Bugzilla – Attachment 3349 Details for
Bug 2738
UpdateHostKeys does not check keys in secondary known_hosts files
[patch]
Update additional UserKnownHostsFiles
bz2738.diff (text/plain), 4.15 KB, created by
Damien Miller
on 2020-01-24 12:19:51 AEDT
Description:
Update additional UserKnownHostsFiles
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2020-01-24 12:19:51 AEDT
Size:
4.15 KB
patch
obsolete
>commit 0d8a52766b8e06f955a3541aa01518111f8248ad
>Author: Damien Miller <djm@mindrot.org>
>Date: Fri Jan 24 12:14:22 2020 +1100
>
> Let UpdateHostKeys handle multiple UserKnownHostsFiles
>
> Subsequent known_hosts files will be searched for keys, but updated
> keys will only be written to the first file.
>
>diff --git a/clientloop.c b/clientloop.c
>index 4599ff6..7143042 100644
>--- a/clientloop.c
>+++ b/clientloop.c
>@@ -1881,6 +1881,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
> SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE;
> char *fp, *response;
> size_t i;
>+ struct stat sb;
>
> for (i = 0; i < ctx->nkeys; i++) {
> if (ctx->keys_seen[i] != 2)
>@@ -1927,19 +1928,37 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
> if (was_raw)
> enter_raw_mode(1);
> }
>-
>+ if (options.update_hostkeys == 0)
>+ return;
> /*
> * Now that all the keys are verified, we can go ahead and replace
> * them in known_hosts (assuming SSH_UPDATE_HOSTKEYS_ASK didn't
> * cancel the operation).
> */
>- if (options.update_hostkeys != 0 &&
>- (r = hostfile_replace_entries(options.user_hostfiles[0],
>- ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
>- options.hash_known_hosts, 0,
>- options.fingerprint_hash)) != 0)
>- error("%s: hostfile_replace_entries failed: %s",
>- __func__, ssh_err(r));
>+ for (i = 0; i < options.num_user_hostfiles; i++) {
>+ /*
>+ * NB. keys are only added to hostfiles[0], for the rest we
>+ * just delete the hostname entries.
>+ */
>+ if (stat(options.user_hostfiles[i], &sb) != 0) {
>+ if (errno == ENOENT) {
>+ debug("%s: known hosts file %s does not exist",
>+ __func__, strerror(errno));
>+ } else {
>+ error("%s: known hosts file %s inaccessible",
>+ __func__, strerror(errno));
>+ }
>+ continue;
>+ }
>+ if ((r = hostfile_replace_entries(options.user_hostfiles[i],
>+ ctx->host_str, ctx->ip_str,
>+ i == 0 ? ctx->keys : NULL, i == 0 ? ctx->nkeys : 0,
>+ options.hash_known_hosts, 0,
>+ options.fingerprint_hash)) != 0) {
>+ error("%s: hostfile_replace_entries failed for %s: %s",
>+ __func__, options.user_hostfiles[i], ssh_err(r));
>+ }
>+ }
> }
>
> static void
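Review bot: Both log calls in the new stat() failure branch pass `strerror(errno)` in the `%s` slot that the format labels as the file name, so the output reads like "known hosts file No such file or directory does not exist" and never names which UserKnownHostsFile was skipped. Use `debug("%s: known hosts file %s does not exist", __func__, options.user_hostfiles[i]);` for the ENOENT case and `error("%s: known hosts file %s inaccessible: %s", __func__, options.user_hostfiles[i], strerror(errno));` for the other errors. `i` is a `size_t` (declared in the earlier hunk) while `options.num_user_hostfiles` is declared outside this diff; if it is a signed int the loop condition is a signed/unsigned comparison worth a cast. A file that disappears between the stat() and hostfile_replace_entries() still surfaces through the existing error path, so the pre-check is acceptable as a best-effort skip. update_known_hosts begins before this hunk.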
>@@ -2132,11 +2151,21 @@ client_input_hostkeys(struct ssh *ssh)
> options.check_host_ip ? &ctx->ip_str : NULL);
>
> /* Find which keys we already know about. */
>- if ((r = hostkeys_foreach(options.user_hostfiles[0], hostkeys_find,
>- ctx, ctx->host_str, ctx->ip_str,
>- HKF_WANT_PARSE_KEY|HKF_WANT_MATCH)) != 0) {
>- error("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
>- goto out;
>+ for (i = 0; i < options.num_user_hostfiles; i++) {
>+ debug("%s: searching %s for %s / %s", __func__,
>+ options.user_hostfiles[i], ctx->host_str, ctx->ip_str);
>+ if ((r = hostkeys_foreach(options.user_hostfiles[i],
>+ hostkeys_find, ctx, ctx->host_str, ctx->ip_str,
>+ HKF_WANT_PARSE_KEY|HKF_WANT_MATCH)) != 0) {
>+ if (r == SSH_ERR_SYSTEM_ERROR && errno == ENOENT) {
>+ error("%s: hostkeys file %s does not exist",
>+ __func__, options.user_hostfiles[i]);
>+ continue;
>+ }
>+ error("%s: hostkeys_foreach failed for %s: %s",
>+ __func__, options.user_hostfiles[i], ssh_err(r));
>+ goto out;
>+ }
> }
>
> /* Figure out if we have any new keys to add */
>diff --git a/hostfile.c b/hostfile.c
>index 752a2c1..35eb560 100644
>--- a/hostfile.c
>+++ b/hostfile.c
>@@ -564,6 +564,7 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip,
> /* Remove all entries for the specified host from the file */
> if ((r = hostkeys_foreach(filename, host_delete, &ctx, host, ip,
> HKF_WANT_PARSE_KEY)) != 0) {
>+ oerrno = errno;
> error("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
> goto fail;
> }
>diff --git a/ssh.c b/ssh.c
>index ca15feb..335d03d 100644
>--- a/ssh.c
>+++ b/ssh.c
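Review bot: The new debug() hands `ctx->ip_str` to a `%s` conversion, but the context line just above only requests an address when `options.check_host_ip` is set, so with CheckHostIP disabled `ctx->ip_str` is presumably still NULL and passing NULL to `%s` is undefined behaviour in C (glibc happens to print "(null)"). Guard it, e.g. `ctx->ip_str == NULL ? "(none)" : ctx->ip_str`, in the debug() arguments. The ENOENT branch also logs at error() level, while the matching branch added to update_known_hosts in the previous hunk uses debug(); a missing secondary known_hosts file is an ordinary condition rather than a fault, so `debug("%s: hostkeys file %s does not exist", __func__, options.user_hostfiles[i]);` keeps the two paths consistent and avoids per-connection noise. The `errno == ENOENT` test after hostkeys_foreach() relies on the callee returning with errno intact from its failed open, which is worth confirming in hostfile.c. `i` is declared outside this hunk, and client_input_hostkeys begins and ends outside it.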
>@@ -1227,7 +1227,7 @@ main(int ac, char **av)
> strcmp(options.proxy_command, "-") == 0 &&
> options.proxy_use_fdpass)
> fatal("ProxyCommand=- and ProxyUseFDPass are incompatible");
>- if (options.control_persist &&
>+ if (options.control_persist && options.control_path != NULL &&
> options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) {
> debug("UpdateHostKeys=ask is incompatible with ControlPersist; "
> "disabling");
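Review bot: The added `options.control_path != NULL` condition is not explained, and the debug message still says only that ControlPersist is incompatible, so a reader cannot tell why ControlPersist without a ControlPath now keeps UpdateHostKeys=ask enabled. A short comment above the check, such as `/* ControlPersist has no effect without a ControlPath, so only then must UpdateHostKeys=ask be disabled */`, would record the intent; that reasoning is inferred from the condition itself and is worth confirming against the multiplexing setup code. main() begins and ends outside this hunk.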