Bugzilla – Attachment 2753 Details for
Bug 2501
VerifyHostKeyDNS & StrictHostKeyChecking
Two patches for the above.
missing-sshfp.patches (text/plain), 4.07 KB, created by
Thordur Bjornsson
on 2015-11-19 19:11:31 AEDT
Description:
Two patches for the above.
Filename:
MIME Type:
Creator:
Thordur Bjornsson
Created:
2015-11-19 19:11:31 AEDT
Size:
4.07 KB
patch
obsolete
>From d5009dae4dfcc0bdf34149a62e6fc01153bb0366 Mon Sep 17 00:00:00 2001
>From: Thordur Bjornsson <thorduri@secnorth.net>
>Date: Wed, 18 Nov 2015 23:18:10 +0100
>Subject: [PATCH 1/2] distinguish between missing and invalid SSHFP records.
>
>---
> dns.c | 8 +++++---
> dns.h | 1 +
> sshconnect.c | 35 +++++++++++++++++++++++++++++++----
> 3 files changed, 37 insertions(+), 7 deletions(-)
>
>diff --git a/dns.c b/dns.c
>index e813afe..38b6ff2 100644
>--- a/dns.c
>+++ b/dns.c
>@@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
> free(dnskey_digest);
> }
>
>- free(hostkey_digest); /* from sshkey_fingerprint_raw() */
>- freerrset(fingerprints);
>-
> if (*flags & DNS_VERIFY_FOUND)
> if (*flags & DNS_VERIFY_MATCH)
> debug("matching host key fingerprint found in DNS");
>+ else if (counter == fingerprints->rri_nrdatas)
>+ *flags |= DNS_VERIFY_MISSING;
> else
> debug("mismatching host key fingerprint found in DNS");
> else
> debug("no host key fingerprint found in DNS");
>
>+ free(hostkey_digest); /* from sshkey_fingerprint_raw() */
>+ freerrset(fingerprints);
>+
> return 0;
> }
>
>diff --git a/dns.h b/dns.h
>index 30e2b19..7b13b84 100644
>--- a/dns.h
>+++ b/dns.h
>@@ -49,6 +49,7 @@ enum sshfp_hashes {
> #define DNS_VERIFY_FOUND 0x00000001
> #define DNS_VERIFY_MATCH 0x00000002
> #define DNS_VERIFY_SECURE 0x00000004
>+#define DNS_VERIFY_MISSING 0x00000008
>
> int verify_host_key_dns(const char *, struct sockaddr *,
> struct sshkey *, int *);
>diff --git a/sshconnect.c b/sshconnect.c
>index 19d393f..7339264 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -83,6 +83,7 @@ extern uid_t original_effective_uid;
>
> static int show_other_keys(struct hostkeys *, Key *);
> static void warn_changed_key(Key *);
>+static void warn_missing_key(Key *);
>
> /* Expand a proxy command */
> static char *
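Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` test only distinguishes a loop that ran to completion from one that exited early, and the loop it refers to lies above this hunk; unless that loop `break`s somewhere, counter always equals rri_nrdatas at this point, so every FOUND-but-not-MATCH result is reported as DNS_VERIFY_MISSING and the `"mismatching host key fingerprint found in DNS"` branch becomes unreachable. That matters because the MISSING outcome gets the softer "missing" banner in sshconnect.c, so a genuine digest mismatch for a published key type — the case that can indicate a changed or substituted key — would be downgraded to the benign message. The distinction the patch wants is whether any SSHFP record of the presented key's algorithm was seen, which the loop body would have to record in a local such as `int seen_same_algorithm = 0;`, set where a record's algorithm equals the host key's, with the post-loop test becoming `else if (!seen_same_algorithm) *flags |= DNS_VERIFY_MISSING;`. Moving the two free() calls below the flag check is required now that fingerprints is read after the loop, so that part of the hunk is correct.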
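Review bot: DNS_VERIFY_MISSING is added without any statement of how it relates to the other three flags; from the dns.c change it is only ever set when DNS_VERIFY_FOUND is set and DNS_VERIFY_MATCH is not, and a caller needs to know that to test it correctly. A one-line comment on the new define would do: `#define DNS_VERIFY_MISSING 0x00000008 /* RRs found, none for this key: implies FOUND && !MATCH */`.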
>@@ -1299,10 +1300,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
> if (flags & DNS_VERIFY_MATCH) {
> matching_host_key_dns = 1;
> } else {
>- warn_changed_key(plain);
>- error("Update the SSHFP RR in DNS "
>- "with the new host key to get rid "
>- "of this message.");
>+ if (flags & DNS_VERIFY_MISSING) {
>+ warn_missing_key(plain);
>+ error("Add this host key to "
>+ "the SSHFP RR in DNS to get rid "
>+ "of this message.");
>+ } else {
>+ warn_changed_key(plain);
>+ error("Update the SSHFP RR in DNS "
>+ "with the new host key to get rid "
>+ "of this message.");
>+ }
> }
> }
> }
>@@ -1449,6 +1457,25 @@ warn_changed_key(Key *host_key)
> free(fp);
> }
>
>+static void
>+warn_missing_key(Key *host_key)
>+{
>+ char *fp;
>+
>+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
>+ SSH_FP_DEFAULT);
>+ if (fp == NULL)
>+ fatal("%s: sshkey_fingerprint fail", __func__);
>+
>+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
>+ error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
>+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
>+ error("The fingerprint for the %s key sent by the remote host is\n%s.",
>+ key_type(host_key), fp);
>+ error("Please contact your system administrator.");
>+
>+ free(fp);
>+}
> /*
> * Execute a local command
> */
>--
>2.6.3
>
>From 8d87c5589d7abdb2227872e5ba6c545a173c8cec Mon Sep 17 00:00:00 2001
>From: Thordur Bjornsson <thorduri@secnorth.net>
>Date: Wed, 18 Nov 2015 23:25:58 +0100
>Subject: [PATCH 2/2] Ask for confirmation before connecting if SSHFP record is
> missing.
>
>---
> sshconnect.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
>diff --git a/sshconnect.c b/sshconnect.c
>index 7339264..2b3681d 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
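Review bot: The new branch nests a second `if`/`else` inside the existing `else` block, which reads as an `else if` chain: `} else if (flags & DNS_VERIFY_MISSING) {` followed by the warn_missing_key() call and its error(), then `} else {` with the existing warn_changed_key() path, removes one indentation level and a pair of braces. Separately, the advice `"Add this host key to the SSHFP RR in DNS"` is issued before the key has been compared with known_hosts (that check presumably still follows in check_host_key(), outside this hunk), so it tells the user to publish whatever key the peer just presented; wording that describes the state, such as `"No SSHFP RR in DNS covers this host key; it will be checked against known_hosts."`, avoids prescribing an action on an unverified key. The enclosing verify_host_key() starts and ends outside the hunk.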
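Review bot: warn_missing_key() repeats the fingerprint/banner/free skeleton whose tail is visible at the top of the hunk in warn_changed_key() (`free(fp); }`), differing only in the headline and the omitted middle sentences; a shared static helper taking the headline string, called from both functions, would keep the two banners from drifting apart. The headline `REMOTE HOST IDENTIFICATION IS MISSING` also overstates the situation — the host did identify itself, what is missing is an SSHFP record for the presented key — so something like `"@ WARNING: NO SSHFP RECORD IN DNS MATCHES THIS HOST KEY @"` (padded to the banner width) is more accurate and less alarming. Lastly the function's closing `}` is immediately followed by the `/* * Execute a local command */` comment with no blank line between them, unlike the blank line that precedes the new `static void` above it.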
>@@ -931,6 +931,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
> free(ra);
> free(fp);
> }
>+ if (options.verify_host_key_dns &&
>+ options.strict_host_key_checking &&
>+ !matching_host_key_dns) {
>+ snprintf(msg, sizeof(msg),
>+ "Are you sure you want to continue connecting "
>+ "(yes/no)? ");
>+ if (!confirm(msg))
>+ goto fail;
>+ msg[0] = '\0';
>+ }
> hostkey_trusted = 1;
> break;
> case HOST_NEW:
>--
>2.6.3
>
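Review bot: `!matching_host_key_dns` is also true when DNS returned no SSHFP records at all or the lookup failed, so this prompt fires for every known, matching host key whenever VerifyHostKeyDNS and StrictHostKeyChecking are both set — not only for the "records exist but none match" case the commit message describes — and, if confirm() keeps its usual refusal under BatchMode, such non-interactive connections will now fail outright. The flags from verify_host_key_dns() are available in verify_host_key() (the previous patch, outside this hunk), so recording DNS_VERIFY_MISSING in a file-scope variable next to matching_host_key_dns and testing that here would narrow the check to the intended case. The prompt also gives no reason: in the no-record case nothing is printed before it, so the user sees a bare `"Are you sure you want to continue connecting (yes/no)? "`, and prefixing the cause, e.g. `"No SSHFP record in DNS matches the host key for '%.200s'.\n"` with hostname, would help them decide. It is also worth confirming whether strict_host_key_checking set to "yes" (as opposed to "ask") is meant to prompt at all, since that setting presumably refuses without asking elsewhere in this function. The enclosing check_host_key() starts and ends outside the hunk.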