Attachment #2308 for bug #1974





/* hostkey handling */
Key	*get_hostkey_by_index(int);
Key	*get_hostkey_public_by_index(int);
Key	*get_hostkey_public_by_type(int);
Key	*get_hostkey_private_by_type(int);
int	 get_hostkey_index(Key *);
int	 ssh1_session_key(BIGNUM *);
void	 sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);

/* debug messages during authentication */
void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

Lines 136-141 struct Kex { Link Here

(-)kex.h (+1 lines)
136	Key (load_host_public_key)(int);	136	Key (load_host_public_key)(int);
137	Key (load_host_private_key)(int);	137	Key (load_host_private_key)(int);
138	int (host_key_index)(Key );	138	int (host_key_index)(Key );
		139	void (sign)(Key , Key , u_char , u_int , u_char *, u_int);
139	void (kex[KEX_MAX])(Kex );	140	void (kex[KEX_MAX])(Kex );
140	};	141	};
141		142




	if (server_host_public == NULL)
		fatal("Unsupported hostkey type %d", kex->hostkey_type);
	server_host_private = kex->load_host_private_key(kex->hostkey_type);
	if (server_host_private == NULL)
		fatal("Missing private key for hostkey type %d",
		    kex->hostkey_type);

	/* key, cert */
	if ((dh_client_pub = BN_new()) == NULL)

	}

	/* sign H */
	kex->sign(server_host_private, server_host_public, &signature, &slen,
	    hash, hashlen);
		fatal("kexdh_server: key_sign failed");

	/* destroy_sensitive_data(); */





	if (server_host_public == NULL)
		fatal("Unsupported hostkey type %d", kex->hostkey_type);
	server_host_private = kex->load_host_private_key(kex->hostkey_type);
	if (server_host_private == NULL)
		fatal("Missing private key for hostkey type %d",
		    kex->hostkey_type);

	debug("expecting SSH2_MSG_KEX_ECDH_INIT");
	packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);

	}

	/* sign H */
	kex->sign(server_host_private, server_host_public, &signature, &slen,
	    hash, hashlen);
		fatal("kexdh_server: key_sign failed");

	/* destroy_sensitive_data(); */





	if (server_host_public == NULL)
		fatal("Unsupported hostkey type %d", kex->hostkey_type);
	server_host_private = kex->load_host_private_key(kex->hostkey_type);
	if (server_host_private == NULL)
		fatal("Missing private key for hostkey type %d",
		    kex->hostkey_type);


	type = packet_read();
	switch (type) {

	}

	/* sign H */
	kex->sign(server_host_private, server_host_public, &signature, &slen,
	    hash, hashlen);
		fatal("kexgex_server: key_sign failed");

