Bugzilla – Attachment 2430 Details for
Bug 2165
ssh option to prompt for fingerprint input
StrictHostKeyChecking=require-fingerprint
0002-add-require-fingerprint-option-to-StrictHostKeyCheck.patch (text/plain), 4.54 KB, created by
Petr Lautrbach
on 2014-04-18 21:40:25 AEST
Description:
StrictHostKeyChecking=require-fingerprint
Filename:
MIME Type:
Creator:
Petr Lautrbach
Created:
2014-04-18 21:40:25 AEST
Size:
4.54 KB
patch
obsolete
>From 96c7733bd12bc1d149f3da8fca3a0c681a9871b1 Mon Sep 17 00:00:00 2001
>From: Petr Lautrbach <plautrba@redhat.com>
>Date: Fri, 18 Apr 2014 12:50:42 +0200
>Subject: [PATCH 2/2] add require-fingerprint option to StrictHostKeyChecking
> flag
>
>---
> readconf.c | 12 +++++++++++-
> ssh_config.5 | 8 +++++++-
> sshconnect.c | 64 +++++++++++++++++++++++++++++++++++++++++++++---------------
> 3 files changed, 66 insertions(+), 18 deletions(-)
>
>diff --git a/readconf.c b/readconf.c
>index c4d2b6e..3c8812b 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -689,6 +689,16 @@ static const struct multistate multistate_canonicalizehostname[] = {
> { NULL, -1 }
> };
>
>+static const struct multistate multistate_stricthostkeychecking[] = {
>+ { "true", 1 },
>+ { "false", 0 },
>+ { "yes", 1 },
>+ { "no", 0 },
>+ { "ask", 2 },
>+ { "require-fingerprint", 3 },
>+ { NULL, -1 }
>+};
>+
> /*
> * Processes a single option line as used in the configuration files. This
> * only sets those values that have not already been set.
>@@ -861,7 +871,7 @@ parse_time:
>
> case oStrictHostKeyChecking:
> intptr = &options->strict_host_key_checking;
>- multistate_ptr = multistate_yesnoask;
>+ multistate_ptr = multistate_stricthostkeychecking;
> goto parse_multistate;
>
> case oCompression:
>diff --git a/ssh_config.5 b/ssh_config.5
>index 9f8f38b..c9d0e8c 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
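Review bot: The new `multistate_stricthostkeychecking` table assigns 3 to require-fingerprint, and that value is then compared as a bare literal in sshconnect.c next to the existing 2 for ask, with nothing at the table recording the mapping. Add a comment above the table, e.g. `/* Values must match the literal strict_host_key_checking comparisons in sshconnect.c: 0 no, 1 yes, 2 ask, 3 require-fingerprint. */`, or replace the literals with named constants shared by both files. The second readconf.c hunk only switches the table pointer and needs nothing further.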
>@@ -1306,13 +1306,19 @@ new host keys
> will be added to the user known host files only after the user
> has confirmed that is what they really want to do, and
> ssh will refuse to connect to hosts whose host key has changed.
>+If this flag is set to
>+.Dq require-fingerprint ,
>+the user will be asked to type a fingerprint of server's host key and
>+if the fingerprint is correct, the new host key will be added to the
>+user known host files.
> The host keys of
> known hosts will be verified automatically in all cases.
> The argument must be
> .Dq yes ,
> .Dq no ,
>+.Dq ask ,
> or
>-.Dq ask .
>+.Dq require-fingerprint .
> The default is
> .Dq ask .
> .It Cm TCPKeepAlive
>diff --git a/sshconnect.c b/sshconnect.c
>index f10452a..a8e8ae9 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -701,6 +701,23 @@ confirm(const char *prompt)
> }
>
> static int
>+confirm_fingerprint(const char *prompt, const char *fp)
>+{
>+ char *p;
>+ int ret = 0;
>+
>+ if (options.batch_mode)
>+ return 0;
>+
>+ p = read_passphrase(prompt, RP_ECHO);
>+ if (p != NULL && strncmp(p, fp, strlen(fp)) == 0) {
>+ ret = 1;
>+ free(p);
>+ }
>+ return ret;
>+}
>+
>+static int
> check_host_cert(const char *host, const Key *host_key)
> {
> const char *reason;
>@@ -947,7 +964,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
> error("No %s host key is known for %.200s and you "
> "have requested strict checking.", type, host);
> goto fail;
>- } else if (options.strict_host_key_checking == 2) {
>+ } else if (options.strict_host_key_checking == 2 || options.strict_host_key_checking == 3) {
> char msg1[1024], msg2[1024];
>
> if (show_other_keys(host_hostkeys, host_key))
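Review bot: `confirm_fingerprint` frees `p` only on the matching branch, so every non-matching answer leaks the buffer returned by `read_passphrase()`. Free it unconditionally, e.g. `if (p != NULL) { ret = strncmp(p, fp, strlen(fp)) == 0; free(p); }`. Note also that `strncmp` bounded by `strlen(fp)` accepts any input that merely starts with the fingerprint and ignores whatever follows; if an exact match is intended, `strcmp(p, fp) == 0` says so. In the following `check_host_key` hunk the added `|| options.strict_host_key_checking == 3` keeps the value as a bare literal; `check_host_key` begins and ends outside that hunk, and other comparisons of this field in the function are not visible here, so they should be checked for whether 3 must be handled there too.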
>@@ -972,21 +989,36 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
> "No matching host key fingerprint"
> " found in DNS.\n");
> }
>- snprintf(msg, sizeof(msg),
>- "The authenticity of host '%.200s (%s)' can't be "
>- "established%s\n"
>- "%s key fingerprint is [%s]%s.%s%s\n%s"
>- "Are you sure you want to continue connecting "
>- "(yes/no)? ",
>- host, ip, msg1, type, fpt, fp,
>- options.visual_host_key ? "\n" : "",
>- options.visual_host_key ? ra : "",
>- msg2);
>- free(ra);
>- free(fpt);
>- free(fp);
>- if (!confirm(msg))
>- goto fail;
>+ if (options.strict_host_key_checking == 2) {
>+ snprintf(msg, sizeof(msg),
>+ "The authenticity of host '%.200s (%s)' can't be "
>+ "established%s\n"
>+ "%s key fingerprint is [%s]%s.%s%s\n%s"
>+ "Are you sure you want to continue connecting "
>+ "(yes/no)? ",
>+ host, ip, msg1, type, fpt, fp,
>+ options.visual_host_key ? "\n" : "",
>+ options.visual_host_key ? ra : "",
>+ msg2);
>+ free(ra);
>+ free(fpt);
>+ free(fp);
>+ if (!confirm(msg))
>+ goto fail;
>+ } else {
>+ snprintf(msg, sizeof(msg),
>+ "The authenticity of host '%.200s (%s)' can't be "
>+ "established%s\n"
>+ "Type the %s key fingerprint from remote host [%s]: ",
>+ host, ip, msg1, type, fpt);
>+ free(ra);
>+ free(fpt);
>+ if (!confirm_fingerprint(msg, fp)) {
>+ free(fp);
>+ goto fail;
>+ }
>+ free(fp);
>+ }
> }
> /*
> * If not in strict mode, add the key automatically to the
>--
>1.8.3.1
>
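Review bot: In the new `else` branch `ra` and `msg2` are computed earlier in `check_host_key` but never shown: the visual host key is freed unused and the DNS SSHFP result held in `msg2` is dropped from the prompt, which may be intentional but is not stated, so either say so in a one-line comment or append `msg2` as the `== 2` branch does. The `free(fp)` duplicated around the `goto fail` can be collapsed to `int ok = confirm_fingerprint(msg, fp); free(fp); if (!ok) goto fail;`. A mismatch also fails without any message saying that the typed fingerprint did not match or which encoding of the `%s` fingerprint type was expected; an `error()` before `goto fail`, or naming the encoding in the prompt, would let the user tell a typo from a genuinely different key. `check_host_key` begins and ends outside this hunk.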