From 729b05f59ded35483acef90a6f88aa03eae33b29 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Sun, 20 Dec 2020 23:38:00 +0000
Subject: [PATCH] upstream: allow UserKnownHostsFile=none; feedback and ok markus@

OpenBSD-Commit-ID: c46d515eac94a35a1d50d5fd71c4b1ca53334b48
---
 ssh.c | 42 ++++++++++++++++++++++++++++++------------
 sshconnect.c | 6 +++++-
 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/ssh.c b/ssh.c
index 7cece4efc..5d14ba442 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.544 2020/12/17 23:26:11 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.545 2020/12/20 23:38:00 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1441,18 +1441,36 @@ main(int ac, char **av)
 options.forward_agent_sock_path = cp;
 }
 
+ if (options.num_system_hostfiles > 0 &&
+ strcasecmp(options.system_hostfiles[0], "none") == 0) {
+ if (options.num_system_hostfiles > 1)
+ fatal("Invalid GlobalKnownHostsFiles: \"none\" "
+ "appears with other entries");
+ free(options.system_hostfiles[0]);
+ options.system_hostfiles[0] = NULL;
+ options.num_system_hostfiles = 0;
+ }
+
+ if (options.num_user_hostfiles > 0 &&
+ strcasecmp(options.user_hostfiles[0], "none") == 0) {
+ if (options.num_user_hostfiles > 1)
+ fatal("Invalid UserKnownHostsFiles: \"none\" "
+ "appears with other entries");
+ free(options.user_hostfiles[0]);
+ options.user_hostfiles[0] = NULL;
+ options.num_user_hostfiles = 0;
+ }
 for (j = 0; j < options.num_user_hostfiles; j++) {
- if (options.user_hostfiles[j] != NULL) {
- cp = tilde_expand_filename(options.user_hostfiles[j],
- getuid());
- p = default_client_percent_dollar_expand(cp, cinfo);
- if (strcmp(options.user_hostfiles[j], p) != 0)
- debug3("expanded UserKnownHostsFile '%s' -> "
- "'%s'", options.user_hostfiles[j], p);
- free(options.user_hostfiles[j]);
- free(cp);
- options.user_hostfiles[j] = p;
- }
+ if (options.user_hostfiles[j] == NULL)
+ continue;
+ cp = tilde_expand_filename(options.user_hostfiles[j], getuid());
+ p = default_client_percent_dollar_expand(cp, cinfo);
+ if (strcmp(options.user_hostfiles[j], p) != 0)
+ debug3("expanded UserKnownHostsFile '%s' -> "
+ "'%s'", options.user_hostfiles[j], p);
+ free(options.user_hostfiles[j]);
+ free(cp);
+ options.user_hostfiles[j] = p;
 }
 
 for (i = 0; i < options.num_local_forwards; i++) {
diff --git a/sshconnect.c b/sshconnect.c
index 592114166..c17e44ae2 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.346 2020/12/20 23:36:51 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.347 2020/12/20 23:38:00 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
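Review bot: Both added `"none"` checks look only at element 0 of their list, so a configuration such as `UserKnownHostsFile ~/.ssh/known_hosts none` (or the GlobalKnownHostsFile equivalent) slips past the new fatal() and would leave `none` to be tilde/percent-expanded by the loop that follows into a relative path named `none` resolved against the working directory. Scanning every entry closes that gap, and because the two blocks differ only in the list and the keyword, one small static helper placed before main() can replace both, as sketched below. The fatal() messages also name `GlobalKnownHostsFiles` and `UserKnownHostsFiles`, which are not ssh_config keywords; the sketch uses the real names `GlobalKnownHostsFile` and `UserKnownHostsFile` so a user can find the offending directive. The helper additionally skips NULL slots before calling strcasecmp(), which the added code would dereference if a slot were ever unset while the count is non-zero. main() begins before and continues after this hunk.
```c
/*
 * Collapse a known_hosts list consisting solely of "none" to an empty
 * list; "none" mixed with real paths is a configuration error.
 * keyword is the ssh_config name reported in the error message.
 */
static void
hostfiles_none(char **files, u_int *num, const char *keyword)
{
	u_int i;

	for (i = 0; i < *num; i++) {
		if (files[i] == NULL || strcasecmp(files[i], "none") != 0)
			continue;
		if (*num > 1)
			fatal("Invalid %s: \"none\" appears with other "
			    "entries", keyword);
		free(files[i]);
		files[i] = NULL;
		*num = 0;	/* ends the loop: no further entries to scan */
	}
}

/* … in main(), in place of the two added blocks … */
	hostfiles_none(options.system_hostfiles,
	    &options.num_system_hostfiles, "GlobalKnownHostsFile");
	hostfiles_none(options.user_hostfiles,
	    &options.num_user_hostfiles, "UserKnownHostsFile");
	/* … unchanged: UserKnownHostsFile expansion loop … */
```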
@@ -949,6 +949,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 host_status = check_key_in_hostkeys(host_hostkeys, host_key,
 &host_found);
 
+ /* If no host files were specified, then don't try to touch them */
+ if (!readonly && num_user_hostfiles == 0)
+ readonly = RDONLY;
+
 /*
 * Also perform check for the ip address, skip the check if we are
 * localhost, looking for a certificate, or the hostname was an ip
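Review bot: The new comment says "no host files were specified", but the condition beneath it examines only `num_user_hostfiles`; the system list plays no part here, so `/* No user known_hosts file (UserKnownHostsFile=none): never write one, only warn or fail */` states the check precisely. Promoting the `readonly` parameter to `RDONLY` also changes every later `readonly` test in check_host_key (outside this hunk), presumably including the handling of a previously unknown host, so it is worth confirming that UserKnownHostsFile=none together with StrictHostKeyChecking=no still connects to a new host instead of failing verification, and recording the intended outcome in the comment. check_host_key begins before and continues after this hunk.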