	/* destroy_sensitive_data(); */


Lines 75-80 Link Here

(-)monitor.c (-3 / +13 lines)
75	#include "ssh2.h"	75	#include "ssh2.h"
76	#include "jpake.h"	76	#include "jpake.h"
77	#include "roaming.h"	77	#include "roaming.h"
		78	#include "authfd.h"
78		79
79	#ifdef GSSAPI	80	#ifdef GSSAPI
80	static Gssctxt *gsscontext = NULL;	81	static Gssctxt *gsscontext = NULL;
Lines 594-599 mm_answer_moduli(int sock, Buffer *m) Link Here
594	return (0);	595	return (0);
595	}	596	}
596		597
		598	extern AuthenticationConnection *auth_conn;
		599
597	int	600	int
598	mm_answer_sign(int sock, Buffer *m)	601	mm_answer_sign(int sock, Buffer *m)
599	{	602	{
Lines 622-631 mm_answer_sign(int sock, Buffer *m) Link Here
622	memcpy(session_id2, p, session_id2_len);	625	memcpy(session_id2, p, session_id2_len);
623	}	626	}
624		627
625	if ((key = get_hostkey_by_index(keyid)) == NULL)	628	if ((key = get_hostkey_by_index(keyid)) != NULL) {
		629	if (key_sign(key, &signature, &siglen, p, datlen) < 0)
		630	fatal("%s: key_sign failed", __func__);
		631	} else if ((key = get_hostkey_public_by_index(keyid)) != NULL &&
		632	auth_conn != NULL) {
		633	if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p,
		634	datlen) < 0)
		635	fatal("%s: ssh_agent_sign failed", __func__);
		636	} else
626	fatal("%s: no hostkey from index %d", __func__, keyid);	637	fatal("%s: no hostkey from index %d", __func__, keyid);
627	if (key_sign(key, &signature, &siglen, p, datlen) < 0)
628	fatal("%s: key_sign failed", __func__);
629		638
630	debug3("%s: signature %p(%u)", __func__, signature, siglen);	639	debug3("%s: signature %p(%u)", __func__, signature, siglen);
631		640
Lines 1533-1538 mm_get_kex(Buffer *m) Link Here
1533	kex->load_host_public_key=&get_hostkey_public_by_type;	1542	kex->load_host_public_key=&get_hostkey_public_by_type;
1534	kex->load_host_private_key=&get_hostkey_private_by_type;	1543	kex->load_host_private_key=&get_hostkey_private_by_type;
1535	kex->host_key_index=&get_hostkey_index;	1544	kex->host_key_index=&get_hostkey_index;
		1545	kex->sign = sshd_hostkey_sign;
1536		1546
1537	return (kex);	1547	return (kex);
1538	}	1548	}




	options->address_family = -1;
	options->num_host_key_files = 0;
	options->num_host_cert_files = 0;
	options->host_key_agent = NULL;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;

	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
	sKexAlgorithms, sIPQoS, sVersionAddendum,
	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
	sAuthenticationMethods, sHostKeyAgent,
	sDeprecated, sUnsupported
} ServerOpCodes;


	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },

		}
		break;

	case sHostKeyAgent:
		charptr = &options->host_key_agent;
		goto parse_filename;

	case sHostCertificate:
		intptr = &options->num_host_cert_files;
		if (*intptr >= MAX_HOSTKEYS)

	dump_cfg_string(sVersionAddendum, o->version_addendum);
	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
	dump_cfg_string(sHostKeyAgent, o->host_key_agent);

	/* string arguments requiring a lookup */
	dump_cfg_string(sLogLevel, log_level_name(o->log_level));

Lines 65-70 typedef struct { Link Here

(-)servconf.h (+1 lines)
65	int num_host_key_files; /* Number of files for host keys. */	65	int num_host_key_files; /* Number of files for host keys. */
66	char host_cert_files[MAX_HOSTCERTS]; / Files containing host certs. */	66	char host_cert_files[MAX_HOSTCERTS]; / Files containing host certs. */
67	int num_host_cert_files; /* Number of files for host certs. */	67	int num_host_cert_files; /* Number of files for host certs. */
		68	char host_key_agent; / ssh-agent socket for host keys. */
68	char pid_file; / Where to put our pid */	69	char pid_file; / Where to put our pid */
69	int server_key_bits;/* Size of the server key. */	70	int server_key_bits;/* Size of the server key. */
70	int login_grace_time; /* Disconnect if no auth in this time	71	int login_grace_time; /* Disconnect if no auth in this time

Lines 70-75 Link Here

(-)session.c (+8 lines)
70	#include "hostfile.h"	70	#include "hostfile.h"
71	#include "auth.h"	71	#include "auth.h"
72	#include "auth-options.h"	72	#include "auth-options.h"
		73	#include "authfd.h"
73	#include "pathnames.h"	74	#include "pathnames.h"
74	#include "log.h"	75	#include "log.h"
75	#include "servconf.h"	76	#include "servconf.h"
Lines 1261-1266 launch_login(struct passwd pw, const char hostname) Link Here
1261	static void	1262	static void
1262	child_close_fds(void)	1263	child_close_fds(void)
1263	{	1264	{
		1265	extern AuthenticationConnection *auth_conn;
		1266
		1267	if (auth_conn) {
		1268	ssh_close_authentication_connection(auth_conn);
		1269	auth_conn = NULL;
		1270	}
		1271
1264	if (packet_get_connection_in() == packet_get_connection_out())	1272	if (packet_get_connection_in() == packet_get_connection_out())
1265	close(packet_get_connection_in());	1273	close(packet_get_connection_in());
1266	else {	1274	else {

