Christian Weisgerber
2019-Mar-31 09:53 UTC
[PATCH] Place algorithm at head of default list
ssh_config(5) and sshd_config(5) already allow adding '+' and
removing '-' an algorithm from the default list. Oddly, I mostly
find myself wanting to prefer an algorithm, i.e., place it at the
head of the list without removing anything. The patch below adds
this ability. To prefer algorithms, prefix them with '^'. E.g.:
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm at openssh.com,aes256-gcm at openssh.com
Index: kex.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/kex.c,v
retrieving revision 1.150
diff -u -p -r1.150 kex.c
--- kex.c 21 Jan 2019 12:08:13 -0000 1.150
+++ kex.c 31 Mar 2019 09:21:04 -0000
@@ -202,8 +202,9 @@ kex_names_cat(const char *a, const char
/*
* Assemble a list of algorithms from a default list and a string from a
* configuration file. The user-provided string may begin with '+' to
- * indicate that it should be appended to the default or '-' that the
- * specified names should be removed.
+ * indicate that it should be appended to the default, '-' that the
+ * specified names should be removed, or '^' that they should be placed
+ * at the head.
*/
int
kex_assemble_names(char **listp, const char *def, const char *all)
@@ -237,6 +238,14 @@ kex_assemble_names(char **listp, const c
free(list);
/* filtering has already been done */
return 0;
+ } else if (*list == '^') {
+ /* Place names at head of default list */
+ if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto fail;
+ }
+ free(list);
+ list = tmp;
} else {
/* Explicit list, overrides default - just use "list" as is */
}
Index: readconf.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/readconf.c,v
retrieving revision 1.304
diff -u -p -r1.304 readconf.c
--- readconf.c 1 Mar 2019 02:08:50 -0000 1.304
+++ readconf.c 31 Mar 2019 08:59:57 -0000
@@ -1179,7 +1179,8 @@ parse_int:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg +
1 : arg))
+ if (*arg != '-' &&
+ !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 :
arg))
fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->ciphers == NULL)
@@ -1190,7 +1191,8 @@ parse_int:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 :
arg))
+ if (*arg != '-' &&
+ !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->macs == NULL)
@@ -1203,7 +1205,8 @@ parse_int:
fatal("%.200s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+ !kex_names_valid(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->kex_algorithms == NULL)
@@ -1218,7 +1221,8 @@ parse_keytypes:
fatal("%.200s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
Index: servconf.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.350
diff -u -p -r1.350 servconf.c
--- servconf.c 25 Mar 2019 22:33:44 -0000 1.350
+++ servconf.c 31 Mar 2019 08:59:14 -0000
@@ -1379,7 +1379,8 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
@@ -1650,7 +1651,8 @@ process_server_config_line(ServerOptions
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg +
1 : arg))
+ if (*arg != '-' &&
+ !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 :
arg))
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->ciphers == NULL)
@@ -1661,7 +1663,8 @@ process_server_config_line(ServerOptions
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 :
arg))
+ if (*arg != '-' &&
+ !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 mac spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->macs == NULL)
@@ -1674,7 +1677,8 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+ !kex_names_valid(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg))
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->kex_algorithms == NULL)
Index: ssh.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.500
diff -u -p -r1.500 ssh.c
--- ssh.c 19 Jan 2019 21:43:56 -0000 1.500
+++ ssh.c 31 Mar 2019 09:01:29 -0000
@@ -848,7 +848,7 @@ main(int ac, char **av)
}
break;
case 'c':
- if (!ciphers_valid(*optarg == '+' ?
+ if (!ciphers_valid(*optarg == '+' || *optarg == '^' ?
