options: Add option to set server accepted pubkey types

The added option SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES allows restricting the allowed public key types accepted by the server for authentication. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2025-11-27 13:21:11 +03:00 · 2019-05-15 11:48:49 +02:00
parent bc95a51710
commit f4363f5655
7 changed files with 136 additions and 11 deletions
--- a/src/options.c
+++ b/src/options.c
@@ -1608,6 +1608,10 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
 *                        paths of configuration files to
 *                        ssh_bind_options_parse_config().
 *
+ *                      - SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES:
+ *                        Set the public key algorithm accepted by the server
+ *                        (const char *, comma-separated list).
+ *
 * @param  value        The value to set. This is a generic pointer and the
 *                      datatype which should be used is described at the
 *                      corresponding value of type above.
@@ -1912,6 +1916,24 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
            }
        }
        break;
+    case SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES:
+        v = value;
+        if (v == NULL || v[0] == '\0') {
+            ssh_set_error_invalid(sshbind);
+            return -1;
+        } else {
+            p = ssh_keep_known_algos(SSH_HOSTKEYS, v);
+            if (p == NULL) {
+                ssh_set_error(sshbind, SSH_REQUEST_DENIED,
+                    "Setting method: no known public key algorithm (%s)",
+                     v);
+                return -1;
+            }
+
+            SAFE_FREE(sshbind->pubkey_accepted_key_types);
+            sshbind->pubkey_accepted_key_types = p;
+        }
+        break;
    default:
      ssh_set_error(sshbind, SSH_REQUEST_DENIED, "Unknown ssh option %d", type);
      return -1;