[openssh-commits] [openssh] 05/08: upstream: Add ModuliFile keyword to sshd_config to specify the

git+noreply at mindrot.org git+noreply at mindrot.org
Sat Mar 13 13:55:09 AEDT 2021


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 88057eb6df912abf2678ea5c846d9d9cbc92752c
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Fri Mar 12 04:08:19 2021 +0000

    upstream: Add ModuliFile keyword to sshd_config to specify the
    
    location of the "moduli" file containing the groups for DH-GEX.  This will
    allow us to run tests against arbitrary moduli files without having to
    install them. ok djm@
    
    OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
---
 dh.c          | 23 ++++++++++++++++++-----
 dh.h          |  3 ++-
 servconf.c    | 12 ++++++++++--
 servconf.h    |  3 ++-
 sshd.c        |  6 +++++-
 sshd_config.5 | 14 ++++++++++++--
 6 files changed, 49 insertions(+), 12 deletions(-)

diff --git a/dh.c b/dh.c
index b5bb35e4..82590f68 100644
--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.72 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: dh.c,v 1.73 2021/03/12 04:08:19 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  *
@@ -45,6 +45,18 @@
 
 #include "openbsd-compat/openssl-compat.h"
 
+static const char *moduli_filename;
+
+void dh_set_moduli_file(const char *filename)
+{
+	moduli_filename = filename;
+}
+
+static const char * get_moduli_filename(void)
+{
+	return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
+}
+
 static int
 parse_prime(int linenum, char *line, struct dhgroup *dhg)
 {
@@ -152,9 +164,9 @@ choose_dh(int min, int wantbits, int max)
 	int best, bestcount, which, linenum;
 	struct dhgroup dhg;
 
-	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
+	if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
 		logit("WARNING: could not open %s (%s), using fixed modulus",
-		    _PATH_DH_MODULI, strerror(errno));
+		    get_moduli_filename(), strerror(errno));
 		return (dh_new_group_fallback(max));
 	}
 
@@ -185,7 +197,8 @@ choose_dh(int min, int wantbits, int max)
 
 	if (bestcount == 0) {
 		fclose(f);
-		logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI);
+		logit("WARNING: no suitable primes in %s",
+		    get_moduli_filename());
 		return (dh_new_group_fallback(max));
 	}
 	which = arc4random_uniform(bestcount);
@@ -210,7 +223,7 @@ choose_dh(int min, int wantbits, int max)
 	fclose(f);
 	if (bestcount != which + 1) {
 		logit("WARNING: selected prime disappeared in %s, giving up",
-		    _PATH_DH_MODULI);
+		    get_moduli_filename());
 		return (dh_new_group_fallback(max));
 	}
 
diff --git a/dh.h b/dh.h
index 5d6df629..c6326a39 100644
--- a/dh.h
+++ b/dh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.h,v 1.18 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: dh.h,v 1.19 2021/03/12 04:08:19 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
@@ -47,6 +47,7 @@ int	 dh_gen_key(DH *, int);
 int	 dh_pub_is_valid(const DH *, const BIGNUM *);
 
 u_int	 dh_estimate(int);
+void	 dh_set_moduli_file(const char *);
 
 /*
  * Max value from RFC4419.
diff --git a/servconf.c b/servconf.c
index 9695583a..4cc936dd 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.377 2021/02/24 01:18:08 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.378 2021/03/12 04:08:19 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -305,6 +305,8 @@ fill_default_server_options(ServerOptions *options)
 		add_listen_addr(options, NULL, NULL, 0);
 	if (options->pid_file == NULL)
 		options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
+	if (options->moduli_file == NULL)
+		options->moduli_file = xstrdup(_PATH_DH_MODULI);
 	if (options->login_grace_time == -1)
 		options->login_grace_time = 120;
 	if (options->permit_root_login == PERMIT_NOT_SET)
@@ -500,7 +502,7 @@ typedef enum {
 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
-	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
+	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
@@ -548,6 +550,7 @@ static struct {
 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
 	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
+	{ "modulifile", sModuliFile, SSHCFG_GLOBAL },
 	{ "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
 	{ "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
@@ -1451,6 +1454,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		}
 		break;
 
+	case sModuliFile:
+		charptr = &options->moduli_file;
+		goto parse_filename;
+
 	case sPermitRootLogin:
 		intptr = &options->permit_root_login;
 		multistate_ptr = multistate_permitrootlogin;
@@ -2875,6 +2882,7 @@ dump_config(ServerOptions *o)
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
+	dump_cfg_string(sModuliFile, o->moduli_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
 	dump_cfg_string(sCiphers, o->ciphers);
 	dump_cfg_string(sMacs, o->macs);
diff --git a/servconf.h b/servconf.h
index 4f4fd9ba..3ce9284f 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.151 2021/01/26 05:32:21 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.152 2021/03/12 04:08:19 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -93,6 +93,7 @@ typedef struct {
 
 	char   *host_key_agent;		/* ssh-agent socket for host keys. */
 	char   *pid_file;		/* Where to put our pid */
+	char   *moduli_file;		/* moduli file for DH-GEX */
 	int     login_grace_time;	/* Disconnect if no auth in this time
 					 * (sec). */
 	int     permit_root_login;	/* PERMIT_*, see above */
diff --git a/sshd.c b/sshd.c
index 6277e6d6..bda7455f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.570 2021/02/05 02:20:23 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.571 2021/03/12 04:08:19 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -124,6 +124,7 @@
 #include "ssherr.h"
 #include "sk-api.h"
 #include "srclimit.h"
+#include "dh.h"
 
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
@@ -1724,6 +1725,9 @@ main(int ac, char **av)
 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
 	    cfg, &includes, NULL);
 
+	if (options.moduli_file != NULL)
+		dh_set_moduli_file(options.moduli_file);
+
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
 
diff --git a/sshd_config.5 b/sshd_config.5
index 3db9353c..c3a67e18 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.328 2021/02/27 23:42:37 djm Exp $
-.Dd $Mdocdate: February 27 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.329 2021/03/12 04:08:19 dtucker Exp $
+.Dd $Mdocdate: March 12 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1256,6 +1256,16 @@ will refuse connection attempts with a probability of rate/100 (30%)
 if there are currently start (10) unauthenticated connections.
 The probability increases linearly and all connection attempts
 are refused if the number of unauthenticated connections reaches full (60).
+.It Cm ModuliFile
+Specifies the
+.Xr moduli 5
+file that contains the Diffie-Hellman groups used for the
+.Dq diffie-hellman-group-exchange-sha1
+and
+.Dq diffie-hellman-group-exchange-sha256
+key exchange methods.
+The default is
+.Pa /etc/moduli .
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list