optarg + 1 : optarg)) {
fprintf(stderr, "Unknown cipher type '%s'\n",
optarg);
Index: ssh_config.5
==================================================================RCS file:
/cvs/src/usr.bin/ssh/ssh_config.5,v
retrieving revision 1.292
diff -u -p -r1.292 ssh_config.5
--- ssh_config.5 1 Mar 2019 02:16:47 -0000 1.292
+++ ssh_config.5 31 Mar 2019 09:40:24 -0000
@@ -430,6 +430,10 @@ If the specified value begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -794,6 +798,10 @@ If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
@@ -822,6 +830,10 @@ If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
@@ -1052,6 +1064,10 @@ If the specified value begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
The default is:
.Bd -literal -offset indent
curve25519-sha256,curve25519-sha256 at libssh.org,
@@ -1133,6 +1149,10 @@ If the specified value begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
.Pp
The algorithms that contain
.Qq -etm
@@ -1290,6 +1310,10 @@ If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
Index: sshd_config.5
==================================================================RCS file:
/cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.284
diff -u -p -r1.284 sshd_config.5
--- sshd_config.5 22 Mar 2019 20:58:34 -0000 1.284
+++ sshd_config.5 31 Mar 2019 09:41:21 -0000
@@ -466,6 +466,10 @@ If the specified value begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
.Pp
The supported ciphers are:
.Pp
@@ -680,6 +684,10 @@ If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
@@ -885,6 +893,10 @@ If the specified value begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -1002,6 +1014,10 @@ If the specified value begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
.Pp
The algorithms that contain
.Qq -etm
@@ -1407,6 +1423,10 @@ If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified value begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
--
Christian "naddy" Weisgerber naddy at
mips.inka.de
no objection, but this and your scp change will have to wait until after release (both openssh-8.0 and OpenBSD-6.5) On Sun, 31 Mar 2019, Christian Weisgerber wrote:> ssh_config(5) and sshd_config(5) already allow adding '+' and > removing '-' an algorithm from the default list. Oddly, I mostly > find myself wanting to prefer an algorithm, i.e., place it at the > head of the list without removing anything. The patch below adds > this ability. To prefer algorithms, prefix them with '^'. E.g.: > > HostKeyAlgorithms ^ssh-ed25519 > Ciphers ^aes128-gcm at openssh.com,aes256-gcm at openssh.com > > > Index: kex.c > ==================================================================> RCS file: /cvs/src/usr.bin/ssh/kex.c,v > retrieving revision 1.150 > diff -u -p -r1.150 kex.c > --- kex.c 21 Jan 2019 12:08:13 -0000 1.150 > +++ kex.c 31 Mar 2019 09:21:04 -0000 > @@ -202,8 +202,9 @@ kex_names_cat(const char *a, const char > /* > * Assemble a list of algorithms from a default list and a string from a > * configuration file. The user-provided string may begin with '+' to > - * indicate that it should be appended to the default or '-' that the > - * specified names should be removed. > + * indicate that it should be appended to the default, '-' that the > + * specified names should be removed, or '^' that they should be placed > + * at the head. > */ > int > kex_assemble_names(char **listp, const char *def, const char *all) > @@ -237,6 +238,14 @@ kex_assemble_names(char **listp, const c > free(list); > /* filtering has already been done */ > return 0; > + } else if (*list == '^') { > + /* Place names at head of default list */ > + if ((tmp = kex_names_cat(list + 1, def)) == NULL) { > + r = SSH_ERR_ALLOC_FAIL; > + goto fail; > + } > + free(list); > + list = tmp; > } else { > /* Explicit list, overrides default - just use "list" as is */ > } > Index: readconf.c > ==================================================================> RCS file: /cvs/src/usr.bin/ssh/readconf.c,v > retrieving revision 1.304 > diff -u -p -r1.304 readconf.c > --- readconf.c 1 Mar 2019 02:08:50 -0000 1.304 > +++ readconf.c 31 Mar 2019 08:59:57 -0000 > @@ -1179,7 +1179,8 @@ parse_int: > arg = strdelim(&s); > if (!arg || *arg == '\0') > fatal("%.200s line %d: Missing argument.", filename, linenum); > - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) > + if (*arg != '-' && > + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) > fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (*activep && options->ciphers == NULL) > @@ -1190,7 +1191,8 @@ parse_int: > arg = strdelim(&s); > if (!arg || *arg == '\0') > fatal("%.200s line %d: Missing argument.", filename, linenum); > - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) > + if (*arg != '-' && > + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) > fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (*activep && options->macs == NULL) > @@ -1203,7 +1205,8 @@ parse_int: > fatal("%.200s line %d: Missing argument.", > filename, linenum); > if (*arg != '-' && > - !kex_names_valid(*arg == '+' ? arg + 1 : arg)) > + !kex_names_valid(*arg == '+' || *arg == '^' ? > + arg + 1 : arg)) > fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (*activep && options->kex_algorithms == NULL) > @@ -1218,7 +1221,8 @@ parse_keytypes: > fatal("%.200s line %d: Missing argument.", > filename, linenum); > if (*arg != '-' && > - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) > + !sshkey_names_valid2(*arg == '+' || *arg == '^' ? > + arg + 1 : arg, 1)) > fatal("%s line %d: Bad key types '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (*activep && *charptr == NULL) > Index: servconf.c > ==================================================================> RCS file: /cvs/src/usr.bin/ssh/servconf.c,v > retrieving revision 1.350 > diff -u -p -r1.350 servconf.c > --- servconf.c 25 Mar 2019 22:33:44 -0000 1.350 > +++ servconf.c 31 Mar 2019 08:59:14 -0000 > @@ -1379,7 +1379,8 @@ process_server_config_line(ServerOptions > fatal("%s line %d: Missing argument.", > filename, linenum); > if (*arg != '-' && > - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) > + !sshkey_names_valid2(*arg == '+' || *arg == '^' ? > + arg + 1 : arg, 1)) > fatal("%s