Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
authordtucker <dtucker@openbsd.org>
Fri, 22 Jan 2021 02:44:58 +0000 (02:44 +0000)
committerdtucker <dtucker@openbsd.org>
Fri, 22 Jan 2021 02:44:58 +0000 (02:44 +0000)
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted.  Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading.  The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

12 files changed:
usr.bin/ssh/auth2-pubkey.c
usr.bin/ssh/monitor.c
usr.bin/ssh/readconf.c
usr.bin/ssh/readconf.h
usr.bin/ssh/scp.1
usr.bin/ssh/servconf.c
usr.bin/ssh/servconf.h
usr.bin/ssh/sftp.1
usr.bin/ssh/ssh.c
usr.bin/ssh/ssh_config.5
usr.bin/ssh/sshconnect2.c
usr.bin/ssh/sshd_config.5

index f06a30e..9b5cd24 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.103 2020/12/22 00:12:22 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.104 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -147,8 +147,8 @@ userauth_pubkey(struct ssh *ssh)
                logit("refusing previously-used %s key", sshkey_type(key));
                goto done;
        }
-       if (match_pattern_list(pkalg, options.pubkey_key_types, 0) != 1) {
-               logit_f("key type %s not in PubkeyAcceptedKeyTypes",
+       if (match_pattern_list(pkalg, options.pubkey_accepted_algos, 0) != 1) {
+               logit_f("key type %s not in PubkeyAcceptedAlgorithms",
                    sshkey_ssh_name(key));
                goto done;
        }
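Review bot: The rejection log in userauth_pubkey still says "key type" and prints `sshkey_ssh_name(key)`, although the test on the line above matches `pkalg` against the list. When a key is offered under a signature algorithm whose name differs from the key's own name (the commit message gives RSA with rsa-sha2-512 as an example), the log names something other than the value that was rejected, which makes the entry harder to use when auditing a refused login. Logging the matched value would keep the message in line with the renamed option: `logit_f("signature algorithm %s not in PubkeyAcceptedAlgorithms", pkalg);`. userauth_pubkey starts and ends outside this hunk, so the surrounding use of pkalg should be checked before applying this.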
index e4e7d49..477167d 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.219 2020/12/29 00:59:15 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.220 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -937,7 +937,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
                        if (auth2_key_already_used(authctxt, key))
                                break;
                        if (!key_base_type_match(auth_method, key,
-                           options.pubkey_key_types))
+                           options.pubkey_accepted_algos))
                                break;
                        allowed = user_key_allowed(ssh, authctxt->pw, key,
                            pubkey_auth_attempt, &opts);
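Review bot: In mm_answer_keyallowed the list now defined as signature algorithms is still checked with key_base_type_match(), which by its name compares the key's base type rather than the algorithm the client will sign with. That function's body is not visible here, so this is inferred from the name. If it holds, this monitor-side check admits a key whenever any algorithm for its key type is listed, and the policy is only enforced if the signature algorithm is compared with the same list when the signature is verified. I would confirm that against the verify path and then record it at the call with a comment such as `/* base key type check only; the signature algorithm is checked at verify time */`. The enclosing function starts and ends outside this hunk.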
index b869084..e2fd3f2 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.348 2021/01/08 04:49:13 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.349 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -157,7 +157,7 @@ typedef enum {
        oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
        oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
        oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
-       oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
+       oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
        oSecurityKeyProvider, oKnownHostsCommand,
        oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
@@ -293,7 +293,8 @@ static struct {
        { "fingerprinthash", oFingerprintHash },
        { "updatehostkeys", oUpdateHostkeys },
        { "hostbasedkeytypes", oHostbasedKeyTypes },
-       { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+       { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
+       { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
        { "ignoreunknown", oIgnoreUnknown },
        { "proxyjump", oProxyJump },
        { "securitykeyprovider", oSecurityKeyProvider },
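Review bot: The obsolete spelling is listed before the new one in the keyword table, with both mapped to oPubkeyAcceptedAlgorithms. If the opcode-to-name lookup behind dump_cfg_string returns the first table entry for an opcode (that lookup is not visible here), `ssh -G` will keep printing `pubkeyacceptedkeytypes`, and tooling that audits the effective configuration will never see the new keyword. Listing the new entry first avoids this: `{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },` followed by `{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */`. The same ordering appears in the servconf.c keyword table hunk, where the existing `dsaauthentication` alias is by contrast listed after its primary keyword. The obsolete entry is also marked "obsolete" here but "deprecated name" in ssh.c, so one term should be chosen.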
@@ -1359,7 +1360,7 @@ parse_int:
 
        case oHostKeyAlgorithms:
                charptr = &options->hostkeyalgorithms;
-parse_keytypes:
+parse_pubkey_algos:
                arg = strdelim(&s);
                if (!arg || *arg == '\0') {
                        error("%.200s line %d: Missing argument.",
@@ -1379,7 +1380,7 @@ parse_keytypes:
 
        case oCASignatureAlgorithms:
                charptr = &options->ca_sign_algorithms;
-               goto parse_keytypes;
+               goto parse_pubkey_algos;
 
        case oLogLevel:
                log_level_ptr = &options->log_level;
@@ -1920,11 +1921,11 @@ parse_keytypes:
 
        case oHostbasedKeyTypes:
                charptr = &options->hostbased_key_types;
-               goto parse_keytypes;
+               goto parse_pubkey_algos;
 
-       case oPubkeyAcceptedKeyTypes:
-               charptr = &options->pubkey_key_types;
-               goto parse_keytypes;
+       case oPubkeyAcceptedAlgorithms:
+               charptr = &options->pubkey_accepted_algos;
+               goto parse_pubkey_algos;
 
        case oAddKeysToAgent:
                arg = strdelim(&s);
@@ -2207,7 +2208,7 @@ initialize_options(Options * options)
        options->fingerprint_hash = -1;
        options->update_hostkeys = -1;
        options->hostbased_key_types = NULL;
-       options->pubkey_key_types = NULL;
+       options->pubkey_accepted_algos = NULL;
        options->known_hosts_command = NULL;
 }
 
@@ -2419,7 +2420,7 @@ fill_default_options(Options * options)
        ASSEMBLE(macs, def_mac, all_mac);
        ASSEMBLE(kex_algorithms, def_kex, all_kex);
        ASSEMBLE(hostbased_key_types, def_key, all_key);
-       ASSEMBLE(pubkey_key_types, def_key, all_key);
+       ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
        ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
 
@@ -2539,7 +2540,7 @@ free_options(Options *o)
        }
        free(o->revoked_host_keys);
        free(o->hostbased_key_types);
-       free(o->pubkey_key_types);
+       free(o->pubkey_accepted_algos);
        free(o->jump_user);
        free(o->jump_host);
        free(o->jump_extra);
@@ -3080,7 +3081,7 @@ dump_client_config(Options *o, const char *host)
 #endif
        dump_cfg_string(oSecurityKeyProvider, o->sk_provider);
        dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
-       dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
+       dump_cfg_string(oPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
        dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
        dump_cfg_string(oXAuthLocation, o->xauth_location);
        dump_cfg_string(oKnownHostsCommand, o->known_hosts_command);
index 85ea2e1..4ee730b 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.137 2020/12/22 00:15:23 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.138 2021/01/22 02:44:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -162,7 +162,7 @@ typedef struct {
        int      update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
 
        char   *hostbased_key_types;
-       char   *pubkey_key_types;
+       char   *pubkey_accepted_algos;
 
        char   *jump_user;
        char   *jump_host;
index a5bd723..c0e0082 100644 (file)
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.92 2020/12/22 07:40:26 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.93 2021/01/22 02:44:58 dtucker Exp $
 .\"
-.Dd $Mdocdate: December 22 2020 $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -195,7 +195,7 @@ For full details of the options listed below, and their possible values, see
 .It PreferredAuthentications
 .It ProxyCommand
 .It ProxyJump
-.It PubkeyAcceptedKeyTypes
+.It PubkeyAcceptedAlgorithms
 .It PubkeyAuthentication
 .It RekeyLimit
 .It SendEnv
index 8dc395b..e38cd69 100644 (file)
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.373 2021/01/11 04:48:22 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.374 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -112,7 +112,7 @@ initialize_server_options(ServerOptions *options)
        options->hostkeyalgorithms = NULL;
        options->pubkey_authentication = -1;
        options->pubkey_auth_options = -1;
-       options->pubkey_key_types = NULL;
+       options->pubkey_accepted_algos = NULL;
        options->kerberos_authentication = -1;
        options->kerberos_or_local_passwd = -1;
        options->kerberos_ticket_cleanup = -1;
@@ -215,7 +215,7 @@ assemble_algorithms(ServerOptions *o)
        ASSEMBLE(kex_algorithms, def_kex, all_kex);
        ASSEMBLE(hostkeyalgorithms, def_key, all_key);
        ASSEMBLE(hostbased_key_types, def_key, all_key);
-       ASSEMBLE(pubkey_key_types, def_key, all_key);
+       ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
        ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
        free(all_cipher);
@@ -498,7 +498,7 @@ typedef enum {
        sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
        sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
-       sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+       sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
        sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
@@ -552,7 +552,8 @@ static struct {
        { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
        { "rsaauthentication", sDeprecated, SSHCFG_ALL },
        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
-       { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
+       { "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
+       { "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
        { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
        { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
@@ -1443,7 +1444,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 
        case sHostbasedAcceptedKeyTypes:
                charptr = &options->hostbased_key_types;
- parse_keytypes:
+ parse_pubkey_algos:
                arg = strdelim(&cp);
                if (!arg || *arg == '\0')
                        fatal("%s line %d: Missing argument.",
@@ -1459,19 +1460,19 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 
        case sHostKeyAlgorithms:
                charptr = &options->hostkeyalgorithms;
-               goto parse_keytypes;
+               goto parse_pubkey_algos;
 
        case sCASignatureAlgorithms:
                charptr = &options->ca_sign_algorithms;
-               goto parse_keytypes;
+               goto parse_pubkey_algos;
 
        case sPubkeyAuthentication:
                intptr = &options->pubkey_authentication;
                goto parse_flag;
 
-       case sPubkeyAcceptedKeyTypes:
-               charptr = &options->pubkey_key_types;
-               goto parse_keytypes;
+       case sPubkeyAcceptedAlgorithms:
+               charptr = &options->pubkey_accepted_algos;
+               goto parse_pubkey_algos;
 
        case sPubkeyAuthOptions:
                intptr = &options->pubkey_auth_options;
@@ -2852,7 +2853,7 @@ dump_config(ServerOptions *o)
        dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
        dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);
        dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
-       dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);
+       dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
        dump_cfg_string(sRDomain, o->routing_domain);
 
        /* string arguments requiring a lookup */
index f4ca62f..1eaeec0 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.149 2021/01/09 12:10:02 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.150 2021/01/22 02:44:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -126,7 +126,7 @@ typedef struct {
        char   *hostkeyalgorithms;      /* SSH2 server key types */
        char   *ca_sign_algorithms;     /* Allowed CA signature algorithms */
        int     pubkey_authentication;  /* If true, permit ssh2 pubkey authentication. */
-       char   *pubkey_key_types;       /* Key types allowed for public key */
+       char   *pubkey_accepted_algos;  /* Signature algos allowed for pubkey */
        int     pubkey_auth_options;    /* -1 or mask of PUBKEYAUTH_* flags */
        int     kerberos_authentication;        /* If true, permit Kerberos
                                                 * authentication. */
@@ -270,7 +270,7 @@ TAILQ_HEAD(include_list, include_item);
                M_CP_STROPT(authorized_principals_command); \
                M_CP_STROPT(authorized_principals_command_user); \
                M_CP_STROPT(hostbased_key_types); \
-               M_CP_STROPT(pubkey_key_types); \
+               M_CP_STROPT(pubkey_accepted_algos); \
                M_CP_STROPT(ca_sign_algorithms); \
                M_CP_STROPT(routing_domain); \
                M_CP_STROPT(permit_user_env_allowlist); \
index ea99aad..685b3ff 100644 (file)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.133 2020/12/22 07:40:26 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.134 2021/01/22 02:44:58 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 22 2020 $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@@ -269,7 +269,7 @@ For full details of the options listed below, and their possible values, see
 .It PreferredAuthentications
 .It ProxyCommand
 .It ProxyJump
-.It PubkeyAcceptedKeyTypes
+.It PubkeyAcceptedAlgorithms
 .It PubkeyAuthentication
 .It RekeyLimit
 .It SendEnv
index 3ad1cd9..6aa9232 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.546 2020/12/20 23:40:19 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.547 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -773,7 +773,8 @@ main(int ac, char **av)
                        else if (strcmp(optarg, "key-plain") == 0)
                                cp = sshkey_alg_list(0, 1, 0, '\n');
                        else if (strcmp(optarg, "key-sig") == 0 ||
-                           strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
+                           strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */
+                           strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 ||
                            strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
                            strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
                            strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
index 7eca85b..7ff1248 100644 (file)
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.342 2021/01/14 19:45:06 rob Exp $
-.Dd $Mdocdate: January 14 2021 $
+.\" $OpenBSD: ssh_config.5,v 1.343 2021/01/22 02:44:58 dtucker Exp $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -1389,20 +1389,20 @@ will pass a connected file descriptor back to
 instead of continuing to execute and pass data.
 The default is
 .Cm no .
-.It Cm PubkeyAcceptedKeyTypes
-Specifies the key types that will be used for public key authentication
-as a comma-separated list of patterns.
+.It Cm PubkeyAcceptedAlgorithms
+Specifies the signature algorithms that will be used for public key
+authentication as a comma-separated list of patterns.
 If the specified list begins with a
 .Sq +
-character, then the key types after it will be appended to the default
+character, then the algorithms after it will be appended to the default
 instead of replacing it.
 If the specified list begins with a
 .Sq -
-character, then the specified key types (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
-character, then the specified key types will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
@@ -1423,7 +1423,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
-.Qq ssh -Q PubkeyAcceptedKeyTypes .
+.Qq ssh -Q PubkeyAcceptedAlgorithms .
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
index 8701173..57b7148 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.341 2021/01/08 02:57:24 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.342 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1184,16 +1184,16 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
            (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
                /* Filter base key signature alg against our configuration */
                return match_list(sshkey_ssh_name(key),
-                   options.pubkey_key_types, NULL);
+                   options.pubkey_accepted_algos, NULL);
        }
 
        /*
         * For RSA keys/certs, since these might have a different sig type:
-        * find the first entry in PubkeyAcceptedKeyTypes of the right type
+        * find the first entry in PubkeyAcceptedAlgorithms of the right type
         * that also appears in the supported signature algorithms list from
         * the server.
         */
-       oallowed = allowed = xstrdup(options.pubkey_key_types);
+       oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
        while ((cp = strsep(&allowed, ",")) != NULL) {
                if (sshkey_type_from_name(cp) != key->type)
                        continue;
@@ -1590,25 +1590,25 @@ static int
 key_type_allowed_by_config(struct sshkey *key)
 {
        if (match_pattern_list(sshkey_ssh_name(key),
-           options.pubkey_key_types, 0) == 1)
+           options.pubkey_accepted_algos, 0) == 1)
                return 1;
 
        /* RSA keys/certs might be allowed by alternate signature types */
        switch (key->type) {
        case KEY_RSA:
                if (match_pattern_list("rsa-sha2-512",
-                   options.pubkey_key_types, 0) == 1)
+                   options.pubkey_accepted_algos, 0) == 1)
                        return 1;
                if (match_pattern_list("rsa-sha2-256",
-                   options.pubkey_key_types, 0) == 1)
+                   options.pubkey_accepted_algos, 0) == 1)
                        return 1;
                break;
        case KEY_RSA_CERT:
                if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
-                   options.pubkey_key_types, 0) == 1)
+                   options.pubkey_accepted_algos, 0) == 1)
                        return 1;
                if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
-                   options.pubkey_key_types, 0) == 1)
+                   options.pubkey_accepted_algos, 0) == 1)
                        return 1;
                break;
        }
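Review bot: key_type_allowed_by_config() keeps its old name and has no header comment, although after this change it answers whether any signature algorithm usable with the key appears in PubkeyAcceptedAlgorithms. The RSA and RSA-cert branches hard-code the SHA-2 algorithm names, so a further RSA signature algorithm would have to be added here by hand. A short comment above the function would make that contract explicit, for example `/* Returns 1 if the key's own name or, for RSA keys/certs, one of the rsa-sha2-* signature algorithms matches PubkeyAcceptedAlgorithms. */`. The function's final return lies outside this hunk.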
@@ -1750,11 +1750,11 @@ pubkey_prepare(Authctxt *authctxt)
        }
        /* append remaining keys from the config file */
        TAILQ_CONCAT(preferred, &files, next);
-       /* finally, filter by PubkeyAcceptedKeyTypes */
+       /* finally, filter by PubkeyAcceptedAlgorithms */
        TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
                if (id->key != NULL && !key_type_allowed_by_config(id->key)) {
                        debug("Skipping %s key %s - "
-                           "not in PubkeyAcceptedKeyTypes",
+                           "corresponding algo not in PubkeyAcceptedAlgorithms",
                            sshkey_ssh_name(id->key), id->filename);
                        TAILQ_REMOVE(preferred, id, next);
                        sshkey_free(id->key);
index 5936a0f..1e28cfa 100644 (file)
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.323 2021/01/14 19:45:06 rob Exp $
-.Dd $Mdocdate: January 14 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.324 2021/01/22 02:44:58 dtucker Exp $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1211,7 +1211,7 @@ Available keywords are
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
 .Cm PermitUserRC ,
-.Cm PubkeyAcceptedKeyTypes ,
+.Cm PubkeyAcceptedAlgorithms ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
@@ -1479,20 +1479,20 @@ when a user logs in interactively.
 or equivalent.)
 The default is
 .Cm yes .
-.It Cm PubkeyAcceptedKeyTypes
-Specifies the key types that will be accepted for public key authentication
-as a list of comma-separated patterns.
+.It Cm PubkeyAcceptedAlgorithms
+Specifies the signature algorithms that will be accepted for public key
+authentication as a list of comma-separated patterns.
 Alternately if the specified list begins with a
 .Sq +
-character, then the specified key types will be appended to the default set
+character, then the specified algorithms will be appended to the default set
 instead of replacing them.
 If the specified list begins with a
 .Sq -
-character, then the specified key types (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
-character, then the specified key types will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
@@ -1513,7 +1513,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
-.Qq ssh -Q PubkeyAcceptedKeyTypes .
+.Qq ssh -Q PubkeyAcceptedAlgorithms .
 .It Cm PubkeyAuthOptions
 Sets one or more public key authentication options.
 The supported keywords are: