Bugzilla – Attachment 2185 Details for Bug 2041: Check for SSHFP when certificate is offered.
[patch] Check for SSHFP when certificate is offered.
0003-Check-for-SSHFP-when-certificate-is-offered.patch (text/plain), 2.09 KB, created by Ondrej Caletka on 2012-08-31 19:48:08 AEST

Description: Check for SSHFP when certificate is offered.
Filename: 0003-Check-for-SSHFP-when-certificate-is-offered.patch
MIME Type: text/plain
Creator: Ondrej Caletka
Created: 2012-08-31 19:48:08 AEST
Size: 2.09 KB
Flags: patch, obsolete
>From 58ba847079d95e8a4e55026c440ee64594622531 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Ond=C5=99ej=20Caletka?= <ondrej@caletka.cz> >Date: Fri, 31 Aug 2012 11:04:17 +0200 >Subject: [PATCH 3/3] Check for SSHFP when certificate is offered > >When the sshd offer a certificate to client (which is default, when such >a certificate is configured), the client matches SSHFP records >against the public key embedded in the certificate. >--- > sshconnect.c | 27 ++++++++++++++++++--------- > 1 files changed, 18 insertions(+), 9 deletions(-) > >diff --git a/sshconnect.c b/sshconnect.c >index 0ee7266..ff98815 100644 >--- a/sshconnect.c >+++ b/sshconnect.c >@@ -1108,6 +1108,7 @@ fail: > int > verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) > { >+ Key *raw_key = host_key; > int flags = 0; > char *fp; 
> >@@ -1115,23 +1116,31 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) > debug("Server host key: %s %s", key_type(host_key), fp); > xfree(fp); > >- /* XXX certs are not yet supported for DNS */ >- if (!key_is_cert(host_key) && options.verify_host_key_dns && >- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { >+ /* certs are not yet supported for DNS - check instead for key FP */ >+ if (options.verify_host_key_dns && key_is_cert(host_key)) { >+ raw_key = key_from_private(host_key); >+ if (key_drop_cert(raw_key) != 0) >+ fatal("Couldn't drop certificate"); >+ } >+ if (options.verify_host_key_dns && >+ verify_host_key_dns(host, hostaddr, raw_key, &flags) == 0) { > if (flags & DNS_VERIFY_FOUND) { > >- if (options.verify_host_key_dns == 1 && >- flags & DNS_VERIFY_MATCH && >- flags & DNS_VERIFY_SECURE) >- return 0; >- > if (flags & DNS_VERIFY_MATCH) { > matching_host_key_dns = 1; > } else { >- warn_changed_key(host_key); >+ warn_changed_key(raw_key); > error("Update the SSHFP RR in DNS with the new " > "host key to get rid of this message."); > } >+ >+ if (raw_key != host_key) >+ key_free(raw_key); >+ >+ if (options.verify_host_key_dns == 1 && >+ flags & DNS_VERIFY_MATCH && >+ flags & DNS_VERIFY_SECURE) >+ return 0; > } > } > >-- >1.7.8.6 >
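Review bot: in the second hunk the key copy made by key_from_private() is only released inside the `if (flags & DNS_VERIFY_FOUND)` block, so it leaks whenever verify_host_key_dns() returns non-zero or returns 0 without DNS_VERIFY_FOUND set in flags. Since flags are fully populated once verify_host_key_dns() returns, add a second `if (raw_key != host_key) key_free(raw_key);` after the outer `if (options.verify_host_key_dns && ...)` block closes (keeping the existing one before the early `return 0`, because warn_changed_key(raw_key) must run before the free). Moving the `options.verify_host_key_dns == 1 && DNS_VERIFY_MATCH && DNS_VERIFY_SECURE` early return below the match/mismatch branches is behaviour-preserving, as the two branches are mutually exclusive on DNS_VERIFY_MATCH, but the commit message should state the consequence: a secure, matching SSHFP for the public key embedded in a certificate now short-circuits the rest of host key verification exactly as it does for a plain key, which the removed `!key_is_cert(host_key)` guard previously prevented.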