Lines 90-95 Link Here

(-)sshd.c (-7 / +73 lines)
90	#include "canohost.h"	90	#include "canohost.h"
91	#include "hostfile.h"	91	#include "hostfile.h"
92	#include "auth.h"	92	#include "auth.h"
		93	#include "authfd.h"
93	#include "misc.h"	94	#include "misc.h"
94	#include "msg.h"	95	#include "msg.h"
95	#include "dispatch.h"	96	#include "dispatch.h"
Lines 177-182 char *server_version_string = NULL; Link Here
177	/* for rekeying XXX fixme */	178	/* for rekeying XXX fixme */
178	Kex *xxx_kex;	179	Kex *xxx_kex;
179		180
		181	/* Daemon's agent connection */
		182	AuthenticationConnection *auth_conn = NULL;
		183
180	/*	184	/*
181	* Any really sensitive data in the application is contained in this	185	* Any really sensitive data in the application is contained in this
182	* structure. The idea is that this structure could be locked into memory so	186	* structure. The idea is that this structure could be locked into memory so
Lines 189-194 struct { Link Here
189	Key server_key; / ephemeral server key */	193	Key server_key; / ephemeral server key */
190	Key ssh1_host_key; / ssh1 host key */	194	Key ssh1_host_key; / ssh1 host key */
191	Key *host_keys; / all private host keys */	195	Key *host_keys; / all private host keys */
		196	Key *host_pubkeys; / all public host keys */
192	Key *host_certificates; / all public host certificates */	197	Key *host_certificates; / all public host certificates */
193	int have_ssh1_key;	198	int have_ssh1_key;
194	int have_ssh2_key;	199	int have_ssh2_key;
Lines 639-644 privsep_preauth(Authctxt *authctxt) Link Here
639	} else if (pid != 0) {	644	} else if (pid != 0) {
640	debug2("Network child is on pid %ld", (long)pid);	645	debug2("Network child is on pid %ld", (long)pid);
641		646
		647	auth_conn = ssh_get_authentication_connection();
		648
642	pmonitor->m_pid = pid;	649	pmonitor->m_pid = pid;
643	if (box != NULL)	650	if (box != NULL)
644	ssh_sandbox_parent_preauth(box, pid);	651	ssh_sandbox_parent_preauth(box, pid);
Lines 750-755 list_hostkey_types(void) Link Here
750	for (i = 0; i < options.num_host_key_files; i++) {	757	for (i = 0; i < options.num_host_key_files; i++) {
751	key = sensitive_data.host_keys[i];	758	key = sensitive_data.host_keys[i];
752	if (key == NULL)	759	if (key == NULL)
		760	key = sensitive_data.host_pubkeys[i];
		761	if (key == NULL)
753	continue;	762	continue;
754	switch (key->type) {	763	switch (key->type) {
755	case KEY_RSA:	764	case KEY_RSA:
Lines 802-807 get_hostkey_by_type(int type, int need_private) Link Here
802	break;	811	break;
803	default:	812	default:
804	key = sensitive_data.host_keys[i];	813	key = sensitive_data.host_keys[i];
		814	if (key == NULL && !need_private)
		815	key = sensitive_data.host_pubkeys[i];
805	break;	816	break;
806	}	817	}
807	if (key != NULL && key->type == type)	818	if (key != NULL && key->type == type)
Lines 831-836 get_hostkey_by_index(int ind) Link Here
831	return (sensitive_data.host_keys[ind]);	842	return (sensitive_data.host_keys[ind]);
832	}	843	}
833		844
		845	Key *
		846	get_hostkey_public_by_index(int ind)
		847	{
		848	if (ind < 0 \|\| ind >= options.num_host_key_files)
		849	return (NULL);
		850	return (sensitive_data.host_pubkeys[ind]);
		851	}
		852
834	int	853	int
835	get_hostkey_index(Key *key)	854	get_hostkey_index(Key *key)
836	{	855	{
Lines 843-848 get_hostkey_index(Key *key) Link Here
843	} else {	862	} else {
844	if (key == sensitive_data.host_keys[i])	863	if (key == sensitive_data.host_keys[i])
845	return (i);	864	return (i);
		865	if (key == sensitive_data.host_pubkeys[i])
		866	return (i);
846	}	867	}
847	}	868	}
848	return (-1);	869	return (-1);
Lines 1310-1315 main(int ac, char **av) Link Here
1310	u_int64_t ibytes, obytes;	1331	u_int64_t ibytes, obytes;
1311	mode_t new_umask;	1332	mode_t new_umask;
1312	Key *key;	1333	Key *key;
		1334	Key *pubkey;
		1335	int have_agent = 0, keytype;
1313	Authctxt *authctxt;	1336	Authctxt *authctxt;
1314	struct connection_info *connection_info = get_connection_info(0, 0);	1337	struct connection_info *connection_info = get_connection_info(0, 0);
1315		1338
Lines 1542-1563 main(int ac, char **av) Link Here
1542	debug("sshd version %s, %s", SSH_VERSION,	1565	debug("sshd version %s, %s", SSH_VERSION,
1543	SSLeay_version(SSLEAY_VERSION));	1566	SSLeay_version(SSLEAY_VERSION));
1544		1567
1545	/* load private host keys */	1568	/* load host keys */
1546	sensitive_data.host_keys = xcalloc(options.num_host_key_files,	1569	sensitive_data.host_keys = xcalloc(options.num_host_key_files,
1547	sizeof(Key *));	1570	sizeof(Key *));
1548	for (i = 0; i < options.num_host_key_files; i++)	1571	sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files,
		1572	sizeof(Key *));
		1573	for (i = 0; i < options.num_host_key_files; i++) {
1549	sensitive_data.host_keys[i] = NULL;	1574	sensitive_data.host_keys[i] = NULL;
		1575	sensitive_data.host_pubkeys[i] = NULL;
		1576	}
		1577
		1578	if (options.host_key_agent) {
		1579	if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME))
		1580	setenv(SSH_AUTHSOCKET_ENV_NAME,
		1581	options.host_key_agent, 1);
		1582	have_agent = ssh_agent_present();
		1583	}
1550		1584
1551	for (i = 0; i < options.num_host_key_files; i++) {	1585	for (i = 0; i < options.num_host_key_files; i++) {
1552	key = key_load_private(options.host_key_files[i], "", NULL);	1586	key = key_load_private(options.host_key_files[i], "", NULL);
		1587	pubkey = key_load_public(options.host_key_files[i], NULL);
1553	sensitive_data.host_keys[i] = key;	1588	sensitive_data.host_keys[i] = key;
1554	if (key == NULL) {	1589	sensitive_data.host_pubkeys[i] = pubkey;
		1590
		1591	if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 &&
		1592	have_agent) {
		1593	debug("will rely on agent for hostkey %s",
		1594	options.host_key_files[i]);
		1595	keytype = pubkey->type;
		1596	} else if (key != NULL) {
		1597	keytype = key->type;
		1598	} else {
1555	error("Could not load host key: %s",	1599	error("Could not load host key: %s",
1556	options.host_key_files[i]);	1600	options.host_key_files[i]);
