Bugzilla – Attachment 2529 Details for
Bug 2211
Too many hostbased authentication attempts
[patch]
Add HostbasedKeyTypes to ssh(1)
limit-hostbased.diff (text/plain), 4.32 KB, created by
Iain Morgan
on 2015-01-21 10:00:09 AEDT
Description:
Add HostbasedKeyTypes to ssh(1)
Filename:
MIME Type:
Creator:
Iain Morgan
Created:
2015-01-21 10:00:09 AEDT
Size:
4.32 KB
patch
obsolete
>diff --git a/readconf.c b/readconf.c
>index d7f1cf0..b4237ef 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -156,7 +156,7 @@ typedef enum {
> oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
> oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
> oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
>- oFingerprintHash,
>+ oFingerprintHash, oHostbasedKeyTypes,
> oIgnoredUnknownOption, oDeprecated, oUnsupported
> } OpCodes;
>
>@@ -273,6 +273,7 @@ static struct {
> { "streamlocalbindunlink", oStreamLocalBindUnlink },
> { "revokedhostkeys", oRevokedHostKeys },
> { "fingerprinthash", oFingerprintHash },
>+ { "hostbasedkeytypes", oHostbasedKeyTypes },
> { "ignoreunknown", oIgnoreUnknown },
>
> { NULL, oBadOption }
>@@ -1476,6 +1477,21 @@ parse_int:
> *intptr = value;
> break;
>
>+ case oHostbasedKeyTypes:
>+ charptr = &options->hostbased_key_types;
>+
>+parse_keytypes:
>+ arg = strdelim(&s);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (!sshkey_names_valid2(arg, 1))
>+ fatal("%s line %d: Bad key types '%s'.",
>+ filename, linenum, arg ? arg : "<NONE>");
>+ if (*activep && *charptr == NULL)
>+ *charptr = xstrdup(arg);
>+ break;
>+
> case oDeprecated:
> debug("%s line %d: Deprecated option \"%s\"",
> filename, linenum, keyword);
>@@ -1654,6 +1670,7 @@ initialize_options(Options * options)
> options->canonicalize_hostname = -1;
> options->revoked_host_keys = NULL;
> options->fingerprint_hash = -1;
>+ options->hostbased_key_types = NULL;
> }
>
> /*
>@@ -1833,6 +1850,8 @@ fill_default_options(Options * options)
> options->canonicalize_hostname = SSH_CANONICALISE_NO;
> if (options->fingerprint_hash == -1)
> options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
>+ if (options->hostbased_key_types == NULL)
>+ options->hostbased_key_types = xstrdup("*");
>
> #define CLEAR_ON_NONE(v) \
> do { \
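Review bot: In the `@@ -1476` hunk the second `fatal()` guards with `arg ? arg : "<NONE>"`, but the check just above it already calls `fatal()` when `arg` is NULL, so the fallback is dead and the two messages also format `filename` differently (`%.200s` versus `%s`); the call can simply be `fatal("%.200s line %d: Bad key types '%s'.", filename, linenum, arg);`. The new `parse_keytypes:` label has no `goto` targeting it anywhere in this patch; if it is meant as a shared entry point for later key-type options, a one-line comment such as `/* shared by options that take a key-type pattern list */` would make that intent explicit. The meaning of the `1` passed to `sshkey_names_valid2()` is not visible here — presumably it permits wildcards so that the `"*"` default in `fill_default_options` validates, which is worth confirming. The enclosing `process_config_line` switch starts and ends outside the hunk.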
>@@ -2270,6 +2289,7 @@ dump_client_config(Options *o, const char *host)
> dump_cfg_string(oBindAddress, o->bind_address);
> dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
> dump_cfg_string(oControlPath, o->control_path);
>+ dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
> dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
> dump_cfg_string(oHostKeyAlias, o->host_key_alias);
> dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
>diff --git a/readconf.h b/readconf.h
>index 11a7332..b72259c 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -148,6 +148,8 @@ typedef struct {
>
> int fingerprint_hash;
>
>+ char *hostbased_key_types;
>+
> char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
> } Options;
>
>diff --git a/ssh.1 b/ssh.1
>index efbc58e..7adebaa 100644
>--- a/ssh.1
>+++ b/ssh.1
>@@ -445,6 +445,7 @@ For full details of the options listed below, and their possible values, see
> .It HashKnownHosts
> .It Host
> .It HostbasedAuthentication
>+.It HostbasedKeyTypes
> .It HostKeyAlgorithms
> .It HostKeyAlias
> .It HostName
>diff --git a/ssh.c b/ssh.c
>index 36416fa..b29283d 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -1200,6 +1200,21 @@ main(int ac, char **av)
> sensitive_data.external_keysign = 1;
> }
> }
>+
>+ Key *hostkey;
>+ for (i = 1; i < sensitive_data.nkeys; i++) {
>+ hostkey = sensitive_data.keys[i];
>+ if (hostkey && hostkey->type &&
>+ match_pattern_list(sshkey_ssh_name(hostkey),
>+ options.hostbased_key_types,
>+ strlen(options.hostbased_key_types), 0) != 1) {
>+ debug2("key type %s not in HostbasedKeyTypes",
>+ sshkey_type(hostkey));
>+ sshkey_free(hostkey);
>+ sensitive_data.keys[i] = NULL;
>+ }
>+ }
>+
> /*
> * Get rid of any extra privileges that we may have. We will no
> * longer need them. Also, extra privileges could make it very hard
>diff --git a/ssh_config.5 b/ssh_config.5
>index 361c322..bccca33 100644
>--- a/ssh_config.5
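Review bot: The new `hostbased_key_types` field in the readconf.h hunk carries no comment, while its neighbour `ignored_unknown` documents what it holds; since the ssh_config.5 text in this patch defines the option as a comma-separated pattern list of key types for hostbased authentication, the declaration should say so: `char *hostbased_key_types; /* Pattern list of key types offered for hostbased auth */`.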
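Review bot: The filtering loop added to `main()` in the ssh.c hunk skips `sensitive_data.keys[0]` and any key whose `type` is zero, and nothing in the hunk says why; if this is deliberate (index 0 and type 0 reserved for the protocol 1 key, which cannot be offered for protocol 2 hostbased auth), a comment such as `/* keys[0]/type 0 is the protocol 1 key; only filter protocol 2 host keys */` should precede the loop, otherwise the start index looks like an off-by-one. The loop also dereferences `options.hostbased_key_types` unconditionally via `strlen()`, so it relies on `fill_default_options()` having already installed the `"*"` default; that ordering is not visible here and is worth confirming, because a NULL here is a crash rather than a deny. Declaring `Key *hostkey;` after executable statements and reusing the outer `i` departs from the file's declarations-at-top style; moving the declaration to the top of `main()` and hoisting `strlen(options.hostbased_key_types)` out of the loop would fit the surrounding code better. `main()` starts and ends outside the hunk.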
>+++ b/ssh_config.5
>@@ -777,6 +777,17 @@ The default is
> This option applies to protocol version 2 only and
> is similar to
> .Cm RhostsRSAAuthentication .
>+.It Cm HostbasedKeyTypes
>+Specifies the key types that will be used for hostbased authentication
>+as a comma-separated pattern list.
>+The default
>+.Dq *
>+will allow all key types.
>+The
>+.Fl Q
>+option of
>+.Xr ssh 1
>+may be used to list supported key types.
> .It Cm HostKeyAlgorithms
> Specifies the protocol version 2 host key algorithms
> that the client wants to use in order of preference.