From ee9c0da8035b3168e8e57c1dedc2d1b0daf00eec Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 22 Jan 2021 02:44:58 +0000 Subject: upstream: Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5 --- sshconnect2.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'sshconnect2.c') diff --git a/sshconnect2.c b/sshconnect2.c index 108fd970..de89b761 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.341 2021/01/08 02:57:24 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.342 2021/01/22 02:44:58 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1191,16 +1191,16 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { /* Filter base key signature alg against our configuration */ return match_list(sshkey_ssh_name(key), - options.pubkey_key_types, NULL); + options.pubkey_accepted_algos, NULL); } /* * For RSA keys/certs, since these might have a different sig type: - * find the first entry in PubkeyAcceptedKeyTypes of the right type + * find the first entry in PubkeyAcceptedAlgorithms of the right type * that also appears in the supported signature algorithms list from * the server. */ - oallowed = allowed = xstrdup(options.pubkey_key_types); + oallowed = allowed = xstrdup(options.pubkey_accepted_algos); while ((cp = strsep(&allowed, ",")) != NULL) { if (sshkey_type_from_name(cp) != key->type) continue; @@ -1597,25 +1597,25 @@ static int key_type_allowed_by_config(struct sshkey *key) { if (match_pattern_list(sshkey_ssh_name(key), - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; /* RSA keys/certs might be allowed by alternate signature types */ switch (key->type) { case KEY_RSA: if (match_pattern_list("rsa-sha2-512", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; if (match_pattern_list("rsa-sha2-256", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; break; case KEY_RSA_CERT: if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; break; } @@ -1757,11 +1757,11 @@ pubkey_prepare(Authctxt *authctxt) } /* append remaining keys from the config file */ TAILQ_CONCAT(preferred, &files, next); - /* finally, filter by PubkeyAcceptedKeyTypes */ + /* finally, filter by PubkeyAcceptedAlgorithms */ TAILQ_FOREACH_SAFE(id, preferred, next, id2) { if (id->key != NULL && !key_type_allowed_by_config(id->key)) { debug("Skipping %s key %s - " - "not in PubkeyAcceptedKeyTypes", + "corresponding algo not in PubkeyAcceptedAlgorithms", sshkey_ssh_name(id->key), id->filename); TAILQ_REMOVE(preferred, id, next); sshkey_free(id->key); -- cgit v1.2.1