1557	sensitive_data.host_keys[i] = NULL;	1601	sensitive_data.host_keys[i] = NULL;
		1602	sensitive_data.host_pubkeys[i] = NULL;
1558	continue;	1603	continue;
1559	}	1604	}
1560	switch (key->type) {	1605
		1606	switch (keytype) {
1561	case KEY_RSA1:	1607	case KEY_RSA1:
1562	sensitive_data.ssh1_host_key = key;	1608	sensitive_data.ssh1_host_key = key;
1563	sensitive_data.have_ssh1_key = 1;	1609	sensitive_data.have_ssh1_key = 1;
Lines 1568-1575 main(int ac, char **av) Link Here
1568	sensitive_data.have_ssh2_key = 1;	1614	sensitive_data.have_ssh2_key = 1;
1569	break;	1615	break;
1570	}	1616	}
1571	debug("private host key: #%d type %d %s", i, key->type,	1617	debug("private host key: #%d type %d %s", i, keytype,
1572	key_type(key));	1618	key_type(key ? key : pubkey));
1573	}	1619	}
1574	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {	1620	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
1575	logit("Disabling protocol version 1. Could not load host key");	1621	logit("Disabling protocol version 1. Could not load host key");
Lines 1906-1914 main(int ac, char **av) Link Here
1906	buffer_init(&loginmsg);	1952	buffer_init(&loginmsg);
1907	auth_debug_reset();	1953	auth_debug_reset();
1908		1954
1909	if (use_privsep)	1955	if (use_privsep) {
1910	if (privsep_preauth(authctxt) == 1)	1956	if (privsep_preauth(authctxt) == 1)
1911	goto authenticated;	1957	goto authenticated;
		1958	} else if (compat20)
		1959	auth_conn = ssh_get_authentication_connection();
1912		1960
1913	/* perform the key exchange */	1961	/* perform the key exchange */
1914	/* authenticate user and start session */	1962	/* authenticate user and start session */
Lines 2194-2199 do_ssh1_kex(void) Link Here
2194	packet_write_wait();	2242	packet_write_wait();
2195	}	2243	}
2196		2244
		2245	void
		2246	sshd_hostkey_sign(Key privkey, Key pubkey, u_char *signature, u_int slen,
		2247	u_char *data, u_int dlen)
		2248	{
		2249	if (privkey) {
		2250	if (PRIVSEP(key_sign(privkey, signature, slen, data, dlen) < 0))
		2251	fatal("%s: key_sign failed", __func__);
		2252	} else if (use_privsep) {
		2253	if (mm_key_sign(pubkey, signature, slen, data, dlen) < 0)
		2254	fatal("%s: pubkey_sign failed", __func__);
		2255	} else {
		2256	if (ssh_agent_sign(auth_conn, pubkey, signature, slen, data,
		2257	dlen))
		2258	fatal("%s: ssh_agent_sign failed", __func__);
		2259	}
		2260	}
		2261
2197	/*	2262	/*
2198	* SSH2 key exchange: diffie-hellman-group1-sha1	2263	* SSH2 key exchange: diffie-hellman-group1-sha1
2199	*/	2264	*/
Lines 2244-2249 do_ssh2_kex(void) Link Here
2244	kex->load_host_public_key=&get_hostkey_public_by_type;	2309	kex->load_host_public_key=&get_hostkey_public_by_type;
2245	kex->load_host_private_key=&get_hostkey_private_by_type;	2310	kex->load_host_private_key=&get_hostkey_private_by_type;
2246	kex->host_key_index=&get_hostkey_index;	2311	kex->host_key_index=&get_hostkey_index;
		2312	kex->sign = sshd_hostkey_sign;
2247		2313
2248	xxx_kex = kex;	2314	xxx_kex = kex;
2249		2315




