From: dtucker Date: Fri, 12 Mar 2021 04:08:19 +0000 (+0000) Subject: Add ModuliFile keyword to sshd_config to specify the location of the X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d52d8133ea7b8feff5a692c9bfb39a9dad791404;p=openbsd Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX. This will allow us to run tests against arbitrary moduli files without having to install them. ok djm@ --- diff --git a/usr.bin/ssh/dh.c b/usr.bin/ssh/dh.c index b9e3484152d..4242f78b2d9 100644 --- a/usr.bin/ssh/dh.c +++ b/usr.bin/ssh/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.72 2020/10/18 11:32:01 djm Exp $ */ +/* $OpenBSD: dh.c,v 1.73 2021/03/12 04:08:19 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -38,6 +38,18 @@ #include "misc.h" #include "ssherr.h" +static const char *moduli_filename; + +void dh_set_moduli_file(const char *filename) +{ + moduli_filename = filename; +} + +static const char * get_moduli_filename(void) +{ + return moduli_filename ? moduli_filename : _PATH_DH_MODULI; +} + static int parse_prime(int linenum, char *line, struct dhgroup *dhg) { @@ -145,9 +157,9 @@ choose_dh(int min, int wantbits, int max) int best, bestcount, which, linenum; struct dhgroup dhg; - if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { + if ((f = fopen(get_moduli_filename(), "r")) == NULL) { logit("WARNING: could not open %s (%s), using fixed modulus", - _PATH_DH_MODULI, strerror(errno)); + get_moduli_filename(), strerror(errno)); return (dh_new_group_fallback(max)); } @@ -178,7 +190,8 @@ choose_dh(int min, int wantbits, int max) if (bestcount == 0) { fclose(f); - logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI); + logit("WARNING: no suitable primes in %s", + get_moduli_filename()); return (dh_new_group_fallback(max)); } which = arc4random_uniform(bestcount); 
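Review bot: `dh_set_moduli_file()` in the @@ -38 hunk keeps the caller's pointer without copying it, and neither the definition nor the new prototype in the dh.h hunk says who owns the string or how long it must stay valid; add `/* Stores the pointer (no copy); the caller must keep filename valid for as long as choose_dh() may run. */` above the definition and a matching one-line comment on the dh.h prototype. The two new definitions also break the KNF layout the rest of the file uses (compare the `static int` / `parse_prime(...)` context lines in the same hunk): put the return type on its own line, `void` / `dh_set_moduli_file(const char *filename)`, and likewise `static const char *` / `get_moduli_filename(void)`, which also removes the stray space after the `*`. A short comment on `get_moduli_filename()` noting that it falls back to `_PATH_DH_MODULI` until the setter has been called would make the NULL check self-explanatory.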
@@ -203,7 +216,7 @@ choose_dh(int min, int wantbits, int max) fclose(f); if (bestcount != which + 1) { logit("WARNING: selected prime disappeared in %s, giving up", - _PATH_DH_MODULI); + get_moduli_filename()); return (dh_new_group_fallback(max)); } diff --git a/usr.bin/ssh/dh.h b/usr.bin/ssh/dh.h index 5d6df629701..c6326a39d53 100644 --- a/usr.bin/ssh/dh.h +++ b/usr.bin/ssh/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.18 2019/09/06 05:23:55 djm Exp $ */ +/* $OpenBSD: dh.h,v 1.19 2021/03/12 04:08:19 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. @@ -47,6 +47,7 @@ int dh_gen_key(DH *, int); int dh_pub_is_valid(const DH *, const BIGNUM *); u_int dh_estimate(int); +void dh_set_moduli_file(const char *); /* * Max value from RFC4419. diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 9e2b042db71..0a945efa141 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.377 2021/02/24 01:18:08 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.378 2021/03/12 04:08:19 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -280,6 +280,8 @@ fill_default_server_options(ServerOptions *options) add_listen_addr(options, NULL, NULL, 0); if (options->pid_file == NULL) options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); + if (options->moduli_file == NULL) + options->moduli_file = xstrdup(_PATH_DH_MODULI); if (options->login_grace_time == -1) options->login_grace_time = 120; if (options->permit_root_login == PERMIT_NOT_SET) 
@@ -471,7 +473,7 @@ typedef enum { sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitUserEnvironment, sAllowTcpForwarding, sCompression, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, - sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, + sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, @@ -511,6 +513,7 @@ static struct { { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, + { "modulifile", sModuliFile, SSHCFG_GLOBAL }, { "serverkeybits", sDeprecated, SSHCFG_GLOBAL }, { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL }, @@ -1393,6 +1396,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, } break; + case sModuliFile: + charptr = &options->moduli_file; + goto parse_filename; + case sPermitRootLogin: intptr = &options->permit_root_login; multistate_ptr = multistate_permitrootlogin; @@ -2806,6 +2813,7 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); + dump_cfg_string(sModuliFile, o->moduli_file); dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sCiphers, o->ciphers); dump_cfg_string(sMacs, o->macs); diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 09f76ffd68b..c0bc0509a56 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.151 2021/01/26 05:32:21 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.152 2021/03/12 04:08:19 dtucker Exp $ */ /* * Author: Tatu Ylonen 
@@ -93,6 +93,7 @@ typedef struct { char *host_key_agent; /* ssh-agent socket for host keys. */ char *pid_file; /* Where to put our pid */ + char *moduli_file; /* moduli file for DH-GEX */ int login_grace_time; /* Disconnect if no auth in this time * (sec). */ int permit_root_login; /* PERMIT_*, see above */ diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index 8ffa2a51b2e..8a6a1b4c3a4 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.570 2021/02/05 02:20:23 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.571 2021/03/12 04:08:19 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -107,6 +107,7 @@ #include "ssherr.h" #include "sk-api.h" #include "srclimit.h" +#include "dh.h" /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) @@ -1614,6 +1615,9 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, cfg, &includes, NULL); + if (options.moduli_file != NULL) + dh_set_moduli_file(options.moduli_file); + /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index b84916c456c..b9a44a7c108 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.328 2021/02/27 23:42:37 djm Exp $ -.Dd $Mdocdate: February 27 2021 $ +.\" $OpenBSD: sshd_config.5,v 1.329 2021/03/12 04:08:19 dtucker Exp $ +.Dd $Mdocdate: March 12 2021 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
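Review bot: In the @@ -1614 hunk the moduli path is handed to dh.c before `fill_default_server_options()` runs, so when ModuliFile is unset the effective path comes from dh.c's own `_PATH_DH_MODULI` fallback while `options.moduli_file` (and the `sshd -T` dump) comes from the default added in the servconf.c hunk; the two are the same value today, but they are two copies of one default that can drift. Calling the setter after the defaults are filled drops the NULL guard and leaves servconf.c as the single source of truth: `fill_default_server_options(&options);` followed by `dh_set_moduli_file(options.moduli_file);`. A one-line comment at the call, `/* dh.c keeps only the pointer; options must outlive every choose_dh() call (presumably the privsep monitor) -- confirm */`, would record the lifetime assumption, which is inferred from the setter's body in dh.c rather than shown here. main() starts and ends outside the hunk.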
@@ -1258,6 +1258,16 @@ will refuse connection attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60). +.It Cm ModuliFile +Specifies the +.Xr moduli 5 +file that contains the Diffie-Hellman groups used for the +.Dq diffie-hellman-group-exchange-sha1 +and +.Dq diffie-hellman-group-exchange-sha256 +key exchange methods. +The default is +.Pa /etc/moduli . .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is