tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-31 01:35:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream commit

Browse Source 
Revert commitid: gJtIN6rRTS3CHy9b.

-------------
identify the case where SSHFP records are missing but other DNS RR
types are present and display a more useful error message for this
case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-------------

This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
are missing but the user already has the key in known_hosts

Spotted by dtucker@

Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
This commit is contained in:
djm@openbsd.org 2017-09-14 04:32:21 +00:00 committed by Damien Miller
parent 871f1e4374
commit aea59a0d9f
3 changed files with 16 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
dns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */ /* $OpenBSD: dns.c,v 1.37 2017/09/14 04:32:21 djm Exp $ */
/* /*
* Copyright (c) 2003 Wesley Griffin. All rights reserved. * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -294,19 +294,17 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
free(dnskey_digest); free(dnskey_digest);
} }
if (*flags & DNS_VERIFY_FOUND) {
if (*flags & DNS_VERIFY_MATCH)
debug("matching host key fingerprint found in DNS");
else if (counter == fingerprints->rri_nrdatas)
*flags |= DNS_VERIFY_MISSING;
else
debug("mismatching host key fingerprint found in DNS");
} else
debug("no host key fingerprint found in DNS");
free(hostkey_digest); /* from sshkey_fingerprint_raw() */ free(hostkey_digest); /* from sshkey_fingerprint_raw() */
freerrset(fingerprints); freerrset(fingerprints);
if (*flags & DNS_VERIFY_FOUND)
if (*flags & DNS_VERIFY_MATCH)
debug("matching host key fingerprint found in DNS");
else
debug("mismatching host key fingerprint found in DNS");
else
debug("no host key fingerprint found in DNS");
return 0; return 0;
} }

3
dns.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */ /* $OpenBSD: dns.h,v 1.17 2017/09/14 04:32:21 djm Exp $ */
/* /*
* Copyright (c) 2003 Wesley Griffin. All rights reserved. * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -49,7 +49,6 @@ enum sshfp_hashes {
#define DNS_VERIFY_FOUND 0x00000001 #define DNS_VERIFY_FOUND 0x00000001
#define DNS_VERIFY_MATCH 0x00000002 #define DNS_VERIFY_MATCH 0x00000002
#define DNS_VERIFY_SECURE 0x00000004 #define DNS_VERIFY_SECURE 0x00000004
#define DNS_VERIFY_MISSING 0x00000008
int verify_host_key_dns(const char *, struct sockaddr *, int verify_host_key_dns(const char *, struct sockaddr *,
struct sshkey *, int *); struct sshkey *, int *);

49
sshconnect.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.286 2017/09/12 06:32:07 djm Exp $ */ /* $OpenBSD: sshconnect.c,v 1.287 2017/09/14 04:32:21 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -83,7 +83,6 @@ extern uid_t original_effective_uid;
static int show_other_keys(struct hostkeys *, struct sshkey *); static int show_other_keys(struct hostkeys *, struct sshkey *);
static void warn_changed_key(struct sshkey *); static void warn_changed_key(struct sshkey *);
static void warn_missing_key(struct sshkey *);
/* Expand a proxy command */ /* Expand a proxy command */
static char * static char *
@ -871,16 +870,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
free(ra); free(ra);
free(fp); free(fp);
} }
if (options.verify_host_key_dns &&
options.strict_host_key_checking &&
!matching_host_key_dns) {
snprintf(msg, sizeof(msg),
"Are you sure you want to continue connecting "
"(yes/no)? ");
if (!confirm(msg))
goto fail;
msg[0] = '\0';
}
hostkey_trusted = 1; hostkey_trusted = 1;
break; break;
case HOST_NEW: case HOST_NEW:
@ -1282,17 +1271,10 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
if (flags & DNS_VERIFY_MATCH) { if (flags & DNS_VERIFY_MATCH) {
matching_host_key_dns = 1; matching_host_key_dns = 1;
} else { } else {
if (flags & DNS_VERIFY_MISSING) { warn_changed_key(plain);
warn_missing_key(plain); error("Update the SSHFP RR in DNS "
error("Add this host key to " "with the new host key to get rid "
"the SSHFP RR in DNS to get rid " "of this message.");
"of this message.");
} else {
warn_changed_key(plain);
error("Update the SSHFP RR in DNS "
"with the new host key to get rid "
"of this message.");
}
} }
} }
} }
@ -1424,31 +1406,12 @@ warn_changed_key(struct sshkey *host_key)
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed."); error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.", error("The fingerprint for the %s key sent by the remote host is\n%s.",
sshkey_type(host_key), fp); key_type(host_key), fp);
error("Please contact your system administrator."); error("Please contact your system administrator.");
free(fp); free(fp);
} }
static void
warn_missing_key(struct sshkey *host_key)
{
char *fp;
fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
SSH_FP_DEFAULT);
if (fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
sshkey_type(host_key), fp);
error("Please contact your system administrator.");
free(fp);
}
/* /*
* Execute a local command * Execute a local command
*/ */