path: root/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
Specifying "HostKeyAlgorithms +ssh-dss" does not work properly because
setting any value for HostKeyAlgorithms causes the known host keys to
be ignored for the purpose of determining the priority of algorithms.
This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
in ssh_config. The fix is to apply order_hostkeyalgs() when the user
specifies a HostKeyAlgorithms value starting with "+".

diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
--- openssh-7.2p2-orig/sshconnect2.c	2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sshconnect2.c	2016-04-01 15:39:45.140945902 +0200
@@ -100,7 +100,7 @@
 }
 
 static char *
-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
 {
 	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
 	size_t maxlen;
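Review bot: The new `algs` parameter on `order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)` carries no statement of what it must contain or who owns it; in the following hunk it is only copied with `xstrdup(algs)`, so as far as these hunks show it could be `const char *algs`. A one-line contract above the definition would settle both, e.g. `/* algs: comma-separated candidate host key algorithm list; copied, caller keeps ownership */`. The same observation covers the `xstrdup(algs)` hunk, which otherwise needs no change. order_hostkeyalgs's body continues outside this hunk.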
@@ -116,7 +116,7 @@
 	for (i = 0; i < options.num_system_hostfiles; i++)
 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
 
-	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+	oavail = avail = xstrdup(algs);
 	maxlen = strlen(avail) + 1;
 	first = xmalloc(maxlen);
 	last = xmalloc(maxlen);
@@ -181,18 +181,21 @@
 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 	if (options.hostkeyalgorithms != NULL) {
+		int append = options.hostkeyalgorithms[0] == '+';
 		if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
 		    &options.hostkeyalgorithms) != 0)
 			fatal("%s: kex_assemble_namelist", __func__);
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-		    compat_pkalg_proposal(options.hostkeyalgorithms);
+		    compat_pkalg_proposal(append
+			? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
+			: options.hostkeyalgorithms);
 	} else {
 		/* Enforce default */
 		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(
-		    order_hostkeyalgs(host, hostaddr, port));
+		    order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
 	}
 
 	if (options.rekey_limit || options.rekey_interval)
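Review bot: The line `int append = options.hostkeyalgorithms[0] == '+';` hard-codes the list-prefix convention that kex_assemble_names() owns, and nothing says why the known-host ordering is re-applied only in that case or why the prefix has to be read before kex_assemble_names() rewrites options.hostkeyalgorithms; a comment such as `/* A '+' list keeps the defaults, so re-apply the known-host ordering the default path uses; check before kex_assemble_names() strips the prefix. */` would carry that. If this version of kex_assemble_names() also accepts a leading '-' for removal, such lists would still lose the known-host ordering; I could not confirm that from the hunk. The else branch now passes `KEX_DEFAULT_PK_ALG` to order_hostkeyalgs() right after `options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG)`, so passing `options.hostkeyalgorithms` there too would keep the two branches parallel.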