upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
diff --git a/sshd.c b/sshd.c
index 86b3c64..81a9b82 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.453 2015/07/03 03:49:45 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.454 2015/07/10 06:21:53 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -95,6 +95,7 @@
#include "log.h"
#include "buffer.h"
#include "misc.h"
+#include "match.h"
#include "servconf.h"
#include "uidswap.h"
#include "compat.h"
@@ -799,6 +800,13 @@
key = sensitive_data.host_pubkeys[i];
if (key == NULL)
continue;
+ /* Check that the key is accepted in HostkeyAlgorithms */
+ if (match_pattern_list(sshkey_ssh_name(key),
+ options.hostkeyalgorithms, 0) != 1) {
+ debug3("%s: %s key not permitted by HostkeyAlgorithms",
+ __func__, sshkey_ssh_name(key));
+ continue;
+ }
switch (key->type) {
case KEY_RSA:
case KEY_DSA: