Bugzilla – Attachment 3202 Details for
Bug 2746
RFE: Allow to disable SHA1 signatures for RSA
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
allow to disable sha1 also in the server configuration
openssh-disable-sha1.patch (text/plain), 4.54 KB, created by
Jakub Jelen
on 2018-11-13 01:31:07 AEDT
(
hide
)
Description:
allow to disable sha1 also in the server configuration
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2018-11-13 01:31:07 AEDT
Size:
4.54 KB
patch
obsolete
>From 296e70942879ae659319de79e1e4623514874140 Mon Sep 17 00:00:00 2001 >From: Jakub Jelen <jjelen@redhat.com> >Date: Mon, 12 Nov 2018 15:29:21 +0100 >Subject: [PATCH] Allow to disable SHA1 also in the server > >--- > monitor.c | 14 ++++++++++---- > sshconnect2.c | 33 ++------------------------------- > sshkey.c | 29 +++++++++++++++++++++++++++++ > sshkey.h | 2 ++ > 4 files changed, 43 insertions(+), 35 deletions(-) > >diff --git a/monitor.c b/monitor.c >index 7b1903af..ed3bd64b 100644 >--- a/monitor.c >+++ b/monitor.c >@@ -1168,9 +1168,12 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) > break; > if (auth2_key_already_used(authctxt, key)) > break; >- if (match_pattern_list(sshkey_ssh_name(key), >- options.pubkey_key_types, 0) != 1) >+ if (sshkey_type_allowed_by_config(key, >+ options.pubkey_key_types) != 1) { >+ debug("Key type %s not in PubkeyAcceptedKeyTypes", >+ sshkey_ssh_name(key)); > break; >+ } > allowed = user_key_allowed(ssh, authctxt->pw, key, > pubkey_auth_attempt, &opts); > break; >@@ -1180,9 +1183,12 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) > break; > if (auth2_key_already_used(authctxt, key)) > break; >- if (match_pattern_list(sshkey_ssh_name(key), >- options.hostbased_key_types, 0) != 1) >+ if (sshkey_type_allowed_by_config(key, >+ options.hostbased_key_types) != 1) { >+ debug("Key type %s not in PubkeyAcceptedKeyTypes", >+ sshkey_ssh_name(key)); > break; >+ } > allowed = hostbased_key_allowed(authctxt->pw, > cuser, chost, key); > auth2_record_info(authctxt, >diff --git a/sshconnect2.c b/sshconnect2.c >index ff34c193..e13e59d7 100644 >--- a/sshconnect2.c >+++ b/sshconnect2.c >@@ -1572,36 +1572,6 @@ load_identity_file(Identity *id) > return private; > } > >-static int >-key_type_allowed_by_config(struct sshkey *key) >-{ >- if (match_pattern_list(sshkey_ssh_name(key), >- options.pubkey_key_types, 0) == 1) >- return 1; >- >- /* RSA keys/certs might be allowed by alternate signature types */ >- switch (key->type) { >- case KEY_RSA: >- if (match_pattern_list("rsa-sha2-512", >- options.pubkey_key_types, 0) == 1) >- return 1; >- if (match_pattern_list("rsa-sha2-256", >- options.pubkey_key_types, 0) == 1) >- return 1; >- break; >- case KEY_RSA_CERT: >- if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", >- options.pubkey_key_types, 0) == 1) >- return 1; >- if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", >- options.pubkey_key_types, 0) == 1) >- return 1; >- break; >- } >- return 0; >-} >- >- > /* > * try keys in the following order: > * 1. certificates listed in the config file >@@ -1726,7 +1696,8 @@ pubkey_prepare(Authctxt *authctxt) > } > /* finally, filter by PubkeyAcceptedKeyTypes */ > TAILQ_FOREACH_SAFE(id, preferred, next, id2) { >- if (id->key != NULL && !key_type_allowed_by_config(id->key)) { >+ if (id->key != NULL && !sshkey_type_allowed_by_config(id->key, >+ options.pubkey_key_types)) { > debug("Skipping %s key %s - " > "not in PubkeyAcceptedKeyTypes", > sshkey_ssh_name(id->key), id->filename); >diff --git a/sshkey.c b/sshkey.c >index e7640d17..ab8e1c1d 100644 >--- a/sshkey.c >+++ b/sshkey.c >@@ -4078,6 +4078,35 @@ sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, > passphrase, keyp, commentp); > } > >+int >+sshkey_type_allowed_by_config(const struct sshkey *key, const char *pubkey_types) >+{ >+ if (match_pattern_list(sshkey_ssh_name(key), >+ pubkey_types, 0) == 1) >+ return 1; >+ >+ /* RSA keys/certs might be allowed by alternate signature types */ >+ switch (key->type) { >+ case KEY_RSA: >+ if (match_pattern_list("rsa-sha2-512", >+ pubkey_types, 0) == 1) >+ return 1; >+ if (match_pattern_list("rsa-sha2-256", >+ pubkey_types, 0) == 1) >+ return 1; >+ break; >+ case KEY_RSA_CERT: >+ if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", >+ pubkey_types, 0) == 1) >+ return 1; >+ if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", >+ pubkey_types, 0) == 1) >+ return 1; >+ break; >+ } >+ return 0; >+} >+ > #ifdef WITH_XMSS > /* > * serialize the key with the current state and forward the state >diff --git a/sshkey.h b/sshkey.h >index f54deb0c..a68579c2 100644 >--- a/sshkey.h >+++ b/sshkey.h >@@ -261,6 +261,8 @@ int ssh_xmss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, > int ssh_xmss_verify(const struct sshkey *key, > const u_char *signature, size_t signaturelen, > const u_char *data, size_t datalen, u_int compat); >+int key_type_allowed_by_config(const struct sshkey *key, >+ const char *pubkey_types); > #endif > > #if !defined(WITH_OPENSSL) >-- >2.19.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=3202">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2746
: 3202 |
3203