options: The new option SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES

This option allows to specify acceptable public key algorithms and reflects the PubkeyAcceptedTypes configuration option from OpenSSH. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-07 11:25:27 +02:00 · 2018-08-07 11:25:27 +02:00 · 4521ab73b6
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@ -404,6 +404,7 @@ enum ssh_options_e {
  SSH_OPTIONS_GSSAPI_AUTH,
  SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
  SSH_OPTIONS_NODELAY,
+  SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
 };

 enum {
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@ -204,6 +204,7 @@ struct ssh_session_struct {
        char *knownhosts;
        char *global_knownhosts;
        char *wanted_methods[10];
+        char *pubkey_accepted_types;
        char *ProxyCommand;
        char *custombanner;
        unsigned long timeout; /* seconds */
--- a/src/options.c
+++ b/src/options.c
@ -147,6 +147,14 @@ int ssh_options_copy(ssh_session src, ssh_session *dest) {
            return -1;
        }
    }
+
+    if (src->opts.pubkey_accepted_types != NULL) {
+        new->opts.pubkey_accepted_types = strdup(src->opts.pubkey_accepted_types);
+        if (new->opts.pubkey_accepted_types == NULL) {
+            ssh_free(new);
+            return -1;
+        }
+    }
    new->opts.fd                   = src->opts.fd;
    new->opts.port                 = src->opts.port;
    new->opts.timeout              = src->opts.timeout;
@ -343,6 +351,11 @@ int ssh_options_set_algo(ssh_session session,
 *                comma-separated list). ex:
 *                "ssh-rsa,ssh-dss,ecdh-sha2-nistp256"
 *
+ *              - SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES:
+ *                Set the preferred public key algorithms to be used for
+ *                authentication (const char *, comma-separated list). ex:
+ *                "ssh-rsa,rsa-sha2-256,ssh-dss,ecdh-sha2-nistp256"
+ *
 *              - SSH_OPTIONS_COMPRESSION_C_S:
 *                Set the compression to use for client to server
 *                communication (const char *, "yes", "no" or a specific
@ -743,6 +756,24 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                    return -1;
            }
            break;
+        case SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES:
+            v = value;
+            if (v == NULL || v[0] == '\0') {
+                ssh_set_error_invalid(session);
+                return -1;
+            } else {
+                p = ssh_keep_known_algos(SSH_HOSTKEYS, v);
+                if (p == NULL) {
+                    ssh_set_error(session, SSH_REQUEST_DENIED,
+                        "Setting method: no known public key algorithm (%s)",
+                         v);
+                    return -1;
+                }
+
+                SAFE_FREE(session->opts.pubkey_accepted_types);
+                session->opts.pubkey_accepted_types = p;
+            }
+            break;
        case SSH_OPTIONS_HMAC_C_S:
            v = value;
            if (v == NULL || v[0] == '\0') {
--- a/src/session.c
+++ b/src/session.c
@ -282,6 +282,7 @@ void ssh_free(ssh_session session) {
  SAFE_FREE(session->opts.ProxyCommand);
  SAFE_FREE(session->opts.gss_server_identity);
  SAFE_FREE(session->opts.gss_client_identity);
+  SAFE_FREE(session->opts.pubkey_accepted_types);

  for (i = 0; i < 10; i++) {
      if (session->opts.wanted_methods[i]) {