line %d: Bad key types '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (*activep && *charptr == NULL) > @@ -1650,7 +1651,8 @@ process_server_config_line(ServerOptions > arg = strdelim(&cp); > if (!arg || *arg == '\0') > fatal("%s line %d: Missing argument.", filename, linenum); > - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) > + if (*arg != '-' && > + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) > fatal("%s line %d: Bad SSH2 cipher spec '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (options->ciphers == NULL) > @@ -1661,7 +1663,8 @@ process_server_config_line(ServerOptions > arg = strdelim(&cp); > if (!arg || *arg == '\0') > fatal("%s line %d: Missing argument.", filename, linenum); > - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) > + if (*arg != '-' && > + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) > fatal("%s line %d: Bad SSH2 mac spec '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (options->macs == NULL) > @@ -1674,7 +1677,8 @@ process_server_config_line(ServerOptions > fatal("%s line %d: Missing argument.", > filename, linenum); > if (*arg != '-' && > - !kex_names_valid(*arg == '+' ? arg + 1 : arg)) > + !kex_names_valid(*arg == '+' || *arg == '^' ? > + arg + 1 : arg)) > fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", > filename, linenum, arg ? arg : "<NONE>"); > if (options->kex_algorithms == NULL) > Index: ssh.c > ==================================================================> RCS file: /cvs/src/usr.bin/ssh/ssh.c,v > retrieving revision 1.500 > diff -u -p -r1.500 ssh.c > --- ssh.c 19 Jan 2019 21:43:56 -0000 1.500 > +++ ssh.c 31 Mar 2019 09:01:29 -0000 > @@ -848,7 +848,7 @@ main(int ac, char **av) > } > break; > case 'c': > - if (!ciphers_valid(*optarg == '+' ? > + if (!ciphers_valid(*optarg == '+' || *optarg == '^' ? > optarg + 1 : optarg)) { > fprintf(stderr, "Unknown cipher type '%s'\n", > optarg); > Index: ssh_config.5 > ==================================================================> RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v > retrieving revision 1.292 > diff -u -p -r1.292 ssh_config.5 > --- ssh_config.5 1 Mar 2019 02:16:47 -0000 1.292 > +++ ssh_config.5 31 Mar 2019 09:40:24 -0000 > @@ -430,6 +430,10 @@ If the specified value begins with a > .Sq - > character, then the specified ciphers (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified ciphers will be placed at the head of the > +default set. > .Pp > The supported ciphers are: > .Bd -literal -offset indent > @@ -794,6 +798,10 @@ If the specified value begins with a > .Sq - > character, then the specified key types (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified key types will be placed at the head of the > +default set. > The default for this option is: > .Bd -literal -offset 3n > ecdsa-sha2-nistp256-cert-v01 at openssh.com, > @@ -822,6 +830,10 @@ If the specified value begins with a > .Sq - > character, then the specified key types (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified key types will be placed at the head of the > +default set. > The default for this option is: > .Bd -literal -offset 3n > ecdsa-sha2-nistp256-cert-v01 at openssh.com, > @@ -1052,6 +1064,10 @@ If the specified value begins with a > .Sq - > character, then the specified methods (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified methods will be placed at the head of the > +default set. > The default is: > .Bd -literal -offset indent > curve25519-sha256,curve25519-sha256 at libssh.org, > @@ -1133,6 +1149,10 @@ If the specified value begins with a > .Sq - > character, then the specified algorithms (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified algorithms will be placed at the head of the > +default set. > .Pp > The algorithms that contain > .Qq -etm > @@ -1290,6 +1310,10 @@ If the specified value begins with a > .Sq - > character, then the specified key types (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified key types will be placed at the head of the > +default set. > The default for this option is: > .Bd -literal -offset 3n > ecdsa-sha2-nistp256-cert-v01 at openssh.com, > Index: sshd_config.5 > ==================================================================> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v > retrieving revision 1.284 > diff -u -p -r1.284 sshd_config.5 > --- sshd_config.5 22 Mar 2019 20:58:34 -0000 1.284 > +++ sshd_config.5 31 Mar 2019 09:41:21 -0000 > @@ -466,6 +466,10 @@ If the specified value begins with a > .Sq - > character, then the specified ciphers (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified ciphers will be placed at the head of the > +default set. > .Pp > The supported ciphers are: > .Pp > @@ -680,6 +684,10 @@ If the specified value begins with a > .Sq - > character, then the specified key types (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified key types will be placed at the head of the > +default set. > The default for this option is: > .Bd -literal -offset 3n > ecdsa-sha2-nistp256-cert-v01 at openssh.com, > @@ -885,6 +893,10 @@ If the specified value begins with a > .Sq - > character, then the specified methods (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified methods will be placed at the head of the > +default set. > The supported algorithms are: > .Pp > .Bl -item -compact -offset indent > @@ -1002,6 +1014,10 @@ If the specified value begins with a > .Sq - > character, then the specified algorithms (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified algorithms will be placed at the head of the > +default set. > .Pp > The algorithms that contain > .Qq -etm > @@ -1407,6 +1423,10 @@ If the specified value begins with a > .Sq - > character, then the specified key types (including wildcards) will be removed > from the default set instead of replacing them. > +If the specified value begins with a > +.Sq ^ > +character, then the specified key types will be placed at the head of the > +default set. > The default for this option is: > .Bd -literal -offset 3n > ecdsa-sha2-nistp256-cert-v01 at openssh.com, > -- > Christian "naddy" Weisgerber naddy at mips.inka.de > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >