mirror of git://anongit.mindrot.org/openssh.git
upstream: add CASignatureAlgorithms option for the client, allowing
it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
86e5737c39
commit
ecac7e1f7a
16
readconf.c
16
readconf.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.c,v 1.297 2018/08/12 20:19:13 djm Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.298 2018/09/20 03:30:44 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
|
@ -172,7 +172,7 @@ typedef enum {
|
|||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
||||
oPubkeyAcceptedKeyTypes, oProxyJump,
|
||||
oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
|
||||
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
|
||||
|
|
@ -266,6 +266,7 @@ static struct {
|
|||
{ "dynamicforward", oDynamicForward },
|
||||
{ "preferredauthentications", oPreferredAuthentications },
|
||||
{ "hostkeyalgorithms", oHostKeyAlgorithms },
|
||||
{ "casignaturealgorithms", oCASignatureAlgorithms },
|
||||
{ "bindaddress", oBindAddress },
|
||||
{ "bindinterface", oBindInterface },
|
||||
{ "clearallforwardings", oClearAllForwardings },
|
||||
|
|
@ -1221,6 +1222,10 @@ parse_keytypes:
|
|||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
case oCASignatureAlgorithms:
|
||||
charptr = &options->ca_sign_algorithms;
|
||||
goto parse_keytypes;
|
||||
|
||||
case oLogLevel:
|
||||
log_level_ptr = &options->log_level;
|
||||
arg = strdelim(&s);
|
||||
|
|
@ -1836,6 +1841,7 @@ initialize_options(Options * options)
|
|||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
options->hostkeyalgorithms = NULL;
|
||||
options->ca_sign_algorithms = NULL;
|
||||
options->num_identity_files = 0;
|
||||
options->num_certificate_files = 0;
|
||||
options->hostname = NULL;
|
||||
|
|
@ -1924,7 +1930,7 @@ fill_default_options_for_canonicalization(Options *options)
|
|||
void
|
||||
fill_default_options(Options * options)
|
||||
{
|
||||
char *all_cipher, *all_mac, *all_kex, *all_key;
|
||||
char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
|
||||
int r;
|
||||
|
||||
if (options->forward_agent == -1)
|
||||
|
|
@ -2077,6 +2083,7 @@ fill_default_options(Options * options)
|
|||
all_mac = mac_alg_list(',');
|
||||
all_kex = kex_alg_list(',');
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||
#define ASSEMBLE(what, defaults, all) \
|
||||
do { \
|
||||
if ((r = kex_assemble_names(&options->what, \
|
||||
|
|
@ -2088,11 +2095,13 @@ fill_default_options(Options * options)
|
|||
ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
||||
ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
#undef ASSEMBLE
|
||||
free(all_cipher);
|
||||
free(all_mac);
|
||||
free(all_kex);
|
||||
free(all_key);
|
||||
free(all_sig);
|
||||
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
|
|
@ -2614,6 +2623,7 @@ dump_client_config(Options *o, const char *host)
|
|||
dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);
|
||||
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
|
||||
dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
|
||||
dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
|
||||
dump_cfg_string(oLocalCommand, o->local_command);
|
||||
dump_cfg_string(oRemoteCommand, o->remote_command);
|
||||
dump_cfg_string(oLogLevel, log_level_name(o->log_level));
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.h,v 1.127 2018/07/19 10:28:47 dtucker Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.128 2018/09/20 03:30:44 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
|
@ -67,6 +67,7 @@ typedef struct {
|
|||
char *macs; /* SSH2 macs in order of preference. */
|
||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
|
||||
char *hostname; /* Real host to connect. */
|
||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||
char *proxy_command; /* Proxy command for connecting the host. */
|
||||
|
|
|
|||
16
ssh_config.5
16
ssh_config.5
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $
|
||||
.Dd $Mdocdate: July 23 2018 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $
|
||||
.Dd $Mdocdate: September 20 2018 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
|
@ -261,6 +261,18 @@ Only useful on systems with more than one address.
|
|||
.It Cm BindInterface
|
||||
Use the address of the specified interface on the local machine as the
|
||||
source address of the connection.
|
||||
.It Cm CASignatureAlgorithms
|
||||
Specifies which algorithms are allowed for signing of certificates
|
||||
by certificate authorities (CAs).
|
||||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
.Xr ssh 1
|
||||
will not accept host certificates signed using algorithms other than those
|
||||
specified.
|
||||
.It Cm CanonicalDomains
|
||||
When
|
||||
.Cm CanonicalizeHostname
|
||||
|
|
|
|||
17
sshconnect.c
17
sshconnect.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect.c,v 1.304 2018/07/27 05:34:42 dtucker Exp $ */
|
||||
/* $OpenBSD: sshconnect.c,v 1.305 2018/09/20 03:30:44 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
|
@ -734,19 +734,28 @@ confirm(const char *prompt)
|
|||
}
|
||||
|
||||
static int
|
||||
check_host_cert(const char *host, const struct sshkey *host_key)
|
||||
check_host_cert(const char *host, const struct sshkey *key)
|
||||
{
|
||||
const char *reason;
|
||||
int r;
|
||||
|
||||
if (sshkey_cert_check_authority(host_key, 1, 0, host, &reason) != 0) {
|
||||
if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) {
|
||||
error("%s", reason);
|
||||
return 0;
|
||||
}
|
||||
if (sshbuf_len(host_key->cert->critical) != 0) {
|
||||
if (sshbuf_len(key->cert->critical) != 0) {
|
||||
error("Certificate for %s contains unsupported "
|
||||
"critical options(s)", host);
|
||||
return 0;
|
||||
}
|
||||
if ((r = sshkey_check_cert_sigtype(key,
|
||||
options.ca_sign_algorithms)) != 0) {
|
||||
logit("%s: certificate signature algorithm %s: %s", __func__,
|
||||
(key->cert == NULL || key->cert->signature_type == NULL) ?
|
||||
"(null)" : key->cert->signature_type, ssh_err(r));
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue