HostKeyAlgorithms option on server is broken when using + sign

This commit is contained in:
Jakub Jelen 2015-08-22 17:31:14 +02:00
parent ebdae84225
commit c98f559725
3 changed files with 51 additions and 1 deletions

View File

@ -382,7 +382,7 @@ diff -up openssh-7.0p1/servconf.c.fips openssh-7.0p1/servconf.c
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS + kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
+ : KEX_SERVER_KEX), &options->kex_algorithms) != 0 || + : KEX_SERVER_KEX), &options->kex_algorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG, kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->hostbased_key_types) != 0 || &options->hostkeyalgorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG, kex_assemble_names(KEX_DEFAULT_PK_ALG,
@@ -2355,8 +2358,10 @@ dump_config(ServerOptions *o) @@ -2355,8 +2358,10 @@ dump_config(ServerOptions *o)
/* string arguments */ /* string arguments */

View File

@ -0,0 +1,46 @@
diff --git a/readconf.c b/readconf.c
index 374e741..23d74fb 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
int i;
char vbuf[5];
+ /* This is normally prepared in ssh_kex2 */
+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
+ fatal("%s: kex_assemble_names failed", __func__);
+
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
dump_cfg_string(oHostName, host);
@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oBindAddress, o->bind_address);
dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
dump_cfg_string(oControlPath, o->control_path);
- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
dump_cfg_string(oHostKeyAlias, o->host_key_alias);
dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
diff --git a/servconf.c b/servconf.c
index 04404a4..08c8139 100644
--- a/servconf.c
+++ b/servconf.c
@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
options->hostbased_authentication = 0;
if (options->hostbased_uses_name_from_packet_only == -1)
options->hostbased_uses_name_from_packet_only = 0;
- if (options->hostkeyalgorithms == NULL)
- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->hostkeyalgorithms) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->hostbased_key_types) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->pubkey_key_types) != 0)

View File

@ -229,6 +229,9 @@ Patch931: openssh-6.9p1-scp-progressmeter.patch
Patch932: openssh-7.0p1-gssKexAlgorithms.patch Patch932: openssh-7.0p1-gssKexAlgorithms.patch
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439) # Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
Patch933: openssh-7.0p1-show-more-fingerprints.patch Patch933: openssh-7.0p1-show-more-fingerprints.patch
# Brokend HostKeyAlgorthms on server using + sign
# from http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034324.html
Patch934: openssh-7.1p1-hostkeyalgorithms.patch
License: BSD License: BSD
@ -466,6 +469,7 @@ popd
%patch931 -p1 -b .progressmeter %patch931 -p1 -b .progressmeter
%patch932 -p1 -b .gsskexalg %patch932 -p1 -b .gsskexalg
%patch933 -p1 -b .fingerprint %patch933 -p1 -b .fingerprint
%patch934 -p1 -b .hostkey
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch700 -p1 -b .fips %patch700 -p1 -b .fips