author | Damien Miller <djm@cvs.openbsd.org> | 2015-01-26 03:04:47 +0000 |
committer | Damien Miller <djm@cvs.openbsd.org> | 2015-01-26 03:04:47 +0000 |
commit | eb39409bcc73a02ed00ce4a050ca400115a85aca (patch) | |
tree | 3417642a1daec6e71a2156999d8626d947d63875 /usr.bin/ssh/readconf.c | |
parent | ec70fe89ea2c7355199e5eda04e830bb613137cb (diff) |
Host key rotation support.
Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host keys after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config
option (default on).
ok markus@
Diffstat (limited to 'usr.bin/ssh/readconf.c')
-rw-r--r-- | usr.bin/ssh/readconf.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index eabfa3c739e..5b330e19f76 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.228 2015/01/16 06:40:12 deraadt Exp $ */
+/* $OpenBSD: readconf.c,v 1.229 2015/01/26 03:04:45 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -145,7 +145,7 @@ typedef enum {
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-	oFingerprintHash,
+	oFingerprintHash, oUpdateHostkeys,
 	oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -262,6 +262,7 @@ static struct {
 	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
 	{ "revokedhostkeys", oRevokedHostKeys },
 	{ "fingerprinthash", oFingerprintHash },
+	{ "updatehostkeys", oUpdateHostkeys },
 	{ "ignoreunknown", oIgnoreUnknown },
 
 	{ NULL, oBadOption }
@@ -1464,6 +1465,10 @@ parse_int:
 		*intptr = value;
 		break;
 
+	case oUpdateHostkeys:
+		intptr = &options->update_hostkeys;
+		goto parse_flag;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@@ -1642,6 +1647,7 @@ initialize_options(Options * options)
 	options->canonicalize_hostname = -1;
 	options->revoked_host_keys = NULL;
 	options->fingerprint_hash = -1;
+	options->update_hostkeys = -1;
 }
 
 /*
@@ -1819,6 +1825,8 @@ fill_default_options(Options * options)
 	options->canonicalize_hostname = SSH_CANONICALISE_NO;
 	if (options->fingerprint_hash == -1)
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+	if (options->update_hostkeys == -1)
+		options->update_hostkeys = 1;
 
 #define CLEAR_ON_NONE(v) \
 	do { \
@@ -2242,6 +2250,7 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_fmtint(oUsePrivilegedPort, o->use_privileged_port);
 	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
 	dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);
+	dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);
 
 	/* Integer options */
 	dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
|
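Review bot: The bare `options->update_hostkeys = 1;` in the fill_default_options hunk silently enables a default that lets server-supplied data change the client's known_hosts trust store, and nothing in the file says so; a reader sees only an unexplained `1`. Suggest a why-comment on that line, `/* default on: host keys announced by the server after auth may be recorded in known_hosts */`, so the trust consequence of the default is visible where it is set. The new `case oUpdateHostkeys:` reuses `parse_flag`, which presumably restricts the value to yes/no — worth confirming that a plain boolean is the intended surface for a setting that decides whether known_hosts is written at all. The bodies of process_config_line, initialize_options and fill_default_options all begin outside these hunks.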