-/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.364 2021/12/19 22:14:47 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
{ "always", SSH_CANONICALISE_ALWAYS },
{ NULL, -1 }
};
+static const struct multistate multistate_pubkey_auth[] = {
+ { "true", SSH_PUBKEY_AUTH_ALL },
+ { "false", SSH_PUBKEY_AUTH_NO },
+ { "yes", SSH_PUBKEY_AUTH_ALL },
+ { "no", SSH_PUBKEY_AUTH_NO },
+ { "unbound", SSH_PUBKEY_AUTH_UNBOUND },
+ { "host-bound", SSH_PUBKEY_AUTH_HBOUND },
+ { NULL, -1 }
+};
static const struct multistate multistate_compression[] = {
#ifdef WITH_ZLIB
{ "yes", COMP_ZLIB },
goto parse_string;
case oPubkeyAuthentication:
+ multistate_ptr = multistate_pubkey_auth;
intptr = &options->pubkey_authentication;
- goto parse_flag;
+ goto parse_multistate;
case oHostbasedAuthentication:
intptr = &options->hostbased_authentication;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->pubkey_authentication == -1)
- options->pubkey_authentication = 1;
+ options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
return fmt_multistate_int(val, multistate_canonicalizehostname);
case oAddKeysToAgent:
return fmt_multistate_int(val, multistate_yesnoaskconfirm);
+ case oPubkeyAuthentication:
+ return fmt_multistate_int(val, multistate_pubkey_auth);
case oFingerprintHash:
return ssh_digest_alg_name(val);
default:
-/* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.146 2021/12/19 22:14:47 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
} Options;
+#define SSH_PUBKEY_AUTH_NO 0x00
+#define SSH_PUBKEY_AUTH_UNBOUND 0x01
+#define SSH_PUBKEY_AUTH_HBOUND 0x02
+#define SSH_PUBKEY_AUTH_ALL 0x03
+
#define SSH_CANONICALISE_NO 0
#define SSH_CANONICALISE_YES 1
#define SSH_CANONICALISE_ALWAYS 2
-/* $OpenBSD: sshconnect2.c,v 1.353 2021/12/19 22:12:54 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.354 2021/12/19 22:14:47 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
int r, fallback_sigtype, sent = 0;
char *alg = NULL, *fp = NULL;
const char *loc = "", *method = "publickey";
+ int hostbound = 0;
/* prefer host-bound pubkey signatures if supported by server */
- if ((ssh->kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) != 0)
+ if ((ssh->kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) != 0 &&
+ (options.pubkey_authentication & SSH_PUBKEY_AUTH_HBOUND) != 0) {
+ hostbound = 1;
method = "publickey-hostbound-v00@openssh.com";
+ }
if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL)
return 0;
- debug3_f("%s %s", sshkey_type(id->key), fp);
+ debug3_f("using %s with %s %s", method, sshkey_type(id->key), fp);
/*
* If the key is an certificate, try to find a matching private key
(r = sshkey_puts(id->key, b)) != 0) {
fatal_fr(r, "assemble signed data");
}
- if ((ssh->kex->flags & KEX_HAS_PUBKEY_HOSTBOUND) != 0) {
+ if (hostbound) {
if (ssh->kex->initial_hostkey == NULL) {
fatal_f("internal error: initial hostkey "
"not recorded");
projects / openbsd / commitdiff