diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2022-09-17 12:34:29 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2022-09-17 12:39:02 +0200 |
| commit | 1875042c52a3b950ae5963c9ca3774a4cc7f0380 (patch) | |
| tree | 565cb2e51ec10a389be85eab619cd379d83545ea /servconf.c | |
| parent | upstream: add a RequiredRSASize for checking RSA key length in (diff) | |
| download | openssh-1875042c52a3b950ae5963c9ca3774a4cc7f0380.tar.xz openssh-1875042c52a3b950ae5963c9ca3774a4cc7f0380.zip | |
upstream: Add RequiredRSASize for sshd(8); RSA keys that fall
beneath this limit will be ignored for user and host-based authentication.
Feedback deraadt@ ok markus@
OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c index 29df0463d..423772b15 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.385 2022/06/03 04:30:47 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.386 2022/09/17 10:34:29 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options) options->fingerprint_hash = -1; options->disable_forwarding = -1; options->expose_userauth_info = -1; + options->required_rsa_size = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ @@ -441,6 +442,8 @@ fill_default_server_options(ServerOptions *options) options->expose_userauth_info = 0; if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); + if (options->required_rsa_size == -1) + options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; assemble_algorithms(options); @@ -517,6 +520,7 @@ typedef enum { sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, + sRequiredRSASize, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; @@ -676,6 +680,7 @@ static struct { { "rdomain", sRDomain, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, + { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -2438,6 +2443,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, *charptr = xstrdup(arg); break; + case sRequiredRSASize: + intptr = &options->required_rsa_size; + goto parse_int; + case sDeprecated: case sIgnore: case sUnsupported: @@ -2610,6 +2619,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); M_CP_INTOPT(log_level); + M_CP_INTOPT(required_rsa_size); /* * The bind_mask is a mode_t that may be unsigned, so we can't use @@ -2874,6 +2884,7 @@ dump_config(ServerOptions *o) dump_cfg_int(sMaxSessions, o->max_sessions); dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); + dump_cfg_int(sRequiredRSASize, o->required_rsa_size); dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); /* formatted integer arguments */ |