Bugzilla – Attachment 3313 Details for
Bug 2924
Order a limited host keys list in client based on the known hosts
[patch]
Introduce a new modifier for HostKeyAlgorithms to allow ordering
file_2924.txt (text/plain), 4.01 KB, created by
Jakub Jelen
on 2019-08-29 19:45:03 AEST
Description:
Introduce a new modifier for HostKeyAlgorithms to allow ordering
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2019-08-29 19:45:03 AEST
Size:
4.01 KB
patch
obsolete
>From 6202720180305e4358ebdbb160bc572953fe435b Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 1 Nov 2018 13:42:18 +0100
>Subject: [PATCH] Allow ordering of the selected host key algorithms in client
>
>Signed-off-by: Jakub Jelen <jjelen@redhat.com>
>---
> kex.c | 6 +++++-
> readconf.c | 6 +++++-
> ssh_config.5 | 3 +++
> sshconnect2.c | 14 ++++++++++----
> 4 files changed, 23 insertions(+), 6 deletions(-)
>
>diff --git a/kex.c b/kex.c
>index 1fbce2bb..4f65f478 100644
>--- a/kex.c
>+++ b/kex.c
>@@ -237,7 +237,11 @@ kex_assemble_names(char **listp, const char *def, const char *all)
>
> list = *listp;
> *listp = NULL;
>- if (*list == '+') {
>+ if (*list == ':') {
>+ /* Used in HostKeyAlgorithms to denote the list is supposed to be ordered later */
>+ /* Noop here */
>+ return 0;
>+ } else if (*list == '+') {
> /* Append names to default list */
> if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
> r = SSH_ERR_ALLOC_FAIL;
>diff --git a/readconf.c b/readconf.c
>index 9446f54b..3fea5840 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -1237,8 +1237,12 @@ parse_keytypes:
> if (!arg || *arg == '\0')
> fatal("%.200s line %d: Missing argument.",
> filename, linenum);
>+ if (opcode == oHostKeyAlgorithms)
>+ arg2 = "+-:";
>+ else
>+ arg2 = "+-";
> if (*arg != '-' &&
>- !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
>+ !sshkey_names_valid2(strchr(arg2, *arg) ? arg + 1 : arg, 1))
> fatal("%s line %d: Bad key types '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && *charptr == NULL)
>diff --git a/ssh_config.5 b/ssh_config.5
>index 53cb5abf..b1205a90 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
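Review bot: The new `:` branch in kex_assemble_names returns after the context lines `list = *listp;` and `*listp = NULL;` have already run, so the caller is handed `*listp == NULL` and the original string is leaked; the `@@ -182` hunk of sshconnect2.c then evaluates `*options.hostkeyalgorithms == ':'` on that result, which is a NULL dereference on every `:`-prefixed HostKeyAlgorithms value. Hand the list back before leaving: `*listp = list;` followed by `return 0;`. The early return also skips whatever matching against `all` the rest of kex_assemble_names performs (the body continues outside the hunk), so a `:` list reaches the proposal unfiltered, relying solely on the readconf.c check; and since kex_assemble_names is shared by other name lists, it now accepts a `:` prefix that only the ssh client's HostKeyAlgorithms path knows how to consume.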
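Review bot: The accepted-modifier sets `"+-:"` and `"+-"` carry no comment saying what `:` means, and the `-` in them is never consulted because `*arg != '-'` short-circuits first, so a reader has to cross-reference kex.c to understand the branch. A comment above the assignment such as `/* ':' asks ssh to order the list by known_hosts; only HostKeyAlgorithms supports it */` plus the dead character dropped, `arg2 = (opcode == oHostKeyAlgorithms) ? "+:" : "+";`, would make the intent visible at the point of use. The declaration of `arg2` is outside the hunk; if it is a plain `char *`, a `const char *` local would be the better target for string literals.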
>@@ -822,6 +822,9 @@ If the specified value begins with a
> .Sq -
> character, then the specified key types (including wildcards) will be removed
> from the default set instead of replacing them.
>+If the specified value begins with a
>+.Sq \&:
>+character, then ssh will order the given list based on already known hosts.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@openssh.com,
>diff --git a/sshconnect2.c b/sshconnect2.c
>index 500eed2e..a9f202e0 100644
>--- a/sshconnect2.c
>+++ b/sshconnect2.c
>@@ -101,9 +101,9 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
> }
>
> static char *
>-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
>+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *avail)
> {
>- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
>+ char *oavail, *first, *last, *alg, *hostname, *ret;
> size_t maxlen;
> struct hostkeys *hostkeys;
> int ktype;
>@@ -117,7 +117,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> for (i = 0; i < options.num_system_hostfiles; i++)
> load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
>
>- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
>+ oavail = avail = xstrdup(avail);
> maxlen = strlen(avail) + 1;
> first = xmalloc(maxlen);
> last = xmalloc(maxlen);
>@@ -182,6 +182,12 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
> KEX_DEFAULT_PK_ALG, all_key) != 0)
> fatal("%s: kex_assemble_namelist", __func__);
> free(all_key);
>+ if (*options.hostkeyalgorithms == ':') {
>+ char *tmp = options.hostkeyalgorithms;
>+ options.hostkeyalgorithms = order_hostkeyalgs(host,
>+ hostaddr, port, options.hostkeyalgorithms + 1);
>+ free(tmp);
>+ }
> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> compat_pkalg_proposal(options.hostkeyalgorithms);
> } else {
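Review bot: The new `avail` parameter of order_hostkeyalgs is declared `char *` although the function only reads it, via `xstrdup(avail)` in the `@@ -117` hunk, and both callers pass data that should not be written (`KEX_DEFAULT_PK_ALG`, a string literal, and a slice of the option value); declare it `const char *avail`. Reassigning the parameter in `oavail = avail = xstrdup(avail);` also leaves the reader wondering which `avail` the following `maxlen = strlen(avail) + 1;` refers to; naming the parameter `algs` and keeping `avail` as the local copy, `oavail = avail = xstrdup(algs);`, removes that question and keeps the free(oavail) contract obvious. The body of order_hostkeyalgs continues outside both hunks, so I cannot confirm no other use of the parameter remains.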
>@@ -190,7 +196,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
> /* Prefer algorithms that we already have keys for */
> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> compat_pkalg_proposal(
>- order_hostkeyalgs(host, hostaddr, port));
>+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
> }
>
> if (options.rekey_limit || options.rekey_interval)
>--
>2.21.0
>