no objection, but this and your scp change will have to wait until after release (both openssh-8.0 and OpenBSD-6.5)
On Sun, 31 Mar 2019, Christian Weisgerber wrote:
> ssh_config(5) and sshd_config(5) already allow adding '+' and
> removing '-' an algorithm from the default list. Oddly, I mostly
> find myself wanting to prefer an algorithm, i.e., place it at the
> head of the list without removing anything. The patch below adds
> this ability. To prefer algorithms, prefix them with '^'. E.g.:
>
> HostKeyAlgorithms ^ssh-ed25519
> Ciphers ^aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
>
>
> Index: kex.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/kex.c,v
> retrieving revision 1.150
> diff -u -p -r1.150 kex.c
> --- kex.c 21 Jan 2019 12:08:13 -0000 1.150
> +++ kex.c 31 Mar 2019 09:21:04 -0000
> @@ -202,8 +202,9 @@ kex_names_cat(const char *a, const char
> /*
> * Assemble a list of algorithms from a default list and a string from a
> * configuration file. The user-provided string may begin with '+' to
> - * indicate that it should be appended to the default or '-' that the
> - * specified names should be removed.
> + * indicate that it should be appended to the default, '-' that the
> + * specified names should be removed, or '^' that they should be placed
> + * at the head.
> */
> int
> kex_assemble_names(char **listp, const char *def, const char *all)
> @@ -237,6 +238,14 @@ kex_assemble_names(char **listp, const c
> free(list);
> /* filtering has already been done */
> return 0;
> + } else if (*list == '^') {
> + /* Place names at head of default list */
> + if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
> + r = SSH_ERR_ALLOC_FAIL;
> + goto fail;
> + }
> + free(list);
> + list = tmp;
> } else {
> /* Explicit list, overrides default - just use "list" as is */
> }
> Index: readconf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/readconf.c,v
> retrieving revision 1.304
> diff -u -p -r1.304 readconf.c
> --- readconf.c 1 Mar 2019 02:08:50 -0000 1.304
> +++ readconf.c 31 Mar 2019 08:59:57 -0000
> @@ -1179,7 +1179,8 @@ parse_int:
> arg = strdelim(&s);
> if (!arg || *arg == '\0')
> fatal("%.200s line %d: Missing argument.", filename, linenum);
> - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
> + if (*arg != '-' &&
> + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
> fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && options->ciphers == NULL)
> @@ -1190,7 +1191,8 @@ parse_int:
> arg = strdelim(&s);
> if (!arg || *arg == '\0')
> fatal("%.200s line %d: Missing argument.", filename, linenum);
> - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
> + if (*arg != '-' &&
> + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
> fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && options->macs == NULL)
> @@ -1203,7 +1205,8 @@ parse_int:
> fatal("%.200s line %d: Missing argument.",
> filename, linenum);
> if (*arg != '-' &&
> - !kex_names_valid(*arg == '+' ? arg + 1 : arg))
> + !kex_names_valid(*arg == '+' || *arg == '^' ?
> + arg + 1 : arg))
> fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && options->kex_algorithms == NULL)
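Review bot: The new `^` branch's comment "Place names at head of default list" leaves out two things a reader of kex_assemble_names needs: that the combined list is still subject to the pattern/validity filtering after the if-chain (the `-` branch's "filtering has already been done" comment implies the other branches are filtered later), and whether `kex_names_cat(list + 1, def)` drops entries of `def` that already appear in the user's list, since otherwise a preferred algorithm that is also a default would be listed twice. I would widen the comment to `/* Place names at head of default list; like '+', the result is pattern-filtered below */` and confirm the duplicate handling against kex_names_cat, which is not in the hunk. Because the `^` path reuses the same concatenation and later filter as `+`, it should not let a name outside `all` into the negotiated list, which is the property worth preserving when this is tested. kex_assemble_names continues outside the hunk.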
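Review bot: The prefix-skip expression `*arg == '+' || *arg == '^' ? arg + 1 : arg` depends on `||` binding tighter than `?:`, which is correct but easy to misread in a validation check; writing it as `(*arg == '+' || *arg == '^') ? arg + 1 : arg` makes the intent explicit. The same expression is now open-coded in nine places (the readconf.c hunks at 1179, 1190, 1203 and 1218, the servconf.c hunks at 1379, 1650, 1661 and 1674, and the ssh.c hunk at 848), so a small shared helper that strips a recognised list-modifier prefix would keep the set of accepted prefixes in one place the next time one is added. The validity check still runs on the remainder after the prefix, so `^` cannot be used to pass an unrecognised name through ciphers_valid, mac_valid or kex_names_valid. The enclosing function in each of these hunks starts and ends outside the hunk.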
> @@ -1218,7 +1221,8 @@ parse_keytypes:
> fatal("%.200s line %d: Missing argument.",
> filename, linenum);
> if (*arg != '-' &&
> - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
> + !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
> + arg + 1 : arg, 1))
> fatal("%s line %d: Bad key types '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && *charptr == NULL)
> Index: servconf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
> retrieving revision 1.350
> diff -u -p -r1.350 servconf.c
> --- servconf.c 25 Mar 2019 22:33:44 -0000 1.350
> +++ servconf.c 31 Mar 2019 08:59:14 -0000
> @@ -1379,7 +1379,8 @@ process_server_config_line(ServerOptions
> fatal("%s line %d: Missing argument.",
> filename, linenum);
> if (*arg != '-' &&
> - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
> + !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
> + arg + 1 : arg, 1))
> fatal("%s line %d: Bad key types '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && *charptr == NULL)
> @@ -1650,7 +1651,8 @@ process_server_config_line(ServerOptions
> arg = strdelim(&cp);
> if (!arg || *arg == '\0')
> fatal("%s line %d: Missing argument.", filename, linenum);
> - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
> + if (*arg != '-' &&
> + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
> fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (options->ciphers == NULL)
> @@ -1661,7 +1663,8 @@ process_server_config_line(ServerOptions
> arg = strdelim(&cp);
> if (!arg || *arg == '\0')
> fatal("%s line %d: Missing argument.", filename, linenum);
> - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
> + if (*arg != '-' &&
> + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
> fatal("%s line %d: Bad SSH2 mac spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (options->macs == NULL)
> @@ -1674,7 +1677,8 @@ process_server_config_line(ServerOptions
> fatal("%s line %d: Missing argument.",
> filename, linenum);
> if (*arg != '-' &&
> - !kex_names_valid(*arg == '+' ? arg + 1 : arg))
> + !kex_names_valid(*arg == '+' || *arg == '^' ?
> + arg + 1 : arg))
> fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (options->kex_algorithms == NULL)
> Index: ssh.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
> retrieving revision 1.500
> diff -u -p -r1.500 ssh.c
> --- ssh.c 19 Jan 2019 21:43:56 -0000 1.500
> +++ ssh.c 31 Mar 2019 09:01:29 -0000
> @@ -848,7 +848,7 @@ main(int ac, char **av)
> }
> break;
> case 'c':
> - if (!ciphers_valid(*optarg == '+' ?
> + if (!ciphers_valid(*optarg == '+' || *optarg == '^' ?
> optarg + 1 : optarg)) {
> fprintf(stderr, "Unknown cipher type '%s'\n",
> optarg);
> Index: ssh_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
> retrieving revision 1.292
> diff -u -p -r1.292 ssh_config.5
> --- ssh_config.5 1 Mar 2019 02:16:47 -0000 1.292
> +++ ssh_config.5 31 Mar 2019 09:40:24 -0000
> @@ -430,6 +430,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified ciphers (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified ciphers will be placed at the head of the
> +default set.
> .Pp
> The supported ciphers are:
> .Bd -literal -offset indent
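Review bot: In the ssh.c hunk only the `-c` cipher option learns the `^` prefix, while the readconf.c hunk at 1190 in the same patch accepts `^` for Macs from ssh_config; the `-m` option is parsed in the same `main` switch but lies outside the hunk. If `-m` mirrors the `+` handling that `-c` has, it needs the same `|| *optarg == '^'` so a value accepted in ssh_config is not rejected on the command line; if it accepts no prefix at all, a short comment on the `-c` case saying the prefixes are command-line-only for ciphers would save the next reader the same question. main continues outside the hunk.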
> @@ -794,6 +798,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified key types (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> @@ -822,6 +830,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified key types (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> @@ -1052,6 +1064,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified methods (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified methods will be placed at the head of the
> +default set.
> The default is:
> .Bd -literal -offset indent
> curve25519-sha256,curve25519-sha256@xxxxxxxxxx,
> @@ -1133,6 +1149,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified algorithms (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified algorithms will be placed at the head of the
> +default set.
> .Pp
> The algorithms that contain
> .Qq -etm
> @@ -1290,6 +1310,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified key types (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> Index: sshd_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.284
> diff -u -p -r1.284 sshd_config.5
> --- sshd_config.5 22 Mar 2019 20:58:34 -0000 1.284
> +++ sshd_config.5 31 Mar 2019 09:41:21 -0000
> @@ -466,6 +466,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified ciphers (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified ciphers will be placed at the head of the
> +default set.
> .Pp
> The supported ciphers are:
> .Pp
> @@ -680,6 +684,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified key types (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> @@ -885,6 +893,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified methods (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified methods will be placed at the head of the
> +default set.
> The supported algorithms are:
> .Pp
> .Bl -item -compact -offset indent
> @@ -1002,6 +1014,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified algorithms (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified algorithms will be placed at the head of the
> +default set.
> .Pp
> The algorithms that contain
> .Qq -etm
> @@ -1407,6 +1423,10 @@ If the specified value begins with a
> .Sq -
> character, then the specified key types (including wildcards) will be removed
> from the default set instead of replacing them.
> +If the specified value begins with a
> +.Sq ^
> +character, then the specified key types will be placed at the head of the
> +default set.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
> --
> Christian "naddy" Weisgerber naddy@xxxxxxxxxxxx
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev