Bugzilla – Attachment 3198 Details for
Bug 2924
Order a limited host keys list in client based on the known hosts
[patch]
possibility to order host keys in client
openssh-order-hostkeys.patch (text/plain), 5.86 KB, created by
Jakub Jelen
on 2018-11-01 23:55:03 AEDT
Description:
possibility to order host keys in client
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2018-11-01 23:55:03 AEDT
Size:
5.86 KB
patch
obsolete
>From a0a11b4ff5ad54a3f73c12c7659ae02f1ff3252c Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 1 Nov 2018 13:42:18 +0100
>Subject: [PATCH] Allow ordering of the selected host key algorithms in client
>
>Signed-off-by: Jakub Jelen <jjelen@redhat.com>
>---
> readconf.c | 12 +++++++++++-
> readconf.h | 1 +
> ssh_config.5 | 6 ++++++
> sshconnect2.c | 14 ++++++++++----
> 4 files changed, 28 insertions(+), 5 deletions(-)
>
>diff --git a/readconf.c b/readconf.c
>index f5f70dd9..cf82c0d1 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -158,7 +158,8 @@ typedef enum {
> oPubkeyAuthentication,
> oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
> oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
>- oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
>+ oHostKeyAlgorithms, oHostKeyAlgorithmsOrder, oBindAddress,
>+ oBindInterface, oPKCS11Provider,
> oClearAllForwardings, oNoHostAuthenticationForLocalhost,
> oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
> oAddressFamily, oGssAuthentication, oGssDelegateCreds,
>@@ -280,6 +281,7 @@ static struct {
> { "dynamicforward", oDynamicForward },
> { "preferredauthentications", oPreferredAuthentications },
> { "hostkeyalgorithms", oHostKeyAlgorithms },
>+ { "hostkeyalgorithmsorder", oHostKeyAlgorithmsOrder },
> { "casignaturealgorithms", oCASignatureAlgorithms },
> { "bindaddress", oBindAddress },
> { "bindinterface", oBindInterface },
>@@ -1262,6 +1264,10 @@ parse_int:
> options->kex_algorithms = xstrdup(arg);
> break;
>
>+ case oHostKeyAlgorithmsOrder:
>+ intptr = &options->hostkeyalgorithms_order;
>+ goto parse_flag;
>+
> case oHostKeyAlgorithms:
> charptr = &options->hostkeyalgorithms;
> parse_keytypes:
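Review bot: The option registered in the `@@ -158` and `@@ -280` hunks is a plain yes/no flag (the `@@ -1262` hunk routes it through `goto parse_flag`), but the name `HostKeyAlgorithmsOrder` reads like a second algorithm list, and neither the enum entry nor the table entry says what the flag controls. A name that reads as a switch, or at least a short comment at the `{ "hostkeyalgorithmsorder", oHostKeyAlgorithmsOrder },` entry such as `/* flag: reorder HostKeyAlgorithms by known_hosts contents */`, would make the intent clear to anyone reading readconf.c without sshconnect2.c. The accompanying ssh_config.5 text also refers to the flag itself, `If hostkeys specified by .Cm HostKeyAlgorithmsOrder are not ordered`, where `HostKeyAlgorithms` (the list being reordered) appears to be meant, and it should say that the flag only has an effect when `HostKeyAlgorithms` is set, which is what the placement of the call in the sshconnect2.c `@@ -209` hunk suggests.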
>@@ -1913,6 +1919,7 @@ initialize_options(Options * options)
> options->macs = NULL;
> options->kex_algorithms = NULL;
> options->hostkeyalgorithms = NULL;
>+ options->hostkeyalgorithms_order = -1;
> options->ca_sign_algorithms = NULL;
> options->num_identity_files = 0;
> options->num_certificate_files = 0;
>@@ -2077,6 +2084,8 @@ fill_default_options(Options * options)
> if (options->number_of_password_prompts == -1)
> options->number_of_password_prompts = 3;
> /* options->hostkeyalgorithms, default set in myproposals.h */
>+ if (options->hostkeyalgorithms_order == -1)
>+ options->hostkeyalgorithms_order = 0;
> if (options->add_keys_to_agent == -1)
> options->add_keys_to_agent = 0;
> if (options->num_identity_files == 0) {
>@@ -2669,6 +2678,7 @@ dump_client_config(Options *o, const char *host)
> #endif /* GSSAPI */
> dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
> dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
>+ dump_cfg_fmtint(oHostKeyAlgorithmsOrder, o->hostkeyalgorithms_order);
> dump_cfg_fmtint(oIdentitiesOnly, o->identities_only);
> dump_cfg_fmtint(oKbdInteractiveAuthentication, o->kbd_interactive_authentication);
> dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);
>diff --git a/readconf.h b/readconf.h
>index de9272f0..ba26e3c4 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -72,6 +72,7 @@ typedef struct {
> char *ciphers; /* SSH2 ciphers in order of preference. */
> char *macs; /* SSH2 macs in order of preference. */
> char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
>+ int hostkeyalgorithms_order; /* Order the specified host key algorithms */
> char *kex_algorithms; /* SSH2 kex methods in order of preference. */
> char *ca_sign_algorithms; /* Allowed CA signature algorithms */
> char *hostname; /* Real host to connect. */
>diff --git a/ssh_config.5 b/ssh_config.5
>index 417b7675..24730c1c 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
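Review bot: The field comment added in the readconf.h hunk, `/* Order the specified host key algorithms */`, does not say what ordering means or what the sentinel values are, and this struct is the one place a maintainer will look. Since the field is a tri-state like its neighbours (`-1` unset in `initialize_options`, `0` default in `fill_default_options`, per the first two readconf.c hunks on this line), a comment along the lines of `/* Flag: reorder hostkeyalgorithms to prefer key types already in known_hosts (-1 = unset). */` would document both; the known_hosts wording follows the existing `Prefer algorithms that we already have keys for` comment in sshconnect2.c, so confirm it against `order_hostkeyalgs()` before adopting it. The `ssh -G` dump line in the `@@ -2669` hunk is a good addition and keeps the option visible for configuration audits.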
>@@ -867,6 +867,12 @@ to prefer their algorithms.
> .Pp
> The list of available key types may also be obtained using
> .Qq ssh -Q key .
>+.It Cm HostKeyAlgorithmsOrder
>+If hostkeys specified by
>+.Cm HostKeyAlgorithmsOrder
>+are not ordered, this allows ordering them based on the known hosts available.
>+Default is
>+.Cm no .
> .It Cm HostKeyAlias
> Specifies an alias that should be used instead of the
> real host name when looking up or saving the host key
>diff --git a/sshconnect2.c b/sshconnect2.c
>index b09a1922..ff34c193 100644
>--- a/sshconnect2.c
>+++ b/sshconnect2.c
>@@ -101,9 +101,9 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
> }
>
> static char *
>-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
>+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *avail)
> {
>- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
>+ char *oavail, *first, *last, *alg, *hostname, *ret;
> size_t maxlen;
> struct hostkeys *hostkeys;
> int ktype;
>@@ -117,7 +117,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> for (i = 0; i < options.num_system_hostfiles; i++)
> load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
>
>- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
>+ oavail = avail = xstrdup(avail);
> maxlen = strlen(avail) + 1;
> first = xmalloc(maxlen);
> last = xmalloc(maxlen);
>@@ -209,6 +209,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
> KEX_DEFAULT_PK_ALG, all_key) != 0)
> fatal("%s: kex_assemble_namelist", __func__);
> free(all_key);
>+ if (options.hostkeyalgorithms_order) {
>+ char *tmp = options.hostkeyalgorithms;
>+ options.hostkeyalgorithms = order_hostkeyalgs(host,
>+ hostaddr, port, options.hostkeyalgorithms);
>+ free(tmp);
>+ }
> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> compat_pkalg_proposal(options.hostkeyalgorithms);
> } else {
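Review bot: The new `char *avail` parameter in the `@@ -101` hunk is never written through, only duplicated in the `@@ -117` hunk, so it should be `const char *`; the `@@ -217` hunk on the next line passes the string literal `KEX_DEFAULT_PK_ALG` to it, which a non-const parameter accepts silently but only because C does not enforce the literal's constness. Reusing the parameter name as the `strsep` cursor (`oavail = avail = xstrdup(avail);`) also makes the function harder to read than it was. I would keep the original declaration `char *oavail, *avail, *first, *last, *alg, *hostname, *ret;`, name the parameter differently, `order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, const char *algs)`, and write `oavail = avail = xstrdup(algs);` in the `@@ -117` hunk, which also lets the signature wrap under 80 columns as the surrounding code does. The rest of `order_hostkeyalgs` lies outside these two hunks.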
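Review bot: The reordering block added in the `@@ -209` hunk carries no comment, and a reader will reasonably ask whether feeding known_hosts contents into the preference list can widen what the user restricted with `HostKeyAlgorithms`. As far as the `@@ -117` hunk shows, `order_hostkeyalgs()` sizes its `first`/`last` buffers from the input list and only partitions that list, so the result is a permutation of `options.hostkeyalgorithms` after `kex_assemble_namelist()` has already resolved any `+`/`-`/`^` prefixes; that property is what makes the option safe to enable and it deserves to be stated at the call site, e.g. `/* Reorder only: the result is a permutation of the list assembled above, so a type excluded by HostKeyAlgorithms is never re-added from known_hosts. */`. Please confirm against the body of `order_hostkeyalgs()`, which is outside this hunk, before committing to that wording. The `tmp`/`free(tmp)` handling of the previous allocation looks correct, given that the original `order_hostkeyalgs()` return value was already owned by the caller in the `else` branch.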
>@@ -217,7 +223,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
> /* Prefer algorithms that we already have keys for */
> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> compat_pkalg_proposal(
>- order_hostkeyalgs(host, hostaddr, port));
>+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
> }
>
> #ifdef GSSAPI
>--
>2.17.2
>