author | 2015-01-13 07:39:19 +0000 | |
---|---|---|
committer | 2015-01-13 07:39:19 +0000 | |
commit | dc9cac76df6e44b19c92737fba575da89ba76ff4 (patch) | |
tree | 31291f9b74a6faef4ab772389046bcdbfd6f8375 /usr.bin/ssh/sshkey.c | |
parent | Remove unnecessary calls to __atexit_register_cleanup(), calling __sinit() (diff) | |
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@
Diffstat (limited to 'usr.bin/ssh/sshkey.c')
-rw-r--r-- | usr.bin/ssh/sshkey.c | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index 1fd3136340f..5116fad5028 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.10 2015/01/12 20:13:27 markus Exp $ */
+/* $OpenBSD: sshkey.c,v 1.11 2015/01/13 07:39:19 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -50,6 +50,7 @@
 #include "digest.h"
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
+#include "match.h"
 
 /* openssh private key file format */
 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -207,9 +208,11 @@ key_alg_list(int certs_only, int plain_only)
 }
 
 int
-sshkey_names_valid2(const char *names)
+sshkey_names_valid2(const char *names, int allow_wildcard)
 {
 	char *s, *cp, *p;
+	const struct keytype *kt;
+	int type;
 
 	if (names == NULL || strcmp(names, "") == 0)
 		return 0;
@@ -217,9 +220,28 @@ sshkey_names_valid2(const char *names)
 		return 0;
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
-		switch (sshkey_type_from_name(p)) {
-		case KEY_RSA1:
-		case KEY_UNSPEC:
+		type = sshkey_type_from_name(p);
+		if (type == KEY_RSA1) {
+			free(s);
+			return 0;
+		}
+		if (type == KEY_UNSPEC) {
+			if (allow_wildcard) {
+				/*
+				 * Try matching key types against the string.
+				 * If any has a positive or negative match then
+				 * the component is accepted.
+				 */
+				for (kt = keytypes; kt->type != -1; kt++) {
+					if (kt->type == KEY_RSA1)
+						continue;
+					if (match_pattern_list(kt->name,
+					    p, strlen(p), 0) != 0)
+						break;
+				}
+				if (kt->type != -1)
+					continue;
+			}
 			free(s);
 			return 0;
 		}
|
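Review bot: The new `allow_wildcard` parameter on `sshkey_names_valid2()` changes the function's contract but nothing in the hunk documents it, and `sshkey_names_valid2` is not static, so every caller in the tree now has to know what a non-zero value permits. A header comment above the `int` line would do, e.g. `/* Validate a comma-separated list of key type names; with allow_wildcard set, a component may also be a match_pattern_list() pattern (including "!" negation) that matches at least one supported type. Returns 1 if every component is acceptable, 0 otherwise. */`. The function's body continues into the next hunk and its end is outside the diff, so the exact return value on success should be confirmed against the unchanged tail before committing to it in the comment.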
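Review bot: The wildcard acceptance in the `if (allow_wildcard)` block treats a negative match as sufficient (`match_pattern_list(...) != 0` together with the comment "positive or negative match"), so a list such as `PubkeyAcceptedKeyTypes !ssh-rsa` passes validation, yet if `match_pattern_list()` follows the usual OpenSSH semantics a list with only negated patterns never yields a positive match and the resulting sshd configuration would accept no public key types at all. That is a silent lock-out rather than a configuration error, which is the opposite of what an administrator writing "everything except RSA" intends. The behaviour should at least be documented in the block comment, e.g. add `* Note: a component made only of negated patterns validates here but will match no key type at all.`, and ideally the new sshd_config options should say so too. The for loop and the enclosing function continue past the end of this hunk, so whether a later check catches an all-negative list cannot be confirmed from here.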