tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2014/04/01 03:34:10 

[sshconnect.c]
     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
     certificate keys to plain keys and attempt SSHFP resolution.

     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
     dialog by offering only certificate keys.

     Reported by mcv21 AT cam.ac.uk
This commit is contained in:
Damien Miller 2014-04-20 13:23:43 +10:00
parent fcd62c0b66
commit 7d6a9fb660
2 changed files with 36 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -73,6 +73,15 @@
[ssh-keysign.c] [ssh-keysign.c]
include fingerprint of key not found include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random() use arc4random_buf() instead of loop+arc4random()
- djm@cvs.openbsd.org 2014/04/01 03:34:10
[sshconnect.c]
When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
certificate keys to plain keys and attempt SSHFP resolution.
Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
dialog by offering only certificate keys.
Reported by mcv21 AT cam.ac.uk
20140401 20140401
- (djm) On platforms that support it, use prctl() to prevent sftp-server - (djm) On platforms that support it, use prctl() to prevent sftp-server

44
sshconnect.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */ /* $OpenBSD: sshconnect.c,v 1.247 2014/04/01 03:34:10 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1219,29 +1219,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{ {
int flags = 0; int flags = 0;
char *fp; char *fp;
Key *plain = NULL;
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
debug("Server host key: %s %s", key_type(host_key), fp); debug("Server host key: %s %s", key_type(host_key), fp);
free(fp); free(fp);
/* XXX certs are not yet supported for DNS */ if (options.verify_host_key_dns) {
if (!key_is_cert(host_key) && options.verify_host_key_dns && /*
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { * XXX certs are not yet supported for DNS, so downgrade
if (flags & DNS_VERIFY_FOUND) { * them and try the plain key.
*/
if (options.verify_host_key_dns == 1 && plain = key_from_private(host_key);
flags & DNS_VERIFY_MATCH && if (key_is_cert(plain))
flags & DNS_VERIFY_SECURE) key_drop_cert(plain);
return 0; if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
if (flags & DNS_VERIFY_FOUND) {
if (flags & DNS_VERIFY_MATCH) { if (options.verify_host_key_dns == 1 &&
matching_host_key_dns = 1; flags & DNS_VERIFY_MATCH &&
} else { flags & DNS_VERIFY_SECURE) {
warn_changed_key(host_key); key_free(plain);
error("Update the SSHFP RR in DNS with the new " return 0;
"host key to get rid of this message."); }
if (flags & DNS_VERIFY_MATCH) {
matching_host_key_dns = 1;
} else {
warn_changed_key(plain);
error("Update the SSHFP RR in DNS "
"with the new host key to get rid "
"of this message.");
}
} }
} }
key_free(plain);
} }
return check_host_key(host, hostaddr, options.port, host_key, RDRW, return check_host_key(host, hostaddr, options.port, host_key, RDRW,