upstream: Improve strictness and control over RSA-SHA2 signature

In ssh, when an agent is asked for an RSA-SHA2 signature but falls
back to RSA-SHA1 instead, retry the signature to ensure that the
public key algorithm sent in the SSH_MSG_USERAUTH message matches the
one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
18 files changed
tree: b8d904880f8927374b377b2e4d5661213c1138b6