options: Added an option to set server HostKey algorithms

The added option SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS allows restricting the signature algorithms to offer to the client for host authentication. The list set is used as a filter of allowed algorithms. First a list of possible signature algorithms to offer is created from the keys set and then such list is filtered against the allowed algorithms. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2025-11-29 01:03:57 +03:00 · 2019-05-17 11:38:43 +02:00
parent 8f6e6f774e
commit 250a0be0f9
4 changed files with 161 additions and 64 deletions
--- a/src/options.c
+++ b/src/options.c
@@ -1612,6 +1612,15 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
 *                        Set the public key algorithm accepted by the server
 *                        (const char *, comma-separated list).
 *
+ *                      - SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS:
+ *                        Set the list of allowed hostkey signatures algorithms
+ *                        to offer to the client, ordered by preference. This
+ *                        list is used as a filter when creating the list of
+ *                        algorithms to offer to the client: first the list of
+ *                        possible algorithms is created from the list of keys
+ *                        set and then filtered against this list.
+ *                        (const char *, comma-separated list).
+ *
 * @param  value        The value to set. This is a generic pointer and the
 *                      datatype which should be used is described at the
 *                      corresponding value of type above.
@@ -1934,6 +1943,18 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
            sshbind->pubkey_accepted_key_types = p;
        }
        break;
+    case SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS:
+        v = value;
+        if (v == NULL || v[0] == '\0') {
+            ssh_set_error_invalid(sshbind);
+            return -1;
+        } else {
+            rc = ssh_bind_set_algo(sshbind, SSH_HOSTKEYS, v);
+            if (rc < 0) {
+                return -1;
+            }
+        }
+        break;
    default:
      ssh_set_error(sshbind, SSH_REQUEST_DENIED, "Unknown ssh option %d", type);
      return -1;