

(-)a/readconf.c (-1 / +21 lines)
Lines 156-162 typedef enum { Link Here
156
	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
156
	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
157
	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
157
	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
158
	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
158
	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
159
	oFingerprintHash,
159
	oFingerprintHash, oHostbasedKeyTypes,
160
	oIgnoredUnknownOption, oDeprecated, oUnsupported
160
	oIgnoredUnknownOption, oDeprecated, oUnsupported
161
} OpCodes;
161
} OpCodes;
162
162
Lines 273-278 static struct { Link Here
273
	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
273
	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
274
	{ "revokedhostkeys", oRevokedHostKeys },
274
	{ "revokedhostkeys", oRevokedHostKeys },
275
	{ "fingerprinthash", oFingerprintHash },
275
	{ "fingerprinthash", oFingerprintHash },
276
	{ "hostbasedkeytypes", oHostbasedKeyTypes },
276
	{ "ignoreunknown", oIgnoreUnknown },
277
	{ "ignoreunknown", oIgnoreUnknown },
277
278
278
	{ NULL, oBadOption }
279
	{ NULL, oBadOption }
Lines 1476-1481 parse_int: Link Here
1476
			*intptr = value;
1477
			*intptr = value;
1477
		break;
1478
		break;
1478
1479
1480
	case oHostbasedKeyTypes:
1481
		charptr = &options->hostbased_key_types;
1482
1483
parse_keytypes:
1484
		arg = strdelim(&s);
1485
		if (!arg || *arg == '\0')
1486
			fatal("%.200s line %d: Missing argument.",
1487
			    filename, linenum);
1488
		if (!sshkey_names_valid2(arg, 1))
1489
			fatal("%s line %d: Bad key types '%s'.",
1490
				filename, linenum, arg ? arg : "<NONE>");
1491
		if (*activep && *charptr == NULL)
1492
			*charptr = xstrdup(arg);
1493
		break;
1494
1479
	case oDeprecated:
1495
	case oDeprecated:
1480
		debug("%s line %d: Deprecated option \"%s\"",
1496
		debug("%s line %d: Deprecated option \"%s\"",
1481
		    filename, linenum, keyword);
1497
		    filename, linenum, keyword);
Lines 1654-1659 initialize_options(Options * options) Link Here
1654
	options->canonicalize_hostname = -1;
1670
	options->canonicalize_hostname = -1;
1655
	options->revoked_host_keys = NULL;
1671
	options->revoked_host_keys = NULL;
1656
	options->fingerprint_hash = -1;
1672
	options->fingerprint_hash = -1;
1673
	options->hostbased_key_types = NULL;
1657
}
1674
}
1658
1675
1659
/*
1676
/*
Lines 1833-1838 fill_default_options(Options * options) Link Here
1833
		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1850
		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1834
	if (options->fingerprint_hash == -1)
1851
	if (options->fingerprint_hash == -1)
1835
		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1852
		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1853
	if (options->hostbased_key_types == NULL)
1854
		options->hostbased_key_types = xstrdup("*");
1836
1855
1837
#define CLEAR_ON_NONE(v) \
1856
#define CLEAR_ON_NONE(v) \
1838
	do { \
1857
	do { \
Lines 2270-2275 dump_client_config(Options *o, const char *host) Link Here
2270
	dump_cfg_string(oBindAddress, o->bind_address);
2289
	dump_cfg_string(oBindAddress, o->bind_address);
2271
	dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
2290
	dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
2272
	dump_cfg_string(oControlPath, o->control_path);
2291
	dump_cfg_string(oControlPath, o->control_path);
2292
	dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
2273
	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2293
	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2274
	dump_cfg_string(oHostKeyAlias, o->host_key_alias);
2294
	dump_cfg_string(oHostKeyAlias, o->host_key_alias);
2275
	dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
2295
	dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
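Review bot: In the parse_int hunk the `arg ? arg : "<NONE>"` argument to the second fatal() can never see a NULL arg, because the preceding `if (!arg || *arg == '\0')` already calls fatal() on it; `filename, linenum, arg` is sufficient there. The `parse_keytypes:` label has no `goto` in the visible hunk, so unless another case jumps to it outside this view it will draw an unused-label warning; if it is a hook for further key-type options, a one-line comment such as `/* shared by the *KeyTypes options */` above it would say so. The two fatal() calls also format the filename differently (`%.200s` versus `%s`); pick one for both. The enclosing switch starts and ends outside the hunk.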
(-)a/readconf.h (+2 lines)
Lines 148-153 typedef struct { Link Here
148
148
149
	int	fingerprint_hash;
149
	int	fingerprint_hash;
150
150
151
	char	*hostbased_key_types;
152
151
	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
153
	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
152
}       Options;
154
}       Options;
153
155
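Review bot: The new `hostbased_key_types` field at line 151 has no comment, while the neighbouring `ignored_unknown` documents what it holds. Suggest `char	*hostbased_key_types; /* Pattern list of key types allowed for hostbased auth */`, in the style of the line below it. The enclosing struct starts outside the hunk.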
(-)a/scp.1 (+1 lines)
Lines 150-155 For full details of the options listed below, and their possible values, see Link Here
150
.It HashKnownHosts
150
.It HashKnownHosts
151
.It Host
151
.It Host
152
.It HostbasedAuthentication
152
.It HostbasedAuthentication
153
.It HostbasedKeyTypes
153
.It HostKeyAlgorithms
154
.It HostKeyAlgorithms
154
.It HostKeyAlias
155
.It HostKeyAlias
155
.It HostName
156
.It HostName
(-)a/sftp.1 (+1 lines)
Lines 215-220 For full details of the options listed below, and their possible values, see Link Here
215
.It HashKnownHosts
215
.It HashKnownHosts
216
.It Host
216
.It Host
217
.It HostbasedAuthentication
217
.It HostbasedAuthentication
218
.It HostbasedKeyTypes
218
.It HostKeyAlgorithms
219
.It HostKeyAlgorithms
219
.It HostKeyAlias
220
.It HostKeyAlias
220
.It HostName
221
.It HostName
(-)a/ssh.1 (+1 lines)
Lines 445-450 For full details of the options listed below, and their possible values, see Link Here
445
.It HashKnownHosts
445
.It HashKnownHosts
446
.It Host
446
.It Host
447
.It HostbasedAuthentication
447
.It HostbasedAuthentication
448
.It HostbasedKeyTypes
448
.It HostKeyAlgorithms
449
.It HostKeyAlgorithms
449
.It HostKeyAlias
450
.It HostKeyAlias
450
.It HostName
451
.It HostName
(-)a/ssh.c (+15 lines)
Lines 1200-1205 main(int ac, char **av) Link Here
1200
			sensitive_data.external_keysign = 1;
1200
			sensitive_data.external_keysign = 1;
1201
		}
1201
		}
1202
	}
1202
	}
1203
1204
	Key *hostkey;
1205
	for (i = 1; i < sensitive_data.nkeys; i++) {
1206
		hostkey = sensitive_data.keys[i];
1207
		if (hostkey && hostkey->type &&
1208
		    match_pattern_list(sshkey_ssh_name(hostkey),
1209
		    options.hostbased_key_types,
1210
		    strlen(options.hostbased_key_types), 0) != 1) {
1211
			debug2("key type %s not in HostbasedKeyTypes",
1212
				sshkey_type(hostkey));
1213
			sshkey_free(hostkey);
1214
			sensitive_data.keys[i] = NULL;
1215
		}
1216
	}
1217
1203
	/*
1218
	/*
1204
	 * Get rid of any extra privileges that we may have.  We will no
1219
	 * Get rid of any extra privileges that we may have.  We will no
1205
	 * longer need them.  Also, extra privileges could make it very hard
1220
	 * longer need them.  Also, extra privileges could make it very hard
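Review bot: The new filter loop in main() starts at `i = 1` and tests `hostkey->type` for non-zero without saying why; if the intent is to skip the protocol-1 RSA key (KEY_RSA1, the zero-valued entry of the key-type enum, if this tree still has it), write it as `hostkey->type != KEY_RSA1` and add a comment on the starting index, since a reader cannot tell a deliberate skip from an off-by-one. The debug2() message prints `sshkey_type(hostkey)` while the pattern is matched against `sshkey_ssh_name(hostkey)`; logging the name that was actually matched makes a HostbasedKeyTypes mismatch easier to diagnose. `Key *hostkey;` is declared after statements, which departs from the declarations-at-top style of the surrounding file; move it to main()'s declaration block. main() starts and ends outside the hunk.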
(-)a/ssh_config.5 (+11 lines)
Lines 777-782 The default is Link Here
777
This option applies to protocol version 2 only and
777
This option applies to protocol version 2 only and
778
is similar to
778
is similar to
779
.Cm RhostsRSAAuthentication .
779
.Cm RhostsRSAAuthentication .
780
.It Cm HostbasedKeyTypes
781
Specifies the key types that will be used for hostbased authentication
782
as a comma-separated pattern list.
783
The default
784
.Dq *
785
will allow all key types.
786
The
787
.Fl Q
788
option of
789
.Xr ssh 1
790
may be used to list supported key types.
780
.It Cm HostKeyAlgorithms
791
.It Cm HostKeyAlgorithms
781
Specifies the protocol version 2 host key algorithms
792
Specifies the protocol version 2 host key algorithms
782
that the client wants to use in order of preference.
793
that the client wants to use in order of preference.
