
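--- a/readconf.c
+++ b/readconf.c
@@ -158,7 +158,8 @@ typedef enum {
 	oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
-	oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
+	oHostKeyAlgorithms, oHostKeyAlgorithmsOrder, oBindAddress,
+	oBindInterface, oPKCS11Provider,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -280,6 +281,7 @@ static struct {
 	{ "dynamicforward", oDynamicForward },
 	{ "preferredauthentications", oPreferredAuthentications },
 	{ "hostkeyalgorithms", oHostKeyAlgorithms },
+	{ "hostkeyalgorithmsorder", oHostKeyAlgorithmsOrder },
 	{ "casignaturealgorithms", oCASignatureAlgorithms },
 	{ "bindaddress", oBindAddress },
 	{ "bindinterface", oBindInterface },
@@ -1262,6 +1264,10 @@ parse_int:
 			options->kex_algorithms = xstrdup(arg);
 		break;
 
+	case oHostKeyAlgorithmsOrder:
+		intptr = &options->hostkeyalgorithms_order;
+		goto parse_flag;
+
 	case oHostKeyAlgorithms:
 		charptr = &options->hostkeyalgorithms;
 parse_keytypes:
@@ -1913,6 +1919,7 @@ initialize_options(Options * options)
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
 	options->hostkeyalgorithms = NULL;
+	options->hostkeyalgorithms_order = -1;
 	options->ca_sign_algorithms = NULL;
 	options->num_identity_files = 0;
 	options->num_certificate_files = 0;
@@ -2077,6 +2084,8 @@ fill_default_options(Options * options)
 	if (options->number_of_password_prompts == -1)
 		options->number_of_password_prompts = 3;
 	/* options->hostkeyalgorithms, default set in myproposals.h */
+	if (options->hostkeyalgorithms_order == -1)
+		options->hostkeyalgorithms_order = 0;
 	if (options->add_keys_to_agent == -1)
 		options->add_keys_to_agent = 0;
 	if (options->num_identity_files == 0) {
@@ -2669,6 +2678,7 @@ dump_client_config(Options *o, const char *host)
 #endif /* GSSAPI */
 	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
 	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
+	dump_cfg_fmtint(oHostKeyAlgorithmsOrder, o->hostkeyalgorithms_order);
 	dump_cfg_fmtint(oIdentitiesOnly, o->identities_only);
 	dump_cfg_fmtint(oKbdInteractiveAuthentication, o->kbd_interactive_authentication);
 	dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);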
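Review bot: The `case oHostKeyAlgorithmsOrder:` added in the parse_int hunk (new lines 1267-1269) parses a yes/no flag via `goto parse_flag`, yet nothing in readconf.c says what the flag controls, and the keyword name reads as if it took an ordered list; a one-line comment at the case label would prevent that misreading, e.g. `/* yes/no flag: reorder the HostKeyAlgorithms list by key types already in known_hosts (applied in ssh_kex2) */`. The fill_default_options hunk (new lines 2087-2088) sets the default to 0, which is consistent with the "Default is no" wording the man page hunk adds. The enclosing switch and the two initialisation functions all start and end outside their hunks.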
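--- a/readconf.h
+++ b/readconf.h
@@ -72,6 +72,7 @@ typedef struct {
 	char   *ciphers;	/* SSH2 ciphers in order of preference. */
 	char   *macs;		/* SSH2 macs in order of preference. */
 	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
+	int     hostkeyalgorithms_order;	/* Order the specified host key algorithms */
 	char   *kex_algorithms;	/* SSH2 kex methods in order of preference. */
 	char   *ca_sign_algorithms;	/* Allowed CA signature algorithms */
 	char   *hostname;	/* Real host to connect. */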
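Review bot: The comment on the new field at line 75, `/* Order the specified host key algorithms */`, does not say that the field is a yes/no flag rather than a list, nor that -1 marks it unset until fill_default_options runs (readconf.c hunks at new lines 1922 and 2087-2088). I would change the line to `int     hostkeyalgorithms_order;	/* yes/no: reorder HostKeyAlgorithms by key types already in known_hosts; -1 = unset */`. The struct starts and ends outside the hunk.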
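--- a/ssh_config.5
+++ b/ssh_config.5
@@ -867,6 +867,12 @@ to prefer their algorithms.
 .Pp
 The list of available key types may also be obtained using
 .Qq ssh -Q key .
+.It Cm HostKeyAlgorithmsOrder
+If hostkeys specified by
+.Cm HostKeyAlgorithmsOrder
+are not ordered, this allows ordering them based on the known hosts available.
+Default is
+.Cm no .
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key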
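--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -101,9 +101,9 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
 }
 
 static char *
-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *avail)
 {
-	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+	char *oavail, *first, *last, *alg, *hostname, *ret;
 	size_t maxlen;
 	struct hostkeys *hostkeys;
 	int ktype;
@@ -117,7 +117,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
 	for (i = 0; i < options.num_system_hostfiles; i++)
 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
 
-	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+	oavail = avail = xstrdup(avail);
 	maxlen = strlen(avail) + 1;
 	first = xmalloc(maxlen);
 	last = xmalloc(maxlen);
@@ -209,6 +209,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 		    KEX_DEFAULT_PK_ALG, all_key) != 0)
 			fatal("%s: kex_assemble_namelist", __func__);
 		free(all_key);
+		if (options.hostkeyalgorithms_order) {
+			char *tmp = options.hostkeyalgorithms;
+			options.hostkeyalgorithms = order_hostkeyalgs(host,
+			    hostaddr, port, options.hostkeyalgorithms);
+			free(tmp);
+		}
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(options.hostkeyalgorithms);
 	} else {
@@ -217,7 +223,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(
-		    order_hostkeyalgs(host, hostaddr, port));
+		    order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
 	}
 
 #ifdef GSSAPI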
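Review bot: The new `char *avail` parameter of order_hostkeyalgs (new line 104) is only ever read, through `xstrdup(avail)` on new line 120, and the second caller (new line 226) passes the `KEX_DEFAULT_PK_ALG` macro, so the parameter should be `const char *`; reusing the parameter as the function's working cursor on the same line also hides that the caller's string is never touched, so I would declare it `const char *algs`, keep `*avail` in the local declaration on line 106, and write `oavail = avail = xstrdup(algs);`. The ssh_kex2 hunk at new lines 212-217 overwrites the global `options.hostkeyalgorithms` with the reordered copy, so anything that reads the option after key exchange sees the known_hosts-derived order rather than what the user wrote in the config; holding the ordered list in a local, or at least a comment stating that the option is rewritten here, would make that explicit. Enabling the flag also means an explicitly configured preference is overridden by whichever key types happen to be recorded for the host, which is worth stating on the `if (options.hostkeyalgorithms_order)` block, e.g. `/* recorded known_hosts key types take precedence over the configured order */`. Both functions start and end outside their hunks.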
