You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
119 lines
4.5 KiB
119 lines
4.5 KiB
diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh
|
|
--- openssh-9.3p1/regress/hostkey-agent.sh.xxx 2023-05-29 18:15:56.311236887 +0200
|
|
+++ openssh-9.3p1/regress/hostkey-agent.sh 2023-05-29 18:16:07.598503551 +0200
|
|
@@ -17,8 +17,21 @@ trace "make CA key"
|
|
|
|
${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
|
|
|
|
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
|
|
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
|
|
+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
|
+echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa"
|
|
+r=$?
|
|
+if [ $r == 0 ]; then
|
|
+echo $SSH_ACCEPTED_KEYTYPES | grep "rsa"
|
|
+r=$?
|
|
+if [ $r -ne 0 ]; then
|
|
+SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa"
|
|
+fi
|
|
+fi
|
|
+
|
|
trace "load hostkeys"
|
|
-for k in $SSH_KEYTYPES ; do
|
|
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
|
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
|
${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
|
|
-I localhost-with-alias $OBJ/agent-key.$k.pub || \
|
|
@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private
|
|
|
|
unset SSH_AUTH_SOCK
|
|
|
|
-for k in $SSH_KEYTYPES ; do
|
|
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
|
verbose "key type $k"
|
|
+ hka=$k
|
|
+ if [ $k = "ssh-rsa" ]; then
|
|
+ hka="rsa-sha2-512"
|
|
+ fi
|
|
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
|
- echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
|
|
+ echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy
|
|
echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
|
|
- opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
|
|
+ opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy"
|
|
( printf 'localhost-with-alias,127.0.0.1,::1 ' ;
|
|
cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
|
|
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
|
|
@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do
|
|
done
|
|
|
|
SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'`
|
|
+SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
|
|
|
# Prepare sshd_proxy for certificates.
|
|
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
|
HOSTKEYALGS=""
|
|
-for k in $SSH_CERTTYPES ; do
|
|
+for k in $SSH_ACCEPTED_CERTTYPES ; do
|
|
test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS},"
|
|
HOSTKEYALGS="${HOSTKEYALGS}${k}"
|
|
done
|
|
-for k in $SSH_KEYTYPES ; do
|
|
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
|
echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy
|
|
echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy
|
|
test -f $OBJ/agent-key.${k}.pub || fatal "no $k key"
|
|
@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >>
|
|
( printf '@cert-authority localhost-with-alias ' ;
|
|
cat $OBJ/agent-ca.pub) > $OBJ/known_hosts
|
|
|
|
-for k in $SSH_CERTTYPES ; do
|
|
+for k in $SSH_ACCEPTED_CERTTYPES ; do
|
|
verbose "cert type $k"
|
|
opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
|
|
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
|
|
diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
|
|
--- openssh-9.3p1/sshconnect2.c.xxx 2023-04-26 17:37:35.100827792 +0200
|
|
+++ openssh-9.3p1/sshconnect2.c 2023-04-26 17:50:31.860748877 +0200
|
|
@@ -221,7 +221,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
|
const struct ssh_conn_info *cinfo)
|
|
{
|
|
char *myproposal[PROPOSAL_MAX];
|
|
- char *all_key, *hkalgs = NULL;
|
|
+ char *all_key, *hkalgs = NULL, *filtered_algs = NULL;
|
|
int r, use_known_hosts_order = 0;
|
|
|
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
|
@@ -260,10 +260,22 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
|
if (use_known_hosts_order)
|
|
hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
|
|
|
|
+ filtered_algs = hkalgs ? match_filter_allowlist(hkalgs, options.pubkey_accepted_algos)
|
|
+ : match_filter_allowlist(options.hostkeyalgorithms,
|
|
+ options.pubkey_accepted_algos);
|
|
+ if (filtered_algs == NULL) {
|
|
+ if (hkalgs)
|
|
+ fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s",
|
|
+ hkalgs, host, options.pubkey_accepted_algos);
|
|
+ else
|
|
+ fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s",
|
|
+ options.hostkeyalgorithms, options.pubkey_accepted_algos);
|
|
+ }
|
|
+
|
|
kex_proposal_populate_entries(ssh, myproposal,
|
|
options.kex_algorithms, options.ciphers, options.macs,
|
|
compression_alg_list(options.compression),
|
|
- hkalgs ? hkalgs : options.hostkeyalgorithms);
|
|
+ filtered_algs);
|
|
|
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
|
if (options.gss_keyex) {
|
|
@@ -303,6 +315,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
|
#endif
|
|
|
|
free(hkalgs);
|
|
+ free(filtered_algs);
|
|
|
|
/* start key exchange */
|
|
if ((r = kex_setup(ssh, myproposal)) != 0)
|