add PubKeyAcceptedRSAExt option

Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
nunojpg · Mar 31, 2017 · 1739ace · 1739ace
1 parent d904886
commit 1739ace
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 6 deletions.
diff --git a/kex.c b/kex.c
@@ -375,7 +375,7 @@ kex_send_newkeys(struct ssh *ssh)
 }
 
 int
-kex_input_ext_info(int type, u_int32_t seq, void *ctxt)
+kex_input_ext_info(int type, u_int32_t seq, void *ctxt, int pubkey_rsa_ext)
 {
 	struct ssh *ssh = ctxt;
 	struct kex *kex = ssh->kex;
@@ -397,12 +397,12 @@ kex_input_ext_info(int type, u_int32_t seq, void *ctxt)
 		debug("%s: %s=<%s>", __func__, name, val);
 		if (strcmp(name, "server-sig-algs") == 0) {
 			found = match_list("rsa-sha2-256", val, NULL);
-			if (found) {
+			if (found && (pubkey_rsa_ext == 0 || pubkey_rsa_ext == 2)) {
 				kex->rsa_sha2 = 256;
 				free(found);
 			}
 			found = match_list("rsa-sha2-512", val, NULL);
-			if (found) {
+			if (found && (pubkey_rsa_ext == 0 || pubkey_rsa_ext == 3)) {
 				kex->rsa_sha2 = 512;
 				free(found);
 			}

diff --git a/kex.h b/kex.h
@@ -182,7 +182,7 @@ void	 kex_prop_free(char **);
 
 int	 kex_send_kexinit(struct ssh *);
 int	 kex_input_kexinit(int, u_int32_t, void *);
-int	 kex_input_ext_info(int, u_int32_t, void *);
+int	 kex_input_ext_info(int, u_int32_t, void *, int);
 int	 kex_derive_keys(struct ssh *, u_char *, u_int, const struct sshbuf *);
 int	 kex_derive_keys_bn(struct ssh *, u_char *, u_int, const BIGNUM *);
 int	 kex_send_newkeys(struct ssh *);

diff --git a/readconf.c b/readconf.c
@@ -170,7 +170,7 @@ typedef enum {
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
-	oPubkeyAcceptedKeyTypes, oProxyJump,
+	oPubkeyAcceptedKeyTypes, oPubkeyAcceptedRSAExt, oProxyJump,
 	oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -306,6 +306,7 @@ static struct {
 	{ "updatehostkeys", oUpdateHostkeys },
 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+	{ "pubkeyacceptedrsaext", oPubkeyAcceptedRSAExt },
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
 
@@ -769,6 +770,13 @@ static const struct multistate multistate_addressfamily[] = {
 	{ "any",			AF_UNSPEC },
 	{ NULL, -1 }
 };
+static const struct multistate multistate_pubkeyrsaext[] = {
+	{ "any",			0 },
+	{ "sha1-only",		1 },
+	{ "sha2-256",		2 },
+	{ "sha2-512",		3 },
+	{ NULL, -1 }
+};
 static const struct multistate multistate_controlmaster[] = {
 	{ "true",			SSHCTL_MASTER_YES },
 	{ "yes",			SSHCTL_MASTER_YES },
@@ -1225,6 +1233,11 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
 			options->kex_algorithms = xstrdup(arg);
 		break;
 
+	case oPubkeyAcceptedRSAExt:
+		intptr = &options->pubkey_rsa_ext;
+		multistate_ptr = multistate_pubkeyrsaext;
+		goto parse_multistate;
+
 	case oHostKeyAlgorithms:
 		charptr = &options->hostkeyalgorithms;
 parse_keytypes:
@@ -1879,6 +1892,7 @@ initialize_options(Options * options)
 	options->update_hostkeys = -1;
 	options->hostbased_key_types = NULL;
 	options->pubkey_key_types = NULL;
+	options->pubkey_rsa_ext = -1;
 }
 
 /*
@@ -1968,6 +1982,8 @@ fill_default_options(Options * options)
 		options->port = 0;	/* Filled in ssh_connect. */
 	if (options->address_family == -1)
 		options->address_family = AF_UNSPEC;
+	if (options->pubkey_rsa_ext == -1)
+		options->pubkey_rsa_ext = 0;
 	if (options->connection_attempts == -1)
 		options->connection_attempts = 1;
 	if (options->number_of_password_prompts == -1)
@@ -2514,6 +2530,7 @@ dump_client_config(Options *o, const char *host)
 
 	/* Flag options */
 	dump_cfg_fmtint(oAddressFamily, o->address_family);
+	dump_cfg_fmtint(oPubkeyAcceptedRSAExt, o->pubkey_rsa_ext);
 	dump_cfg_fmtint(oBatchMode, o->batch_mode);
 	dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
 	dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);

diff --git a/readconf.h b/readconf.h
@@ -162,6 +162,7 @@ typedef struct {
 
 	char   *hostbased_key_types;
 	char   *pubkey_key_types;
+	int    pubkey_rsa_ext;
 
 	char   *jump_user;
 	char   *jump_host;

diff --git a/ssh_config.5 b/ssh_config.5
@@ -246,6 +246,15 @@ Valid arguments are
 (use IPv4 only), or
 .Cm inet6
 (use IPv6 only).
+.It Cm PubKeyAcceptedRSAExt
+Specifies which signature algorithms to use when using ssh-rsa public key authentication
+Valid arguments are
+.Cm any
+(the default, accept SHA-2 512, SHA-2 256 or SHA-1, prefer by this order),
+.Cm sha1
+(accept SHA-1 only), or
+.Cm sha2-256
+(accept SHA-2 256 or SHA-1, prefer by this order)
 .It Cm BatchMode
 If set to
 .Cm yes ,

diff --git a/sshconnect2.c b/sshconnect2.c
@@ -448,7 +448,7 @@ input_userauth_service_accept(int type, u_int32_t seqnr, void *ctxt)
 int
 input_userauth_ext_info(int type, u_int32_t seqnr, void *ctxt)
 {
-	return kex_input_ext_info(type, seqnr, active_state);
+	return kex_input_ext_info(type, seqnr, active_state, options.pubkey_rsa_ext);
 }
 
 void