author | djm@openbsd.org <djm@openbsd.org> | 2021-12-19 22:14:47 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2021-12-20 09:28:08 +1100 |
commit | c385abf76511451bcba78568167b1cd9e90587d5 (patch) | |
tree | 0cb4abdca995faad6068b7edb22952b120960f96 /readconf.c | |
parent | 34b1e9cc7654f41cd4c5b1cc290b999dcf6579bb (diff) | |
download | openssh-git-c385abf76511451bcba78568167b1cd9e90587d5.tar.gz |
upstream: PubkeyAuthentication=yes|no|unbound|host-bound
Allow control over which pubkey methods are used. Added out of
concern that some hardware devices may have difficulty signing
the longer pubkey authentication challenges. This provides a
way for them to disable the extension. It's also handy for
testing.
feedback / ok markus@
OpenBSD-Commit-ID: ee52580db95c355cf6d563ba89974c210e603b1a
Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 18 |
1 files changed, 15 insertions, 3 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.364 2021/12/19 22:14:47 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -890,6 +890,15 @@ static const struct multistate multistate_canonicalizehostname[] = {
 { "always", SSH_CANONICALISE_ALWAYS },
 { NULL, -1 }
 };
+static const struct multistate multistate_pubkey_auth[] = {
+ { "true", SSH_PUBKEY_AUTH_ALL },
+ { "false", SSH_PUBKEY_AUTH_NO },
+ { "yes", SSH_PUBKEY_AUTH_ALL },
+ { "no", SSH_PUBKEY_AUTH_NO },
+ { "unbound", SSH_PUBKEY_AUTH_UNBOUND },
+ { "host-bound", SSH_PUBKEY_AUTH_HBOUND },
+ { NULL, -1 }
+};
 static const struct multistate multistate_compression[] = {
 #ifdef WITH_ZLIB
 { "yes", COMP_ZLIB },
@@ -1102,8 +1111,9 @@ parse_time:
 goto parse_string;
 case oPubkeyAuthentication:
+ multistate_ptr = multistate_pubkey_auth;
 intptr = &options->pubkey_authentication;
- goto parse_flag;
+ goto parse_multistate;
 case oHostbasedAuthentication:
 intptr = &options->hostbased_authentication;
@@ -2487,7 +2497,7 @@ fill_default_options(Options * options)
 if (options->fwd_opts.streamlocal_bind_unlink == -1)
 options->fwd_opts.streamlocal_bind_unlink = 0;
 if (options->pubkey_authentication == -1)
- options->pubkey_authentication = 1;
+ options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
 if (options->gss_authentication == -1)
 options->gss_authentication = 0;
 if (options->gss_deleg_creds == -1)
@@ -3137,6 +3147,8 @@ fmt_intarg(OpCodes code, int val)
 return fmt_multistate_int(val, multistate_canonicalizehostname);
 case oAddKeysToAgent:
 return fmt_multistate_int(val, multistate_yesnoaskconfirm);
+ case oPubkeyAuthentication:
+ return fmt_multistate_int(val, multistate_pubkey_auth);
 case oFingerprintHash:
 return ssh_digest_alg_name(val);
 default: |
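Review bot: The new `multistate_pubkey_auth` table (hunk at -890) has no comment saying what `unbound` and `host-bound` select, so a reader of readconf.c cannot tell which state keeps the host-bound extension and which drops it. Going by the commit message, `unbound` is the setting that disables the extension, so a line above the table would help, e.g. `/* yes/true: all pubkey methods; unbound: never use the host-bound extension; host-bound: use it */` (wording to be confirmed against the `SSH_PUBKEY_AUTH_*` definitions, which are outside this diff). Since `unbound` removes whatever binding the extension adds, presumably to the server's host key, the user-facing description of the option should also say so, so that it is chosen deliberately for a device that needs it rather than as a general compatibility setting.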
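Review bot: After the `oPubkeyAuthentication` case switches to `parse_multistate` (hunk at -1102), `options->pubkey_authentication` can hold four distinct states, so any reader of the field that still tests it as a flag is only correct if `SSH_PUBKEY_AUTH_NO` is 0 and every other state is meant to enable the method. Neither the enum values nor the consumers of the field are visible in this readconf.c-only view, so this needs checking wherever the field is read. A short comment here or at the field declaration, such as `/* one of SSH_PUBKEY_AUTH_*; compare explicitly, not as a boolean */`, would make the new contract visible. The enclosing switch begins and ends outside the hunk.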
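Review bot: With `fmt_intarg` now sending `oPubkeyAuthentication` through `fmt_multistate_int` (hunk at -3137), the printed value depends on the order of `multistate_pubkey_auth`, whose first entry for `SSH_PUBKEY_AUTH_ALL` is `"true"`. If `fmt_multistate_int` returns the first key whose value matches (its body is not shown here), the configuration dump would print `true`/`false` for this option where it presumably printed `yes`/`no` before. That can silently break scripts or audit checks that match the old spelling. Either list `{ "yes", SSH_PUBKEY_AUTH_ALL },` and `{ "no", SSH_PUBKEY_AUTH_NO },` ahead of the `true`/`false` aliases, or record the output change in the release notes. `fmt_intarg` continues outside the hunk.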