Patch: Ciphers, MACs and KexAlgorithms on Match

Armin Wolfermann aw at osn.de
Fri Jun 6 18:15:40 EST 2014


Hi all,

this is a patch to make Ciphers, MACs and KexAlgorithms available in
Match blocks. Now I can reach a -current machine with some Android
terminal app without changing the default ciphers for all clients: the
legacy algorithms that app needs (a CBC cipher, SHA-1 MAC and SHA-1
group-exchange KEX) are enabled only for that one address rather than
for everyone, e.g.:

Match Address 192.168.1.2
  Ciphers aes128-cbc
  MACs hmac-sha1
  KexAlgorithms diffie-hellman-group-exchange-sha1

Index: servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.249
diff -u -p -u -r1.249 servconf.c
--- servconf.c	29 Jan 2014 06:18:35 -0000	1.249
+++ servconf.c	6 Jun 2014 08:04:06 -0000
@@ -399,8 +399,8 @@ static struct {
 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
-	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
-	{ "macs", sMacs, SSHCFG_GLOBAL },
+	{ "ciphers", sCiphers, SSHCFG_ALL },
+	{ "macs", sMacs, SSHCFG_ALL },
 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
@@ -427,7 +427,7 @@ static struct {
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+	{ "kexalgorithms", sKexAlgorithms, SSHCFG_ALL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
@@ -1239,7 +1239,7 @@ process_server_config_line(ServerOptions
 		if (!ciphers_valid(arg))
 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->ciphers == NULL)
+		if (*activep && options->ciphers == NULL)
 			options->ciphers = xstrdup(arg);
 		break;
 
@@ -1250,7 +1250,7 @@ process_server_config_line(ServerOptions
 		if (!mac_valid(arg))
 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->macs == NULL)
+		if (*activep && options->macs == NULL)
 			options->macs = xstrdup(arg);
 		break;
 
@@ -1262,7 +1262,7 @@ process_server_config_line(ServerOptions
 		if (!kex_names_valid(arg))
 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->kex_algorithms == NULL)
+		if (*activep && options->kex_algorithms == NULL)
 			options->kex_algorithms = xstrdup(arg);
 		break;
 
Index: servconf.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
retrieving revision 1.112
diff -u -p -u -r1.112 servconf.h
--- servconf.h	29 Jan 2014 06:18:35 -0000	1.112
+++ servconf.h	6 Jun 2014 08:04:06 -0000
@@ -209,6 +209,9 @@ struct connection_info {
 		M_CP_STROPT(authorized_principals_file); \
 		M_CP_STROPT(authorized_keys_command); \
 		M_CP_STROPT(authorized_keys_command_user); \
+		M_CP_STROPT(ciphers); \
+		M_CP_STROPT(macs); \
+		M_CP_STROPT(kex_algorithms); \
 		M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
 		M_CP_STRARRAYOPT(allow_users, num_allow_users); \
 		M_CP_STRARRAYOPT(deny_users, num_deny_users); \
Index: sshd.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.426
diff -u -p -u -r1.426 sshd.c
--- sshd.c	29 Apr 2014 18:01:49 -0000	1.426
+++ sshd.c	6 Jun 2014 08:04:06 -0000
@@ -1919,6 +1919,10 @@ main(int ac, char **av)
 	verbose("Connection from %s port %d on %s port %d",
 	    remote_ip, remote_port,
 	    get_local_ipaddr(sock_in), get_local_port());
+	
+	/* Match configuration against the connection */
+	connection_info = get_connection_info(1, options.use_dns);
+	parse_server_match_config(&options, connection_info);
 
 	/*
 	 * We don't want to listen forever unless the other side
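Review bot: The new parse_server_match_config() call runs before key exchange, so the connection_info from get_connection_info(1, options.use_dns) carries only the peer and local address data; a Match block keyed on User or Group cannot be evaluated at this point and, as far as I can tell from the existing match_cfg_line(), will simply not match. When such a block does match in the later user-auth pass, its Ciphers/MACs/KexAlgorithms are copied into options after the algorithms have already been negotiated, so an administrator who restricts algorithms per user gets neither an error nor any effect. At minimum the sshd_config.5 text should state that these three keywords are only honoured under Address, Host, LocalAddress and LocalPort criteria, and a parser warning when they appear in a Match block that also lists User or Group would catch the misconfiguration early. Separately, the blank line added at the top of the hunk carries a trailing tab and should be empty. main() continues outside this hunk.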
Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.173
diff -u -p -u -r1.173 sshd_config.5
--- sshd_config.5	28 Mar 2014 05:17:11 -0000	1.173
+++ sshd_config.5	6 Jun 2014 08:04:06 -0000
@@ -896,6 +896,7 @@ Available keywords are
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
+.Cm Ciphers ,
 .Cm DenyGroups ,
 .Cm DenyUsers ,
 .Cm ForceCommand ,
@@ -905,6 +906,8 @@ Available keywords are
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
+.Cm KexAlgorithms ,
+.Cm MACs ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,


Regards,
Armin Wolfermann

