HostkeyAlgorithms + support seems broken [7.0]

Damien Miller djm at mindrot.org
Sat Aug 22 09:51:51 AEST 2015


On Fri, 21 Aug 2015, Bryan Drewery wrote:

> The `+' support for HostkeyAlgorithms seems wrong compared to the other
> configuration options; it replaces with literal +value.

Oops, yes - it's broken for the server.

> A similar problem exists with ssh_config:
> 
> # ssh -G user at 127.0.0.1|grep hostkeyalgorithms
> hostkeyalgorithms +ssh-dss

The client handles it correctly as far as key exchange goes, but doesn't
display the expanded set. This diff fixes both:


diff --git a/readconf.c b/readconf.c
index 374e741..23d74fb 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
 	int i;
 	char vbuf[5];
 
+	/* This is normally prepared in ssh_kex2 */
+	if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
+		fatal("%s: kex_assemble_names failed", __func__);
+
 	/* Most interesting options first: user, host, port */
 	dump_cfg_string(oUser, o->user);
 	dump_cfg_string(oHostName, host);
@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_string(oBindAddress, o->bind_address);
 	dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
 	dump_cfg_string(oControlPath, o->control_path);
-	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
+	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
 	dump_cfg_string(oHostKeyAlias, o->host_key_alias);
 	dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
 	dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
diff --git a/servconf.c b/servconf.c
index 04404a4..08c8139 100644
--- a/servconf.c
+++ b/servconf.c
@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
 		options->hostbased_authentication = 0;
 	if (options->hostbased_uses_name_from_packet_only == -1)
 		options->hostbased_uses_name_from_packet_only = 0;
-	if (options->hostkeyalgorithms == NULL)
-		options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
 	if (options->rsa_authentication == -1)
 		options->rsa_authentication = 1;
 	if (options->pubkey_authentication == -1)
@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
 	    kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
 	    kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
+	    &options->hostkeyalgorithms) != 0 ||
+	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 	    &options->hostbased_key_types) != 0 ||
 	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
 	    &options->pubkey_key_types) != 0)


More information about the openssh-unix-dev mailing list