or
.Dq rsa
are used for version 2 of the SSH protocol.
It is also possible to specify public host key files instead.
In this case operations on the private key will be delegated
to an
.Xr ssh-agent 1 .
.It Cm HostKeyAgent
Identifies the UNIX-domain socket used to communicate
with an agent that has access to the private host keys.
If
.Dq SSH_AUTH_SOCK
is specified, the location of the socket will be read from the
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts

Return to bug 1974

Lines 174-183 check_key_in_hostfiles(struct passwd , Key , const char *, Link Here

(-)auth.h (+2 lines)
174		174
175	/* hostkey handling */	175	/* hostkey handling */
176	Key *get_hostkey_by_index(int);	176	Key *get_hostkey_by_index(int);
		177	Key *get_hostkey_public_by_index(int);
177	Key *get_hostkey_public_by_type(int);	178	Key *get_hostkey_public_by_type(int);
178	Key *get_hostkey_private_by_type(int);	179	Key *get_hostkey_private_by_type(int);
179	int get_hostkey_index(Key *);	180	int get_hostkey_index(Key *);
180	int ssh1_session_key(BIGNUM *);	181	int ssh1_session_key(BIGNUM *);
		182	void sshd_hostkey_sign(Key , Key , u_char *, u_int , u_char *, u_int);
181		183
182	/* debug messages during authentication */	184	/* debug messages during authentication */
183	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));	185	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

Lines 77-85 kexdh_server(Kex *kex) Link Here

(-)kexdhs.c (-6 / +2 lines)
77	if (server_host_public == NULL)	77	if (server_host_public == NULL)
78	fatal("Unsupported hostkey type %d", kex->hostkey_type);	78	fatal("Unsupported hostkey type %d", kex->hostkey_type);
79	server_host_private = kex->load_host_private_key(kex->hostkey_type);	79	server_host_private = kex->load_host_private_key(kex->hostkey_type);
80	if (server_host_private == NULL)
81	fatal("Missing private key for hostkey type %d",
82	kex->hostkey_type);
83		80
84	/* key, cert */	81	/* key, cert */
85	if ((dh_client_pub = BN_new()) == NULL)	82	if ((dh_client_pub = BN_new()) == NULL)
Lines 141-149 kexdh_server(Kex *kex) Link Here
141	}	138	}
142		139
143	/* sign H */	140	/* sign H */
144	if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash,	141	kex->sign(server_host_private, server_host_public, &signature, &slen,
145	hashlen)) < 0)	142	hash, hashlen);
146	fatal("kexdh_server: key_sign failed");
147		143
148	/* destroy_sensitive_data(); */	144	/* destroy_sensitive_data(); */
149		145

Lines 74-82 kexecdh_server(Kex *kex) Link Here

(-)kexecdhs.c (-6 / +2 lines)
74	if (server_host_public == NULL)	74	if (server_host_public == NULL)
75	fatal("Unsupported hostkey type %d", kex->hostkey_type);	75	fatal("Unsupported hostkey type %d", kex->hostkey_type);
76	server_host_private = kex->load_host_private_key(kex->hostkey_type);	76	server_host_private = kex->load_host_private_key(kex->hostkey_type);
77	if (server_host_private == NULL)
78	fatal("Missing private key for hostkey type %d",
79	kex->hostkey_type);
80		77
81	debug("expecting SSH2_MSG_KEX_ECDH_INIT");	78	debug("expecting SSH2_MSG_KEX_ECDH_INIT");
82	packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);	79	packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
Lines 135-143 kexecdh_server(Kex *kex) Link Here
135	}	132	}
136		133
137	/* sign H */	134	/* sign H */
138	if (PRIVSEP(key_sign(server_host_private, &signature, &slen,	135	kex->sign(server_host_private, server_host_public, &signature, &slen,
139	hash, hashlen)) < 0)	136	hash, hashlen);
140	fatal("kexdh_server: key_sign failed");
141		137
142	/* destroy_sensitive_data(); */	138	/* destroy_sensitive_data(); */
143		139

Lines 65-74 kexgex_server(Kex *kex) Link Here

(-)kexgexs.c (-7 / +2 lines)
65	if (server_host_public == NULL)	65	if (server_host_public == NULL)
66	fatal("Unsupported hostkey type %d", kex->hostkey_type);	66	fatal("Unsupported hostkey type %d", kex->hostkey_type);
67	server_host_private = kex->load_host_private_key(kex->hostkey_type);	67	server_host_private = kex->load_host_private_key(kex->hostkey_type);
68	if (server_host_private == NULL)
69	fatal("Missing private key for hostkey type %d",
70	kex->hostkey_type);
71
72		68
73	type = packet_read();	69	type = packet_read();
74	switch (type) {	70	switch (type) {
Lines 184-192 kexgex_server(Kex *kex) Link Here
184	}	180	}
185		181
186	/* sign H */	182	/* sign H */
187	if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash,	183	kex->sign(server_host_private, server_host_public, &signature, &slen,
188	hashlen)) < 0)	184	hash, hashlen);
189	fatal("kexgex_server: key_sign failed");
190		185
191	/* destroy_sensitive_data(); */	186	/* destroy_sensitive_data(); */
192		187

