feat: add null hostkey for server

fix: skip gssapi tests in fips mode fix: skip gssapi_key_exchange_null test on ubuntu and tumbleweed fix: return early when rc != 0 to show error tests: replace int asserts by ssh return code asserts fix: add fatal error when hostkeys are not found and gssapi kex is not enabled ci: add comment linking gssapi null kex bug in ubuntu and tumbleweed fix: don't specify hostkeys in config instead of deleting files tests: assert kex method was null refactor: remove redundant include refactor: better error message fix: check null before accessing in gssapi.c fix: allow setting no hostkeys Signed-off-by: Gauravsingh Sisodia <xaerru@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-07 10:40:28 +09:00 · 2024-08-29 14:03:12 +00:00
parent fd1c3e8878
commit c1aab9903f
21 changed files with 579 additions and 117 deletions
--- a/src/server.c
+++ b/src/server.c
@@ -141,10 +141,6 @@ int server_set_kex(ssh_session session)
                 ",%s", ssh_key_type_to_char(keytype));
    }

-    if (strlen(hostkeys) == 0) {
-        return -1;
-    }
-
    if (session->opts.wanted_methods[SSH_HOSTKEYS]) {
        allowed = session->opts.wanted_methods[SSH_HOSTKEYS];
    } else {
@@ -155,33 +151,34 @@ int server_set_kex(ssh_session session)
        }
    }

-    /* It is expected for the list of allowed hostkeys to be ordered by
-     * preference */
-    kept = ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys,
-                                 allowed);
-    if (kept == NULL) {
-        /* Nothing was allowed */
-        return -1;
-    }
+    if (strlen(hostkeys) != 0) {
+        /* It is expected for the list of allowed hostkeys to be ordered by
+         * preference */
+        kept = ssh_find_all_matching(hostkeys[0] == ',' ? hostkeys + 1 : hostkeys,
+                                     allowed);
+        if (kept == NULL) {
+            /* Nothing was allowed */
+            return -1;
+        }

-    rc = ssh_options_set_algo(session,
-                              SSH_HOSTKEYS,
-                              kept,
-                              &session->opts.wanted_methods[SSH_HOSTKEYS]);
-    SAFE_FREE(kept);
-    if (rc < 0) {
-        return -1;
+        rc = ssh_options_set_algo(session,
+                                  SSH_HOSTKEYS,
+                                  kept,
+                                  &session->opts.wanted_methods[SSH_HOSTKEYS]);
+        SAFE_FREE(kept);
+        if (rc < 0) {
+            return -1;
+        }
    }
-
 #ifdef WITH_GSSAPI
-    if (session->opts.gssapi_key_exchange) {
+    if (session->opts.gssapi_key_exchange && !ssh_fips_mode()) {
        ok = ssh_gssapi_init(session);
        if (ok != SSH_OK) {
            ssh_set_error_oom(session);
            return SSH_ERROR;
        }

-        gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs ? session->opts.gssapi_key_exchange_algs : GSSAPI_KEY_EXCHANGE_SUPPORTED);
+        gssapi_algs = ssh_gssapi_kex_mechs(session, session->opts.gssapi_key_exchange_algs);
        if (gssapi_algs == NULL) {
            return SSH_ERROR;
        }
@@ -191,6 +188,10 @@ int server_set_kex(ssh_session session)
        session->opts.wanted_methods[SSH_KEX] =
            ssh_prefix_without_duplicates(ssh_kex_get_default_methods(SSH_KEX), gssapi_algs);

+        if (strlen(hostkeys) == 0) {
+            session->opts.wanted_methods[SSH_HOSTKEYS] = strdup("null");
+        }
+
        SAFE_FREE(gssapi_algs);
    }
 #endif /* WITH_GSSAPI */