[openssh-commits] [openssh] 04/06: upstream: support multiple files in a sshd_config RevokedKeys
git+noreply at mindrot.org
git+noreply at mindrot.org
Thu Feb 12 10:30:32 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 135a62238a479c7369f2b2d5dafb921ddc1c2b74
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Wed Feb 11 22:57:16 2026 +0000
upstream: support multiple files in a sshd_config RevokedKeys
directive bz3918; ok dtucker
OpenBSD-Commit-ID: 9fc58c4e676f8e9ed2e3a0da666242a17b8a55b2
---
auth.c | 34 +++++++++++++++++++---------------
servconf.c | 34 +++++++++++++++++++++++++---------
servconf.h | 8 +++++---
3 files changed, 49 insertions(+), 27 deletions(-)
diff --git a/auth.c b/auth.c
index ad7c5774e..a0217a811 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.163 2025/09/15 04:39:15 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.164 2026/02/11 22:57:16 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -545,9 +545,10 @@ int
auth_key_is_revoked(struct sshkey *key)
{
char *fp = NULL;
+ u_int i;
int r;
- if (options.revoked_keys_file == NULL)
+ if (options.num_revoked_keys_files == 0)
return 0;
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL) {
@@ -556,19 +557,22 @@ auth_key_is_revoked(struct sshkey *key)
goto out;
}
- r = sshkey_check_revoked(key, options.revoked_keys_file);
- switch (r) {
- case 0:
- break; /* not revoked */
- case SSH_ERR_KEY_REVOKED:
- error("Authentication key %s %s revoked by file %s",
- sshkey_type(key), fp, options.revoked_keys_file);
- goto out;
- default:
- error_r(r, "Error checking authentication key %s %s in "
- "revoked keys file %s", sshkey_type(key), fp,
- options.revoked_keys_file);
- goto out;
+ for (i = 0; i < options.num_revoked_keys_files; i++) {
+ r = sshkey_check_revoked(key, options.revoked_keys_files[i]);
+ switch (r) {
+ case 0:
+ break; /* not revoked */
+ case SSH_ERR_KEY_REVOKED:
+ error("Authentication key %s %s revoked by file %s",
+ sshkey_type(key), fp,
+ options.revoked_keys_files[i]);
+ goto out;
+ default:
+ error_r(r, "Error checking authentication key %s %s in "
+ "revoked keys file %s", sshkey_type(key), fp,
+ options.revoked_keys_files[i]);
+ goto out;
+ }
}
/* Success */
diff --git a/servconf.c b/servconf.c
index 252e49ccb..a43995fdd 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.443 2025/12/19 01:26:39 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.444 2026/02/11 22:57:16 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -193,7 +193,8 @@ initialize_server_options(ServerOptions *options)
options->chroot_directory = NULL;
options->authorized_keys_command = NULL;
options->authorized_keys_command_user = NULL;
- options->revoked_keys_file = NULL;
+ options->revoked_keys_files = NULL;
+ options->num_revoked_keys_files = 0;
options->sk_provider = NULL;
options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL;
@@ -518,7 +519,6 @@ fill_default_server_options(ServerOptions *options)
CLEAR_ON_NONE(options->xauth_location);
CLEAR_ON_NONE(options->banner);
CLEAR_ON_NONE(options->trusted_user_ca_keys);
- CLEAR_ON_NONE(options->revoked_keys_file);
CLEAR_ON_NONE(options->sk_provider);
CLEAR_ON_NONE(options->authorized_principals_file);
CLEAR_ON_NONE(options->adm_forced_command);
@@ -534,6 +534,8 @@ fill_default_server_options(ServerOptions *options)
CLEAR_ON_NONE_ARRAY(channel_timeouts, num_channel_timeouts, "none");
CLEAR_ON_NONE_ARRAY(auth_methods, num_auth_methods, "any");
+ CLEAR_ON_NONE_ARRAY(revoked_keys_files, num_revoked_keys_files, "none");
