Re: [PATCH] Place algorithm at head of default list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



no objection, but this and your scp change will have to wait until after
release (both openssh-8.0 and OpenBSD-6.5)

On Sun, 31 Mar 2019, Christian Weisgerber wrote:

> ssh_config(5) and sshd_config(5) already allow adding '+' and
> removing '-' an algorithm from the default list.  Oddly, I mostly
> find myself wanting to prefer an algorithm, i.e., place it at the
> head of the list without removing anything.  The patch below adds
> this ability.  To prefer algorithms, prefix them with '^'.  E.g.:
> 
>   HostKeyAlgorithms ^ssh-ed25519
>   Ciphers ^aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> 
> 
> Index: kex.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/kex.c,v
> retrieving revision 1.150
> diff -u -p -r1.150 kex.c
> --- kex.c	21 Jan 2019 12:08:13 -0000	1.150
> +++ kex.c	31 Mar 2019 09:21:04 -0000
> @@ -202,8 +202,9 @@ kex_names_cat(const char *a, const char 
>  /*
>   * Assemble a list of algorithms from a default list and a string from a
>   * configuration file. The user-provided string may begin with '+' to
> - * indicate that it should be appended to the default or '-' that the
> - * specified names should be removed.
> + * indicate that it should be appended to the default, '-' that the
> + * specified names should be removed, or '^' that they should be placed
> + * at the head.
>   */
>  int
>  kex_assemble_names(char **listp, const char *def, const char *all)
> @@ -237,6 +238,14 @@ kex_assemble_names(char **listp, const c
>  		free(list);
>  		/* filtering has already been done */
>  		return 0;
> +	} else if (*list == '^') {
> +		/* Place names at head of default list */
> +		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
> +			r = SSH_ERR_ALLOC_FAIL;
> +			goto fail;
> +		}
> +		free(list);
> +		list = tmp;
>  	} else {
>  		/* Explicit list, overrides default - just use "list" as is */
>  	}
> Index: readconf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/readconf.c,v
> retrieving revision 1.304
> diff -u -p -r1.304 readconf.c
> --- readconf.c	1 Mar 2019 02:08:50 -0000	1.304
> +++ readconf.c	31 Mar 2019 08:59:57 -0000
> @@ -1179,7 +1179,8 @@ parse_int:
>  		arg = strdelim(&s);
>  		if (!arg || *arg == '\0')
>  			fatal("%.200s line %d: Missing argument.", filename, linenum);
> -		if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
> +		if (*arg != '-' &&
> +		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
>  			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
>  			    filename, linenum, arg ? arg : "<NONE>");
>  		if (*activep && options->ciphers == NULL)
> @@ -1190,7 +1191,8 @@ parse_int:
>  		arg = strdelim(&s);
>  		if (!arg || *arg == '\0')
>  			fatal("%.200s line %d: Missing argument.", filename, linenum);
> -		if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
> +		if (*arg != '-' &&
> +		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
>  			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
>  			    filename, linenum, arg ? arg : "<NONE>");
>  		if (*activep && options->macs == NULL)
> @@ -1203,7 +1205,8 @@ parse_int:
>  			fatal("%.200s line %d: Missing argument.",
>  			    filename, linenum);
>  		if (*arg != '-' &&
> -		    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
> +		    !kex_names_valid(*arg == '+' || *arg == '^' ?
> +		    arg + 1 : arg))
>  			fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
>  			    filename, linenum, arg ? arg : "<NONE>");
>  		if (*activep && options->kex_algorithms == NULL)
> @@ -1218,7 +1221,8 @@ parse_keytypes:
>  			fatal("%.200s line %d: Missing argument.",
>  			    filename, linenum);
>  		if (*arg != '-' &&
> -		    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
> +		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
> +		    arg + 1 : arg, 1))
>  			fatal("%s line %d: Bad key types '%s'.",
>  				filename, linenum, arg ? arg : "<NONE>");
>  		if (*activep && *charptr == NULL)
> Index: servconf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
> retrieving revision 1.350
> diff -u -p -r1.350 servconf.c
> --- servconf.c	25 Mar 2019 22:33:44 -0000	1.350
> +++ servconf.c	31 Mar 2019 08:59:14 -0000
> @@ -1379,7 +1379,8 @@ process_server_config_line(ServerOptions
>  			fatal("%s line %d: Missing argument.",
>  			    filename, linenum);
>  		if (*arg != '-' &&
> -		    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
> +		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
> +		    arg + 1 : arg, 1))
>  			fatal("%s line %d: Bad key types '%s'.",
>  			    filename, linenum, arg ? arg : "<NONE>");
>  		if (*activep && *charptr == NULL)
> @@ -1650,7 +1651,8 @@ process_server_config_line(ServerOptions
>  		arg = strdelim(&cp);
>  		if (!arg || *arg == '\0')
>  			fatal("%s line %d: Missing argument.", filename, linenum);
> -		if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
> +		if (*arg != '-' &&
> +		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
>  			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
