authorMarkus Friedl <markus@cvs.openbsd.org>2002-11-07 22:08:08 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2002-11-07 22:08:08 +0000
commitc8bbe0feb4ebc9bf4fef4d4fe8fb9fe23a856145 (patch)
tree1d30261814e18fd1bcac57ea432cdafdb1735692
parent178091a95d08dfe89500e08ea6f61a0a548a594b (diff)
we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
because HostbasedAuthentication might be enabled based on the target host, and ssh-keysign(8) does not know the remote hostname and does not trust ssh(1) about the hostname, so we add a new option EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de
-rw-r--r--usr.bin/ssh/readconf.c11
-rw-r--r--usr.bin/ssh/readconf.h4
-rw-r--r--usr.bin/ssh/ssh-keysign.84
-rw-r--r--usr.bin/ssh/ssh-keysign.c6
4 files changed, 18 insertions, 7 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index f07c89aa95c..fbe4a2b33ea 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.101 2002/11/07 22:08:07 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -114,6 +114,7 @@ typedef enum {
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign,
oDeprecated
} OpCodes;
@@ -185,6 +186,7 @@ static struct {
{ "bindaddress", oBindAddress },
{ "smartcarddevice", oSmartcardDevice },
{ "clearallforwardings", oClearAllForwardings },
+ { "enablesshkeysign", oEnableSSHKeysign },
{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
{ NULL, oBadOption }
};
@@ -667,6 +669,10 @@ parse_int:
*intptr = value;
break;
+ case oEnableSSHKeysign:
+ intptr = &options->enable_ssh_keysign;
+ goto parse_flag;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
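Review bot: The new `enablesshkeysign` keyword (keyword table hunk above, parsed here via `parse_flag`) is not documented in ssh_config(5); the diffstat lists only ssh-keysign.8, so a user reading the client config manual has no way to learn the option exists or that it only matters in the system-wide file. Because the parser accepts the keyword from any config file it is handed, it would be worth stating in that manual page that per-user settings have no effect on ssh-keysign(8), which in the ssh-keysign.c hunk reads only `_PATH_HOST_CONFIG_FILE`. Minor style point: the initialize_options hunk writes `options->enable_ssh_keysign = - 1;` while fill_default_options compares against `-1`; `options->enable_ssh_keysign = -1;` would match the latter. The enclosing switch in process_config_line starts and ends outside this hunk.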
@@ -790,6 +796,7 @@ initialize_options(Options * options)
options->preferred_authentications = NULL;
options->bind_address = NULL;
options->smartcard_device = NULL;
+ options->enable_ssh_keysign = - 1;
options->no_host_authentication_for_localhost = - 1;
}
@@ -905,6 +912,8 @@ fill_default_options(Options * options)
clear_forwardings(options);
if (options->no_host_authentication_for_localhost == - 1)
options->no_host_authentication_for_localhost = 0;
+ if (options->enable_ssh_keysign == -1)
+ options->enable_ssh_keysign = 0;
/* options->proxy_command should not be set by default */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 92af535d04c..bc5968843b8 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.43 2002/06/08 05:17:01 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.44 2002/11/07 22:08:07 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -99,6 +99,8 @@ typedef struct {
int num_remote_forwards;
Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
int clear_forwardings;
+
+ int enable_ssh_keysign;
int no_host_authentication_for_localhost;
} Options;
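Review bot: The new `enable_ssh_keysign` field is added without a comment, and nothing in the header explains that it is a security gate rather than an ordinary client preference. A one-line comment such as `int enable_ssh_keysign;	/* permit ssh-keysign(8) to sign; read from the system-wide ssh_config only */` would tell a future maintainer why it is distinct from hostbased_authentication. The only consumer visible in this commit is ssh-keysign.c, so whether ssh(1) itself ever consults the flag cannot be confirmed from this diff.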
diff --git a/usr.bin/ssh/ssh-keysign.8 b/usr.bin/ssh/ssh-keysign.8
index cea4a8244a6..9a87731f9ee 100644
--- a/usr.bin/ssh/ssh-keysign.8
+++ b/usr.bin/ssh/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.3 2002/07/03 14:21:05 markus Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.4 2002/11/07 22:08:07 markus Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@@ -42,7 +42,7 @@ is disabled by default and can only be enabled in the
the global client configuration file
.Pa /etc/ssh/ssh_config
by setting
-.Cm HostbasedAuthentication
+.Cm EnableSSHKeysign
to
.Dq yes .
.Pp
diff --git a/usr.bin/ssh/ssh-keysign.c b/usr.bin/ssh/ssh-keysign.c
index f76cfcc6566..aa0815381cb 100644
--- a/usr.bin/ssh/ssh-keysign.c
+++ b/usr.bin/ssh/ssh-keysign.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.7 2002/07/03 14:21:05 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.8 2002/11/07 22:08:07 markus Exp $");
#include <openssl/evp.h>
#include <openssl/rand.h>
@@ -158,8 +158,8 @@ main(int argc, char **argv)
initialize_options(&options);
(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
fill_default_options(&options);
- if (options.hostbased_authentication != 1)
- fatal("Hostbased authentication not enabled in %s",
+ if (options.enable_ssh_keysign != 1)
+ fatal("ssh-keysign not enabled in %s",
_PATH_HOST_CONFIG_FILE);
if (key_fd[0] == -1 && key_fd[1] == -1)