options: Add option to set server accepted pubkey types

The added option SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES allows restricting the allowed public key types accepted by the server for authentication. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-02-09 09:54:25 +09:00 · 2019-05-15 11:48:49 +02:00
parent bc95a51710
commit f4363f5655
7 changed files with 136 additions and 11 deletions
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -1358,6 +1358,60 @@ static void torture_bind_options_config_dir(void **state)
    assert_string_equal(bind->config_dir, replacement_dir);
 }

+static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
+{
+    struct bind_st *test_state;
+    ssh_bind bind;
+    int rc;
+
+    assert_non_null(state);
+    test_state = *((struct bind_st **)state);
+    assert_non_null(test_state);
+    assert_non_null(test_state->bind);
+    bind = test_state->bind;
+
+    /* Test known Pubkey Types */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->pubkey_accepted_key_types);
+    assert_string_equal(bind->pubkey_accepted_key_types,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+
+    SAFE_FREE(bind->pubkey_accepted_key_types);
+
+    /* Test with some unknown type */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
+        "ssh-ed25519,ecdsa-sha2-nistp384,unknown-type,ssh-rsa");
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->pubkey_accepted_key_types);
+    assert_string_equal(bind->pubkey_accepted_key_types,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+
+    SAFE_FREE(bind->pubkey_accepted_key_types);
+
+    /* Test with only unknown type */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
+        "unknown-type");
+    assert_int_equal(rc, -1);
+    assert_null(bind->pubkey_accepted_key_types);
+
+    /* Test with something set and then try unknown type */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->pubkey_accepted_key_types);
+    assert_string_equal(bind->pubkey_accepted_key_types,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
+        "unknown-type");
+    assert_int_equal(rc, -1);
+
+    /* Check that nothing changed */
+    assert_non_null(bind->pubkey_accepted_key_types);
+    assert_string_equal(bind->pubkey_accepted_key_types,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+}

 #endif /* WITH_SERVER */

@@ -1387,7 +1441,7 @@ int torture_run_tests(void) {
        cmocka_unit_test_setup_teardown(torture_options_copy, setup, teardown),
        cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown),
        cmocka_unit_test_setup_teardown(torture_options_config_match,
-                                        setup, teardown)
+                                        setup, teardown),
    };

 #ifdef WITH_SERVER
@@ -1428,6 +1482,8 @@ int torture_run_tests(void) {
                sshbind_setup, sshbind_teardown),
        cmocka_unit_test_setup_teardown(torture_bind_options_config_dir,
                sshbind_setup, sshbind_teardown),
+        cmocka_unit_test_setup_teardown(torture_bind_options_set_pubkey_accepted_key_types,
+                                        sshbind_setup, sshbind_teardown),
    };
 #endif /* WITH_SERVER */