Lines 70-75 initialize_server_options(ServerOptions *options) Link Here

(-)servconf.c (-1 / +8 lines)
70	options->address_family = -1;	70	options->address_family = -1;
71	options->num_host_key_files = 0;	71	options->num_host_key_files = 0;
72	options->num_host_cert_files = 0;	72	options->num_host_cert_files = 0;
		73	options->host_key_agent = NULL;
73	options->pid_file = NULL;	74	options->pid_file = NULL;
74	options->server_key_bits = -1;	75	options->server_key_bits = -1;
75	options->login_grace_time = -1;	76	options->login_grace_time = -1;
Lines 315-321 typedef enum { Link Here
315	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	316	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
316	sKexAlgorithms, sIPQoS, sVersionAddendum,	317	sKexAlgorithms, sIPQoS, sVersionAddendum,
317	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,	318	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
318	sAuthenticationMethods,	319	sAuthenticationMethods, sHostKeyAgent,
319	sDeprecated, sUnsupported	320	sDeprecated, sUnsupported
320	} ServerOpCodes;	321	} ServerOpCodes;
321		322
Lines 332-337 static struct { Link Here
332	{ "port", sPort, SSHCFG_GLOBAL },	333	{ "port", sPort, SSHCFG_GLOBAL },
333	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },	334	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
334	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */	335	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
		336	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
335	{ "pidfile", sPidFile, SSHCFG_GLOBAL },	337	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
336	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },	338	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
337	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },	339	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
Lines 931-936 process_server_config_line(ServerOptions options, char line, Link Here
931	}	933	}
932	break;	934	break;
933		935
		936	case sHostKeyAgent:
		937	charptr = &options->host_key_agent;
		938	goto parse_filename;
		939
934	case sHostCertificate:	940	case sHostCertificate:
935	intptr = &options->num_host_cert_files;	941	intptr = &options->num_host_cert_files;
936	if (*intptr >= MAX_HOSTKEYS)	942	if (*intptr >= MAX_HOSTKEYS)
Lines 1959-1964 dump_config(ServerOptions *o) Link Here
1959	dump_cfg_string(sVersionAddendum, o->version_addendum);	1965	dump_cfg_string(sVersionAddendum, o->version_addendum);
1960	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);	1966	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
1961	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);	1967	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
		1968	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
1962		1969
1963	/* string arguments requiring a lookup */	1970	/* string arguments requiring a lookup */
1964	dump_cfg_string(sLogLevel, log_level_name(o->log_level));	1971	dump_cfg_string(sLogLevel, log_level_name(o->log_level));

Lines 547-552 keys are used for version 1 and Link Here

(-)sshd_config.5 (+12 lines)
547	or	547	or
548	.Dq rsa	548	.Dq rsa
549	are used for version 2 of the SSH protocol.	549	are used for version 2 of the SSH protocol.
		550	It is also possible to specify public host key files instead.
		551	In this case operations on the private key will be delegated
		552	to an
		553	.Xr ssh-agent 1 .
		554	.It Cm HostKeyAgent
		555	Identifies the UNIX-domain socket used to communicate
		556	with an agent that has access to the private host keys.
		557	If
		558	.Dq SSH_AUTH_SOCK
		559	is specified, the location of the socket will be read from the
		560	.Ev SSH_AUTH_SOCK
		561	environment variable.
550	.It Cm IgnoreRhosts	562	.It Cm IgnoreRhosts
551	Specifies that	563	Specifies that
552	.Pa .rhosts	564	.Pa .rhosts