diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2022-09-17 12:33:18 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2022-09-17 12:39:02 +0200 |
| commit | 54b333d12e55e6560b328c737d514ff3511f1afd (patch) | |
| tree | a146a4a4f3413d2003e573de1f7085823a2f306c /sshconnect2.c | |
| parent | upstream: Add a sshkey_check_rsa_length() call for checking the (diff) | |
| download | openssh-54b333d12e55e6560b328c737d514ff3511f1afd.tar.xz openssh-54b333d12e55e6560b328c737d514ff3511f1afd.zip | |
upstream: add a RequiredRSASize for checking RSA key length in
ssh(1). User authentication keys that fall beneath this limit will be
ignored. If a host presents a host key beneath this limit then the connection
will be terminated (unfortunately there are no fallbacks in the protocol for
host authentication).
feedback deraadt, Dmitry Belyavskiy; ok markus@
OpenBSD-Commit-ID: 430e339b2a79fa9ecc63f2837b06fdd88a7da13a
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index f9bd19ea7..58fe98db2 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.360 2022/08/19 06:07:47 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.361 2022/09/17 10:33:18 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -96,6 +96,11 @@ static const struct ssh_conn_info *xxx_conn_info; static int verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) { + int r; + + if ((r = sshkey_check_rsa_length(hostkey, + options.required_rsa_size)) != 0) + fatal_r(r, "Bad server host key"); if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, xxx_conn_info) == -1) fatal("Host key verification failed."); @@ -1606,6 +1611,13 @@ load_identity_file(Identity *id) private = NULL; quit = 1; } + if (!quit && (r = sshkey_check_rsa_length(private, + options.required_rsa_size)) != 0) { + debug_fr(r, "Skipping key %s", id->filename); + sshkey_free(private); + private = NULL; + quit = 1; + } if (!quit && private != NULL && id->agent_fd == -1 && !(id->key && id->isprivate)) maybe_add_key_to_agent(id->filename, private, comment, @@ -1752,6 +1764,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt) /* list of keys supported by the agent */ if ((r = get_agent_identities(ssh, &agent_fd, &idlist)) == 0) { for (j = 0; j < idlist->nkeys; j++) { + if ((r = sshkey_check_rsa_length(idlist->keys[j], + options.required_rsa_size)) != 0) { + debug_fr(r, "ignoring %s agent key", + sshkey_ssh_name(idlist->keys[j])); + continue; + } found = 0; TAILQ_FOREACH(id, &files, next) { /* |