+ CLEAR_ON_NONE_ARRAY(authorized_keys_files, num_authkeys_files, "none");
#undef CLEAR_ON_NONE
#undef CLEAR_ON_NONE_ARRAY
}
@@ -2191,13 +2193,25 @@ process_server_config_line_depth(ServerOptions *options, char *line,
* AuthorizedKeysFile /etc/ssh_keys/%u
*/
case sAuthorizedKeysFile:
- found = options->num_authkeys_files == 0;
+ uintptr = &options->num_authkeys_files;
+ chararrayptr = &options->authorized_keys_files;
+ parse_filenames:
+ found = *uintptr == 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
if (*arg == '\0') {
error("%s line %d: keyword %s empty argument",
filename, linenum, keyword);
goto out;
}
+ /* Allow "none" only in first position */
+ if (strcasecmp(arg, "none") == 0) {
+ if (nstrs > 0 || ac > 0) {
+ error("%s line %d: keyword %s \"none\" "
+ "argument must appear alone.",
+ filename, linenum, keyword);
+ goto out;
+ }
+ }
arg2 = tilde_expand_filename(arg, getuid());
opt_array_append(filename, linenum, keyword,
&strs, &nstrs, arg2);
@@ -2208,8 +2222,8 @@ process_server_config_line_depth(ServerOptions *options, char *line,
filename, linenum, keyword);
}
if (found && *activep) {
- options->authorized_keys_files = strs;
- options->num_authkeys_files = nstrs;
+ *chararrayptr = strs;
+ *uintptr = nstrs;
strs = NULL; /* transferred */
nstrs = 0;
}
@@ -2500,8 +2514,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
goto parse_filename;
case sRevokedKeys:
- charptr = &options->revoked_keys_file;
- goto parse_filename;
+ uintptr = &options->num_revoked_keys_files;
+ chararrayptr = &options->revoked_keys_files;
+ goto parse_filenames;
case sSecurityKeyProvider:
charptr = &options->sk_provider;
@@ -3314,7 +3329,6 @@ dump_config(ServerOptions *o)
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
- dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
@@ -3344,6 +3358,8 @@ dump_config(ServerOptions *o)
/* string array arguments */
dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
o->authorized_keys_files);
+ dump_cfg_strarray_oneline(sRevokedKeys, o->num_revoked_keys_files,
+ o->revoked_keys_files);
dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
o->host_key_files);
dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
diff --git a/servconf.h b/servconf.h
index f588f02e9..178dd1998 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.174 2025/12/19 01:27:19 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.175 2026/02/11 22:57:16 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -223,7 +223,8 @@ typedef struct {
u_int num_permitted_listens;
char *chroot_directory;
- char *revoked_keys_file;
+ uint num_revoked_keys_files;
+ char **revoked_keys_files;
char *trusted_user_ca_keys;
char *authorized_keys_command;
char *authorized_keys_command_user;
@@ -291,7 +292,6 @@ TAILQ_HEAD(include_list, include_item);
#define COPY_MATCH_STRING_OPTS() do { \
M_CP_STROPT(banner); \
M_CP_STROPT(trusted_user_ca_keys); \
- M_CP_STROPT(revoked_keys_file); \
M_CP_STROPT(authorized_keys_command); \
M_CP_STROPT(authorized_keys_command_user); \
M_CP_STROPT(authorized_principals_file); \
@@ -304,6 +304,8 @@ TAILQ_HEAD(include_list, include_item);
M_CP_STROPT(permit_user_env_allowlist); \
M_CP_STROPT(pam_service_name); \
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files, 1);\
+ M_CP_STRARRAYOPT(revoked_keys_files, \
+ num_revoked_keys_files, 1); \
M_CP_STRARRAYOPT(allow_users, num_allow_users, 1); \
M_CP_STRARRAYOPT(deny_users, num_deny_users, 1); \
M_CP_STRARRAYOPT(allow_groups, num_allow_groups, 1); \
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list