|
||||||
which = arc4random_uniform(bestcount);
|
which = arc4random_uniform(bestcount);
|
||||||
|
@ -210,7 +223,7 @@ choose_dh(int min, int wantbits, int max)
|
||||||
fclose(f);
|
fclose(f);
|
||||||
if (bestcount != which + 1) {
|
if (bestcount != which + 1) {
|
||||||
logit("WARNING: selected prime disappeared in %s, giving up",
|
logit("WARNING: selected prime disappeared in %s, giving up",
|
||||||
_PATH_DH_MODULI);
|
get_moduli_filename());
|
||||||
return (dh_new_group_fallback(max));
|
return (dh_new_group_fallback(max));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
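Review bot: dh_set_moduli_file() stores the caller's pointer rather than a copy, so whatever is passed in (options.moduli_file in sshd.c) has to stay allocated for as long as choose_dh() can run, and nothing in the hunk records that contract. A one-line comment above the definition would do: `/* Retains the pointer; the caller keeps the storage alive (it is options.moduli_file). */`, and get_moduli_filename() could carry `/* Configured path, else the compiled-in _PATH_DH_MODULI default. */`. As a point of style, `static const char * get_moduli_filename(void)` puts the storage class and return type on the signature line with a space after the `*`, while the rest of the file (see parse_prime just below) writes `static int` on its own line; matching that keeps the new helpers consistent. choose_dh(), which the later hunks modify, starts and ends outside the hunks.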
3
dh.h
3
dh.h
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: dh.h,v 1.18 2019/09/06 05:23:55 djm Exp $ */
|
/* $OpenBSD: dh.h,v 1.19 2021/03/12 04:08:19 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||||
|
@ -47,6 +47,7 @@ int dh_gen_key(DH *, int);
|
||||||
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
||||||
|
|
||||||
u_int dh_estimate(int);
|
u_int dh_estimate(int);
|
||||||
|
void dh_set_moduli_file(const char *);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Max value from RFC4419.
|
* Max value from RFC4419.
|
||||||
|
|
12
servconf.c
12
servconf.c
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
/* $OpenBSD: servconf.c,v 1.377 2021/02/24 01:18:08 dtucker Exp $ */
|
/* $OpenBSD: servconf.c,v 1.378 2021/03/12 04:08:19 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
|
@ -305,6 +305,8 @@ fill_default_server_options(ServerOptions *options)
|
||||||
add_listen_addr(options, NULL, NULL, 0);
|
add_listen_addr(options, NULL, NULL, 0);
|
||||||
if (options->pid_file == NULL)
|
if (options->pid_file == NULL)
|
||||||
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
|
||||||
|
if (options->moduli_file == NULL)
|
||||||
|
options->moduli_file = xstrdup(_PATH_DH_MODULI);
|
||||||
if (options->login_grace_time == -1)
|
if (options->login_grace_time == -1)
|
||||||
options->login_grace_time = 120;
|
options->login_grace_time = 120;
|
||||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
if (options->permit_root_login == PERMIT_NOT_SET)
|
||||||
|
@ -500,7 +502,7 @@ typedef enum {
|
||||||
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||||
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
|
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
|
||||||
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
|
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
|
||||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
|
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
|
||||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||||
|
@ -548,6 +550,7 @@ static struct {
|
||||||
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
|
||||||
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
|
||||||
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
{ "pidfile", sPidFile, SSHCFG_GLOBAL },
|
||||||
|
{ "modulifile", sModuliFile, SSHCFG_GLOBAL },
|
||||||
{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
|
{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
|
||||||
{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
|
{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
|
||||||
{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
|
{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
|
||||||
|
@ -1451,6 +1454,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case sModuliFile:
|
||||||
|
charptr = &options->moduli_file;
|
||||||
|
goto parse_filename;
|
||||||
|
|
||||||
case sPermitRootLogin:
|
case sPermitRootLogin:
|
||||||
intptr = &options->permit_root_login;
|
intptr = &options->permit_root_login;
|
||||||
multistate_ptr = multistate_permitrootlogin;
|
multistate_ptr = multistate_permitrootlogin;
|
||||||
|
@ -2875,6 +2882,7 @@ dump_config(ServerOptions *o)
|
||||||
|
|
||||||
/* string arguments */
|
/* string arguments */
|
||||||
dump_cfg_string(sPidFile, o->pid_file);
|
dump_cfg_string(sPidFile, o->pid_file);
|
||||||
|
dump_cfg_string(sModuliFile, o->moduli_file);
|
||||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||||
dump_cfg_string(sCiphers, o->ciphers);
|
dump_cfg_string(sCiphers, o->ciphers);
|
||||||
dump_cfg_string(sMacs, o->macs);
|
dump_cfg_string(sMacs, o->macs);
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: servconf.h,v 1.151 2021/01/26 05:32:21 dtucker Exp $ */
|
/* $OpenBSD: servconf.h,v 1.152 2021/03/12 04:08:19 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
@ -93,6 +93,7 @@ typedef struct {
|
||||||
|
|
||||||
char *host_key_agent; /* ssh-agent socket for host keys. */
|
char *host_key_agent; /* ssh-agent socket for host keys. */
|
||||||
char *pid_file; /* Where to put our pid */
|
char *pid_file; /* Where to put our pid */
|
||||||
|
char *moduli_file; /* moduli file for DH-GEX */
|
||||||
int login_grace_time; /* Disconnect if no auth in this time
|
int login_grace_time; /* Disconnect if no auth in this time
|
||||||
* (sec). */
|
* (sec). */
|
||||||
int permit_root_login; /* PERMIT_*, see above */
|
int permit_root_login; /* PERMIT_*, see above */
|
||||||
|
|
6
sshd.c
6
sshd.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshd.c,v 1.570 2021/02/05 02:20:23 dtucker Exp $ */
|
/* $OpenBSD: sshd.c,v 1.571 2021/03/12 04:08:19 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -124,6 +124,7 @@
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
#include "sk-api.h"
|
#include "sk-api.h"
|
||||||
#include "srclimit.h"
|
#include "srclimit.h"
|
||||||
|
#include "dh.h"
|
||||||
|
|
||||||
/* Re-exec fds */
|
/* Re-exec fds */
|
||||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||||
|
@ -1724,6 +1725,9 @@ main(int ac, char **av)
|
||||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||||
cfg, &includes, NULL);
|
cfg, &includes, NULL);
|
||||||
|
|
||||||
|
if (options.moduli_file != NULL)
|
||||||
|
dh_set_moduli_file(options.moduli_file);
|
||||||
|
|
||||||
/* Fill in default values for those options not explicitly set. */
|
/* Fill in default values for those options not explicitly set. */
|
||||||
fill_default_server_options(&options);
|
fill_default_server_options(&options);
|
||||||
|
|
||||||
|
|
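Review bot: dh_set_moduli_file() is called before fill_default_server_options(), so when sshd_config has no ModuliFile keyword options.moduli_file is still NULL at this point, the call is skipped, and the path choose_dh() opens comes from dh.c's own _PATH_DH_MODULI fallback rather than from the xstrdup(_PATH_DH_MODULI) default that servconf.c now installs; the default is therefore encoded in two places and only one of them is ever exercised. Calling the setter after defaults are filled makes servconf.c the single source of the path: `fill_default_server_options(&options);` followed by `dh_set_moduli_file(options.moduli_file);` with the NULL test dropped. The enclosing main() starts and ends outside the hunk, so this assumes nothing between parse_server_config() and fill_default_server_options() already depends on the moduli path.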
|
@ -33,8 +33,8 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd_config.5,v 1.328 2021/02/27 23:42:37 djm Exp $
|
.\" $OpenBSD: sshd_config.5,v 1.329 2021/03/12 04:08:19 dtucker Exp $
|
||||||
.Dd $Mdocdate: February 27 2021 $
|
.Dd $Mdocdate: March 12 2021 $
|
||||||
.Dt SSHD_CONFIG 5
|
.Dt SSHD_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -1256,6 +1256,16 @@ will refuse connection attempts with a probability of rate/100 (30%)
|
||||||
if there are currently start (10) unauthenticated connections.
|
if there are currently start (10) unauthenticated connections.
|
||||||
The probability increases linearly and all connection attempts
|
The probability increases linearly and all connection attempts
|
||||||
are refused if the number of unauthenticated connections reaches full (60).
|
are refused if the number of unauthenticated connections reaches full (60).
|
||||||
|
.It Cm ModuliFile
|
||||||
|
Specifies the
|
||||||
|
.Xr moduli 5
|
||||||
|
file that contains the Diffie-Hellman groups used for the
|
||||||
|
.Dq diffie-hellman-group-exchange-sha1
|
||||||
|
and
|
||||||
|
.Dq diffie-hellman-group-exchange-sha256
|
||||||
|
key exchange methods.
|
||||||
|
The default is
|
||||||
|
.Pa /etc/moduli .
|
||||||
.It Cm PasswordAuthentication
|
.It Cm PasswordAuthentication
|
||||||
Specifies whether password authentication is allowed.
|
Specifies whether password authentication is allowed.
|
||||||
The default is
|
The default is
|
||||||
|
|