Hi all,
This is a patch that makes Ciphers, MACs and KexAlgorithms available in
Match blocks. Now I can reach a -current machine from an Android
terminal app without changing the default ciphers for all clients:
Match Address 192.168.1.2
Ciphers aes128-cbc
MACs hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha1
Index: servconf.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.249
diff -u -p -u -r1.249 servconf.c
--- servconf.c 29 Jan 2014 06:18:35 -0000 1.249
+++ servconf.c 6 Jun 2014 08:04:06 -0000
@@ -399,8 +399,8 @@ static struct {
{ "denyusers", sDenyUsers, SSHCFG_ALL },
{ "allowgroups", sAllowGroups, SSHCFG_ALL },
{ "denygroups", sDenyGroups, SSHCFG_ALL },
- { "ciphers", sCiphers, SSHCFG_GLOBAL },
- { "macs", sMacs, SSHCFG_GLOBAL },
+ { "ciphers", sCiphers, SSHCFG_ALL },
+ { "macs", sMacs, SSHCFG_ALL },
{ "protocol", sProtocol, SSHCFG_GLOBAL },
{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
@@ -427,7 +427,7 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL
},
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser,
SSHCFG_ALL },
@@ -1239,7 +1239,7 @@ process_server_config_line(ServerOptions
if (!ciphers_valid(arg))
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
- if (options->ciphers == NULL)
+ if (*activep && options->ciphers == NULL)
options->ciphers = xstrdup(arg);
break;
@@ -1250,7 +1250,7 @@ process_server_config_line(ServerOptions
if (!mac_valid(arg))
fatal("%s line %d: Bad SSH2 mac spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
- if (options->macs == NULL)
+ if (*activep && options->macs == NULL)
options->macs = xstrdup(arg);
break;
@@ -1262,7 +1262,7 @@ process_server_config_line(ServerOptions
if (!kex_names_valid(arg))
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
- if (options->kex_algorithms == NULL)
+ if (*activep && options->kex_algorithms == NULL)
options->kex_algorithms = xstrdup(arg);
break;
Index: servconf.h
==================================================================RCS file:
/cvs/src/usr.bin/ssh/servconf.h,v
retrieving revision 1.112
diff -u -p -u -r1.112 servconf.h
--- servconf.h 29 Jan 2014 06:18:35 -0000 1.112
+++ servconf.h 6 Jun 2014 08:04:06 -0000
@@ -209,6 +209,9 @@ struct connection_info {
M_CP_STROPT(authorized_principals_file); \
M_CP_STROPT(authorized_keys_command); \
M_CP_STROPT(authorized_keys_command_user); \
+ M_CP_STROPT(ciphers); \
+ M_CP_STROPT(macs); \
+ M_CP_STROPT(kex_algorithms); \
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
M_CP_STRARRAYOPT(allow_users, num_allow_users); \
M_CP_STRARRAYOPT(deny_users, num_deny_users); \
Index: sshd.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.426
diff -u -p -u -r1.426 sshd.c
--- sshd.c 29 Apr 2014 18:01:49 -0000 1.426
+++ sshd.c 6 Jun 2014 08:04:06 -0000
@@ -1919,6 +1919,10 @@ main(int ac, char **av)
verbose("Connection from %s port %d on %s port %d",
remote_ip, remote_port,
get_local_ipaddr(sock_in), get_local_port());
+
+ /* Match configuration against the connection */
+ connection_info = get_connection_info(1, options.use_dns);
+ parse_server_match_config(&options, connection_info);
/*
* We don't want to listen forever unless the other side
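Review bot: The early Match pass added before the key exchange (L92–93) can only be decided on connection-level criteria such as Address, LocalAddress and LocalPort, since the user is presumably not known yet at this point; a `Match User` or `Match Group` block that sets Ciphers, MACs or KexAlgorithms would only be applied by the later, post-authentication pass, after the algorithms have already been negotiated, and would silently have no effect. The added comment should say so, e.g. `/* Early Match pass: only Address/LocalAddress/LocalPort criteria are usable here; user-based Match blocks cannot influence the key exchange, which completes before the user is known. */`, and the same limitation belongs next to the new keywords in the sshd_config.5 hunks, which currently list them without any caveat. It is also worth confirming that nothing later in main() reuses this `connection_info` expecting user fields to be populated. main() continues beyond both ends of this hunk.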
Index: sshd_config.5
==================================================================RCS file:
/cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.173
diff -u -p -u -r1.173 sshd_config.5
--- sshd_config.5 28 Mar 2014 05:17:11 -0000 1.173
+++ sshd_config.5 6 Jun 2014 08:04:06 -0000
@@ -896,6 +896,7 @@ Available keywords are
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
+.Cm Ciphers ,
.Cm DenyGroups ,
.Cm DenyUsers ,
.Cm ForceCommand ,
@@ -905,6 +906,8 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm KexAlgorithms ,
+.Cm MACs ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
Regards,
Armin Wolfermann