Bugzilla – Attachment 3046 Details for
Bug 2501
VerifyHostKeyDNS & StrictHostKeyChecking
[patch]
updated to current
bz2501.diff (text/plain), 3.70 KB, created by
Damien Miller
on 2017-09-01 13:52:47 AEST
Description:
updated to current
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-09-01 13:52:47 AEST
Size:
3.70 KB
patch
obsolete
>diff --git a/dns.c b/dns.c
>index 301d65c..b631ebd 100644
>--- a/dns.c
>+++ b/dns.c
>@@ -291,17 +291,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
> free(dnskey_digest);
> }
>
>- free(hostkey_digest); /* from sshkey_fingerprint_raw() */
>- freerrset(fingerprints);
>-
>- if (*flags & DNS_VERIFY_FOUND)
>+ if (*flags & DNS_VERIFY_FOUND) {
> if (*flags & DNS_VERIFY_MATCH)
> debug("matching host key fingerprint found in DNS");
>+ else if (counter == fingerprints->rri_nrdatas)
>+ *flags |= DNS_VERIFY_MISSING;
> else
> debug("mismatching host key fingerprint found in DNS");
>- else
>+ } else
> debug("no host key fingerprint found in DNS");
>
>+ free(hostkey_digest); /* from sshkey_fingerprint_raw() */
>+ freerrset(fingerprints);
>+
> return 0;
> }
>
>diff --git a/dns.h b/dns.h
>index 30e2b19..7b13b84 100644
>--- a/dns.h
>+++ b/dns.h
>@@ -49,6 +49,7 @@ enum sshfp_hashes {
> #define DNS_VERIFY_FOUND 0x00000001
> #define DNS_VERIFY_MATCH 0x00000002
> #define DNS_VERIFY_SECURE 0x00000004
>+#define DNS_VERIFY_MISSING 0x00000008
>
> int verify_host_key_dns(const char *, struct sockaddr *,
> struct sshkey *, int *);
>diff --git a/sshconnect.c b/sshconnect.c
>index 51ab7c6..497d17e 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -71,6 +71,7 @@ extern uid_t original_effective_uid;
>
> static int show_other_keys(struct hostkeys *, struct sshkey *);
> static void warn_changed_key(struct sshkey *);
>+static void warn_missing_key(struct sshkey *);
>
> /* Expand a proxy command */
> static char *
>@@ -836,6 +837,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
> free(ra);
> free(fp);
> }
>+ if (options.verify_host_key_dns &&
>+ options.strict_host_key_checking &&
>+ !matching_host_key_dns) {
>+ snprintf(msg, sizeof(msg),
>+ "Are you sure you want to continue connecting "
>+ "(yes/no)? ");
>+ if (!confirm(msg))
>+ goto fail;
>+ msg[0] = '\0';
>+ }
> hostkey_trusted = 1;
> break;
> case HOST_NEW:
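Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` branch in verify_host_key_dns is evaluated after the rdata loop has finished, and if that loop (which starts outside this hunk) has no early `break`, `counter` equals `rri_nrdatas` on every path, so the `mismatching host key fingerprint found in DNS` branch becomes unreachable and any found-but-non-matching SSHFP set is reported as DNS_VERIFY_MISSING. Please confirm the loop's exit conditions; if the goal is to separate "records of this key's algorithm and digest type exist but differ" from "no record covers this key type", the loop needs to remember whether a comparable record was seen and DNS_VERIFY_MISSING should be derived from that rather than from the loop index. Since this flag decides which warning the user sees, a short comment on the new line would help, e.g. `/* SSHFP records exist, but none covers this key type */`.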
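Review bot: The new prompt in check_host_key fires whenever `options.strict_host_key_checking` is non-zero and `!matching_host_key_dns`, but `matching_host_key_dns` is only set on DNS_VERIFY_MATCH (see the verify_host_key hunk), so a host with no SSHFP records at all is handled like a DNS mismatch and every known_hosts-verified host without DNS records will now be interrogated when both options are on; please confirm that is intended, and if not, gate the prompt on a flag recording that SSHFP data was actually found. The condition also treats every non-zero StrictHostKeyChecking value alike, so the "yes" setting gets an interactive prompt, which may not be what users of that setting expect; if the option distinguishes yes from ask, compare against the ask value explicitly. The message passed to confirm() gives no reason for the question, and a user who cannot see why they are being asked is more likely to answer yes reflexively; something like `"Host key for %s is in known_hosts but could not be verified via DNS (SSHFP).\nAre you sure you want to continue connecting (yes/no)? "` with `hostname` as the argument states the situation. The enclosing switch and the `fail:` label are outside this hunk.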
>@@ -1231,10 +1242,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
> if (flags & DNS_VERIFY_MATCH) {
> matching_host_key_dns = 1;
> } else {
>- warn_changed_key(plain);
>- error("Update the SSHFP RR in DNS "
>- "with the new host key to get rid "
>- "of this message.");
>+ if (flags & DNS_VERIFY_MISSING) {
>+ warn_missing_key(plain);
>+ error("Add this host key to "
>+ "the SSHFP RR in DNS to get rid "
>+ "of this message.");
>+ } else {
>+ warn_changed_key(plain);
>+ error("Update the SSHFP RR in DNS "
>+ "with the new host key to get rid "
>+ "of this message.");
>+ }
> }
> }
> }
>@@ -1366,12 +1384,31 @@ warn_changed_key(struct sshkey *host_key)
> error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
> error("It is also possible that a host key has just been changed.");
> error("The fingerprint for the %s key sent by the remote host is\n%s.",
>- key_type(host_key), fp);
>+ sshkey_type(host_key), fp);
> error("Please contact your system administrator.");
>
> free(fp);
> }
>
>+static void
>+warn_missing_key(struct sshkey *host_key)
>+{
>+ char *fp;
>+
>+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
>+ SSH_FP_DEFAULT);
>+ if (fp == NULL)
>+ fatal("%s: sshkey_fingerprint fail", __func__);
>+
>+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
>+ error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
>+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
>+ error("The fingerprint for the %s key sent by the remote host is\n%s.",
>+ sshkey_type(host_key), fp);
>+ error("Please contact your system administrator.");
>+
>+ free(fp);
>+}
> /*
> * Execute a local command
> */
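Review bot: The added `} else { if (flags & DNS_VERIFY_MISSING) { ... } else { ... } }` nesting in verify_host_key can be flattened to `} else if (flags & DNS_VERIFY_MISSING) {` followed by the original `} else {` for the changed-key case, which removes one indentation level and the extra closing brace. The two `error()` texts are otherwise parallel, which is good; the MISSING text could name the key type via `sshkey_type(plain)` so the administrator knows which SSHFP record to add. The enclosing if/else chain starts before this hunk.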
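Review bot: warn_missing_key duplicates warn_changed_key almost line for line apart from the banner and the two eavesdropping sentences, so a single static helper taking the banner text (fingerprint lookup, the `fatal()` on NULL, the `@` framing, the fingerprint line and the `free(fp)`) would keep the two in step; the refactor is described rather than quoted because it rewrites both functions. The banner `REMOTE HOST IDENTIFICATION IS MISSING` is misleading for this path, since per the dns.c hunk DNS_VERIFY_MISSING is only set when SSHFP records were found for the host and none covers this key, and a user who reads it as a compromise warning that turns out to be a DNS housekeeping issue will trust the real banner less; something like `@ WARNING: NO SSHFP RECORD IN DNS FOR THIS HOST KEY @` (re-padded to the frame width) says what happened. The new function's closing `}` is immediately followed by the `/*` of the next comment block; keep the blank line the original had there.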
Flags:
dtucker
:
ok+