From 203d20aeb89e513b71624d0c12952352e6ca3525 Mon Sep 17 00:00:00 2001
From: Hans Nilsson
Date: Fri, 2 Nov 2018 12:49:03 +0100
Subject: ssh: Fix SSH_MSG_EXT_INFO bug for OTP SSH as client

The message could not be received in connected state
---
 lib/ssh/src/ssh_connection_handler.erl | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'lib/ssh')

diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 36152bacf7..84719ebc97 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -952,6 +952,10 @@ handle_event(_, #ssh_msg_userauth_info_request{}, {userauth_keyboard_interactive
 
 %%% ######## {connected, client|server} ####
 
+%% Skip ext_info messages in connected state (for example from OpenSSH >= 7.7)
+handle_event(_, #ssh_msg_ext_info{}, {connected,_Role}, D) ->
+ {keep_state, D};
+
 handle_event(_, {#ssh_msg_kexinit{},_}, {connected,Role}, D0) ->
 {KeyInitMsg, SshPacket, Ssh} = ssh_transport:key_exchange_init_msg(D0#data.ssh_params),
 D = D0#data{ssh_params = Ssh,
-- 
cgit v1.2.3

From 434090c14c0d1692c3eaeebb97c9b86c3dff01a5 Mon Sep 17 00:00:00 2001
From: Hans Nilsson
Date: Wed, 7 Nov 2018 15:01:39 +0100
Subject: ssh: Fix SSH_MSG_EXT_INFO bug for OTP SSH as server

The wrong set of supported public keys was sent to the client.
---
 lib/ssh/src/ssh_transport.erl | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'lib/ssh')

diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index edc927e807..6820f534cb 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
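Review bot: The new `handle_event(_, #ssh_msg_ext_info{}, {connected,_Role}, D)` clause discards the message without any trace, and its comment names only a trigger (OpenSSH >= 7.7) rather than why dropping is correct: RFC 8308 §2.4 explicitly allows a server to send a second EXT_INFO as the packet right after its first USERAUTH_SUCCESS, i.e. in the client's connected state, so any extension data carried there (for example a changed server-sig-algs) is silently lost. Ignoring it is probably fine because the extensions only influence the initial publickey userauth, but I would state that in the comment: `%% RFC 8308 2.4 allows EXT_INFO right after USERAUTH_SUCCESS; its extensions only affect the initial publickey userauth, so it is intentionally ignored here`. If the handler already has a debug hook for unexpected messages, reporting the drop there would make interop problems visible instead of invisible. The other handle_event clauses lie outside this hunk.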
@@ -772,8 +772,7 @@ ext_info_message(#ssh{role=server,
 send_ext_info=true,
 opts = Opts} = Ssh0) ->
 AlgsList = lists:map(fun erlang:atom_to_list/1,
- proplists:get_value(public_key,
- ?GET_OPT(preferred_algorithms, Opts))),
+ ?GET_OPT(pref_public_key_algs, Opts)),
 Msg = #ssh_msg_ext_info{nr_extensions = 1,
 data = [{"server-sig-algs", string:join(AlgsList,",")}]
 },
-- 
cgit v1.2.3

From a53a4d0bae3e39877f3edf4c0f33a350b34a8137 Mon Sep 17 00:00:00 2001
From: Hans Nilsson
Date: Wed, 7 Nov 2018 15:02:22 +0100
Subject: ssh: Fix ssh_options checking for ext_info

A bug for SSH_MSG_EXT_INFO was fixed both for client and server. Before that fix, wrong option was read for the information sent to the peer. This commit adapts the option checking so that the correct option now used is available not only for servers but also for clients.
---
 lib/ssh/src/ssh_options.erl | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'lib/ssh')

diff --git a/lib/ssh/src/ssh_options.erl b/lib/ssh/src/ssh_options.erl
index 1e10f72956..3417466c4d 100644
--- a/lib/ssh/src/ssh_options.erl
+++ b/lib/ssh/src/ssh_options.erl
@@ -445,12 +445,6 @@ default(client) ->
 class => user_options
 },
 
- {pref_public_key_algs, def} =>
- #{default => ssh_transport:default_algorithms(public_key),
- chk => fun check_pref_public_key_algs/1,
- class => user_options
- },
-
 {dh_gex_limits, def} =>
 #{default => {1024, 6144, 8192}, % FIXME: Is this true nowadays?
 chk => fun({Min,I,Max}) ->
@@ -516,6 +510,12 @@ default(common) ->
 class => user_options
 },
 
+ {pref_public_key_algs, def} =>
+ #{default => ssh_transport:default_algorithms(public_key),
+ chk => fun check_pref_public_key_algs/1,
+ class => user_options
+ },
+
 {preferred_algorithms, def} =>
 #{default => ssh:default_algorithms(),
 chk => fun check_preferred_algorithms/1,
-- 
cgit v1.2.3

From c37c4814295aedfc416ec8739bd1b8af8425bace Mon Sep 17 00:00:00 2001
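Review bot: server-sig-algs is now built verbatim from `?GET_OPT(pref_public_key_algs, Opts)`, an option this same series documents as the list of user (client) key algorithms to try, so a server advertises whatever the operator put in that option rather than the set it actually accepts during publickey userauth; RFC 8308 §3.1 requires the extension to list the algorithms the server accepts for user authentication, and a mismatch makes clients either pick a key the server then rejects or skip a key it would have accepted. The hunk does not show how incoming userauth signatures are validated, so I cannot tell whether the two sets are kept in sync elsewhere; I would pin the contract on that line with `%% RFC 8308 3.1: must equal the set accepted in publickey userauth (pref_public_key_algs now also governs the server side)` and add a test asserting that the advertised list equals the accepted one. The rest of ext_info_message lies outside the hunk.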
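Review bot: Moving `{pref_public_key_algs, def}` into `default(common)` gives servers an independent public key list defaulting to `ssh_transport:default_algorithms(public_key)`, but nothing in this hunk ties it to the `public_key` entry of `preferred_algorithms`/`modify_algorithms` that operators already use to disable weak signature algorithms, so a server that removed e.g. ssh-rsa there may still advertise it unless `check_pref_public_key_algs/1` (outside the hunk) intersects the two. A short comment at the option entry would make the split explicit: `%% clients: user keys to try; servers: what server-sig-algs advertises. Not derived from preferred_algorithms`. A test that a `modify_algorithms` removal is reflected in the advertised list would settle whether the sets can drift. The `default(common)` function continues beyond the hunk.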
From: Hans Nilsson Date: Wed, 7 Nov 2018 15:00:54 +0100 Subject: ssh: Fix documentation for public key in ext_info --- lib/ssh/doc/src/ssh.xml | 32 ++++++++++++++++---------------- lib/ssh/src/ssh.hrl | 7 +++---- 2 files changed, 19 insertions(+), 20 deletions(-) (limited to 'lib/ssh') diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index e31d630ebf..8435fced11 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -182,22 +182,6 @@ - - - -

List of user (client) public key algorithms to try to use.

-

The default value is the public_key entry in the list returned by - ssh:default_algorithms/0. -

-

If there is no public key of a specified type available, the corresponding entry is ignored. - Note that the available set is dependent on the underlying cryptolib and current user's public keys. -

-

See also the option user_dir - for specifying the path to the user's keys. -

-
-
- @@ -793,6 +777,22 @@ + + + +

List of user (client) public key algorithms to try to use.

+

The default value is the public_key entry in the list returned by + ssh:default_algorithms/0. +

+

If there is no public key of a specified type available, the corresponding entry is ignored. + Note that the available set is dependent on the underlying cryptolib and current user's public keys. +

+

See also the option user_dir + for specifying the path to the user's keys. +

+
+
+ diff --git a/lib/ssh/src/ssh.hrl b/lib/ssh/src/ssh.hrl index 233f3caa5d..f645201c4f 100644 --- a/lib/ssh/src/ssh.hrl +++ b/lib/ssh/src/ssh.hrl @@ -182,6 +182,7 @@ | ssh_msg_debug_fun_common_option() | rekey_limit_common_option() | id_string_common_option() + | pref_public_key_algs_common_option() | preferred_algorithms_common_option() | modify_algorithms_common_option() | auth_methods_common_option() @@ -209,6 +210,7 @@ {ssh_msg_debug_fun, fun((ssh:connection_ref(),AlwaysDisplay::boolean(),Msg::binary(),LanguageTag::binary()) -> any()) } . -type id_string_common_option() :: {id_string, string() | random | {random,Nmin::pos_integer(),Nmax::pos_integer()} }. +-type pref_public_key_algs_common_option() :: {pref_public_key_algs, [pubkey_alg()] } . -type preferred_algorithms_common_option():: {preferred_algorithms, algs_list()}. -type modify_algorithms_common_option() :: {modify_algorithms, modify_algs_list()}. -type auth_methods_common_option() :: {auth_methods, string() }. @@ -227,8 +229,7 @@ -type client_option() :: - pref_public_key_algs_client_option() - | ssh_file:pubkey_passphrase_client_options() + ssh_file:pubkey_passphrase_client_options() | host_accepting_client_options() | authentication_client_options() | diffie_hellman_group_exchange_client_option() @@ -242,8 +243,6 @@ {keyboard_interact_fun, fun((term(),term(),term()) -> term())} | opaque_common_options(). --type pref_public_key_algs_client_option() :: {pref_public_key_algs, [pubkey_alg()] } . - -type host_accepting_client_options() :: {silently_accept_hosts, accept_hosts()} | {user_interaction, boolean()} -- cgit v1.2.3 From cf17c5bc0444daf76de08df12a8c7b87e1805ba6 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Fri, 2 Nov 2018 12:48:21 +0100 Subject: ssh: Check compatibility with new OpenSSH versions --- lib/ssh/test/ssh_compat_SUITE_data/build_scripts/create_all | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'lib/ssh') 
diff --git a/lib/ssh/test/ssh_compat_SUITE_data/build_scripts/create_all b/lib/ssh/test/ssh_compat_SUITE_data/build_scripts/create_all
index 0dcf8cb570..c2e77fcc79 100755
--- a/lib/ssh/test/ssh_compat_SUITE_data/build_scripts/create_all
+++ b/lib/ssh/test/ssh_compat_SUITE_data/build_scripts/create_all
@@ -18,6 +18,12 @@ SSH_SSL_VERSIONS=(\
 openssh 7.6p1 openssl 1.0.2n \
 \
 openssh 7.6p1 libressl 2.6.4 \
+ \
+ openssh 7.7p1 openssl 1.0.2p \
+ openssh 7.8p1 openssl 1.0.2p \
+ openssh 7.9p1 openssl 1.0.2p \
+ \
+ openssh 7.9p1 libressl 2.6.4 \
 )
 
 if [ "x$1" == "x-b" ]
-- 
cgit v1.2.3

From ca8b287e0d46c4db053cce661e9800185b04c8ca Mon Sep 17 00:00:00 2001
From: Hans Nilsson
Date: Wed, 7 Nov 2018 14:26:11 +0100
Subject: ssh: Clear remote user_dir in ssh_compat_SUITE

---
 lib/ssh/test/ssh_compat_SUITE.erl | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'lib/ssh')

diff --git a/lib/ssh/test/ssh_compat_SUITE.erl b/lib/ssh/test/ssh_compat_SUITE.erl
index 1c607bebe8..af85ef7aee 100644
--- a/lib/ssh/test/ssh_compat_SUITE.erl
+++ b/lib/ssh/test/ssh_compat_SUITE.erl
@@ -648,6 +648,7 @@ setup_remote_priv_and_local_auth_keys(KeyAlg, IP, Port, UserDir, Config) ->
 {silently_accept_hosts,true},
 {user_interaction,false}
 ]),
+ rm_id_in_remote_dir(Ch, ".ssh"),
 _ = ssh_sftp:make_dir(Ch, ".ssh"),
 DstFile = filename:join(".ssh", dst_filename(user,KeyAlg)),
 ok = ssh_sftp:write_file(Ch, DstFile, Priv),
@@ -658,6 +659,18 @@ setup_remote_priv_and_local_auth_keys(KeyAlg, IP, Port, UserDir, Config) ->
 ok = ssh:close(Cc),
 UserDir.
 
+rm_id_in_remote_dir(Ch, Dir) ->
+ case ssh_sftp:list_dir(Ch, Dir) of
+ {error,_Error} ->
+ ok;
+ {ok,FileNames} ->
+ lists:foreach(fun("id_"++_ = F) ->
+ ok = ssh_sftp:delete(Ch, filename:join(Dir,F));
+ (_) ->
+ leave
+ end, FileNames)
+ end.
+
 user_priv_pub_keys(Config, KeyAlg) -> priv_pub_keys("users_keys", user, Config, KeyAlg).
 host_priv_pub_keys(Config, KeyAlg) -> priv_pub_keys("host_keys", host, Config, KeyAlg).
 
-- 
cgit v1.2.3
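Review bot: `rm_id_in_remote_dir/2` turns every `ssh_sftp:list_dir` error into `ok`, so a permission problem or an unreadable directory leaves stale `id_*` keys from a previous run in place and the new key is then written next to them, which is exactly the interference this commit sets out to remove; the only error worth tolerating is the directory not existing yet, since `make_dir` is called right after. The `leave` catch-all inside the `lists:foreach` fun is also unidiomatic, and a comprehension with a pattern generator expresses the "id_" filter directly. Note that the prefix filter assumes `dst_filename(user,KeyAlg)` (outside the hunk) yields `id_*` names, and that deleting every `id_*` under a remote `.ssh` is destructive, so this helper must only ever run against the throw-away compat containers — worth a comment on the function. Rewritten body below, with `no_such_file` to be confirmed as the atom ssh_sftp returns for a missing directory; any other error should crash the test case rather than be swallowed.
```erlang
%% Test-only: deletes every id_* entry in the remote Dir so keys from an
%% earlier run cannot be picked up. Only run against the compat containers.
rm_id_in_remote_dir(Ch, Dir) ->
    case ssh_sftp:list_dir(Ch, Dir) of
        {ok, FileNames} ->
            %% generator pattern skips names not starting with "id_"
            [ok = ssh_sftp:delete(Ch, filename:join(Dir,F)) || "id_"++_ = F <- FileNames],
            ok;
        {error, no_such_file} ->
            ok   % nothing to clear; caller creates Dir next
    end.
```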