>  			    filename, linenum, arg ? arg : "<NONE>");
>  		if (options->ciphers == NULL)
> @@ -1661,7 +1663,8 @@ process_server_config_line(ServerOptions
>  		arg = strdelim(&cp);
>  		if (!arg || *arg == '\0')
>  			fatal("%s line %d: Missing argument.", filename, linenum);
> -		if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
> +		if (*arg != '-' &&
> +		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
>  			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
>  			    filename, linenum, arg ? arg : "<NONE>");
>  		if (options->macs == NULL)
> @@ -1674,7 +1677,8 @@ process_server_config_line(ServerOptions
>  			fatal("%s line %d: Missing argument.",
>  			    filename, linenum);
>  		if (*arg != '-' &&
> -		    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
> +		    !kex_names_valid(*arg == '+' || *arg == '^' ?
> +		    arg + 1 : arg))
>  			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
>  			    filename, linenum, arg ? arg : "<NONE>");
>  		if (options->kex_algorithms == NULL)
> Index: ssh.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
> retrieving revision 1.500
> diff -u -p -r1.500 ssh.c
> --- ssh.c	19 Jan 2019 21:43:56 -0000	1.500
> +++ ssh.c	31 Mar 2019 09:01:29 -0000
> @@ -848,7 +848,7 @@ main(int ac, char **av)
>  			}
>  			break;
>  		case 'c':
> -			if (!ciphers_valid(*optarg == '+' ?
> +			if (!ciphers_valid(*optarg == '+' || *optarg == '^' ?
>  			    optarg + 1 : optarg)) {
>  				fprintf(stderr, "Unknown cipher type '%s'\n",
>  				    optarg);
> Index: ssh_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
> retrieving revision 1.292
> diff -u -p -r1.292 ssh_config.5
> --- ssh_config.5	1 Mar 2019 02:16:47 -0000	1.292
> +++ ssh_config.5	31 Mar 2019 09:40:24 -0000
> @@ -430,6 +430,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified ciphers (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified ciphers will be placed at the head of the
> +default set.
>  .Pp
>  The supported ciphers are:
>  .Bd -literal -offset indent
> @@ -794,6 +798,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified key types (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
>  The default for this option is:
>  .Bd -literal -offset 3n
>  ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> @@ -822,6 +830,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified key types (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
>  The default for this option is:
>  .Bd -literal -offset 3n
>  ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> @@ -1052,6 +1064,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified methods (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified methods will be placed at the head of the
> +default set.
>  The default is:
>  .Bd -literal -offset indent
>  curve25519-sha256,curve25519-sha256@xxxxxxxxxx,
> @@ -1133,6 +1149,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified algorithms (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified algorithms will be placed at the head of the
> +default set.
>  .Pp
>  The algorithms that contain
>  .Qq -etm
> @@ -1290,6 +1310,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified key types (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
>  The default for this option is:
>  .Bd -literal -offset 3n
>  ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> Index: sshd_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.284
> diff -u -p -r1.284 sshd_config.5
> --- sshd_config.5	22 Mar 2019 20:58:34 -0000	1.284
> +++ sshd_config.5	31 Mar 2019 09:41:21 -0000
> @@ -466,6 +466,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified ciphers (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified ciphers will be placed at the head of the
> +default set.
>  .Pp
>  The supported ciphers are:
>  .Pp
> @@ -680,6 +684,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified key types (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
>  The default for this option is:
>  .Bd -literal -offset 3n
>  ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> @@ -885,6 +893,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified methods (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified methods will be placed at the head of the
> +default set.
>  The supported algorithms are:
>  .Pp
>  .Bl -item -compact -offset indent
> @@ -1002,6 +1014,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified algorithms (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified algorithms will be placed at the head of the
> +default set.
>  .Pp
>  The algorithms that contain
>  .Qq -etm
> @@ -1407,6 +1423,10 @@ If the specified value begins with a
>  .Sq -
>  character, then the specified key types (including wildcards) will be removed
>  from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
>  The default for this option is:
>  .Bd -literal -offset 3n
>  ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> -- 
> Christian "naddy" Weisgerber                          naddy@xxxxxxxxxxxx
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux