1Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
2setting any value for HostKeyAlgorithms causes the known host keys to
3be ignored for the purpose of determining the priority of algorithms.
4This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
5in ssh_config. The fix is to apply order_hostkeyalgs() if the user
6specifies a HostKeyAlgorithms starting with "+".
7
8diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
9--- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100
10+++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200
11@@ -100,7 +100,7 @@
12 }
13
14 static char *
15-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
16+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
17 {
18 char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
19 size_t maxlen;
20@@ -116,7 +116,7 @@
21 for (i = 0; i < options.num_system_hostfiles; i++)
22 load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
23
24- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
25+ oavail = avail = xstrdup(algs);
26 maxlen = strlen(avail) + 1;
27 first = xmalloc(maxlen);
28 last = xmalloc(maxlen);
29@@ -181,18 +181,21 @@
30 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
31 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
32 if (options.hostkeyalgorithms != NULL) {
33+ int append = options.hostkeyalgorithms[0] == '+';
34 if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
35 &options.hostkeyalgorithms) != 0)
36 fatal("%s: kex_assemble_namelist", __func__);
37 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
38- compat_pkalg_proposal(options.hostkeyalgorithms);
39+ compat_pkalg_proposal(append
40+ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
41+ : options.hostkeyalgorithms);
42 } else {
43 /* Enforce default */
44 options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
45 /* Prefer algorithms that we already have keys for */
46 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
47 compat_pkalg_proposal(
48- order_hostkeyalgs(host, hostaddr, port));
49+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
50 }
51
52 if (options.rekey_limit || options.rekey_interval)
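Review bot: The new `algs` parameter in the order_hostkeyalgs() signature is declared `char *` although the hunks only ever read it (`oavail = avail = xstrdup(algs);` in the next hunk) and the default call site passes the `KEX_DEFAULT_PK_ALG` string literal; declaring it `const char *algs` makes the no-modification contract explicit and lets the compiler enforce it. Now that callers can hand in their own list, the function also needs a header comment above `static char *`, and none is visible in the hunk: I would write `/* Return a newly allocated copy of the comma-separated key-type list algs, reordered so types for which host already has a known_hosts entry come first; algs is neither modified nor freed. */`. The ownership half of that comment should be checked against the body, which continues outside the hunk.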
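Review bot: The new `int append = options.hostkeyalgorithms[0] == '+';` line is correct only because it is evaluated before `kex_assemble_names(KEX_DEFAULT_PK_ALG, &options.hostkeyalgorithms)`, which is handed the pointer's address and presumably replaces the list with the expanded one so the leading '+' is gone afterwards; nothing in the code records that ordering dependency, and a later reorder of the two statements would silently turn the fix off. I would add `/* Must be tested before kex_assemble_names() rewrites the list. */` above it, and give the new ternary the same kind of comment the else branch has: `/* "+..." means defaults plus extras: as in the default case, prefer key types we already have in known_hosts */`. That comment is also where the security-relevant consequence belongs: with '+' the proposal order now follows known_hosts, so an appended legacy type (the description's `+ssh-dds`, presumably meaning ssh-dss) is offered first to a host whose recorded key is of that type, whereas an explicit list without '+' keeps the user's order verbatim. Leaving `options.hostkeyalgorithms` as the unordered expanded list while only the proposal gets the reordered copy mirrors what the default branch already does, so that asymmetry is not new.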