tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

identify the case where SSHFP records are missing but
other DNS RR types are present and display a more useful error message for
this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@

Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
This commit is contained in:
djm@openbsd.org 2017-09-01 05:53:56 +00:00 committed by Damien Miller
parent 8042bad97e
commit b828605d51
3 changed files with 53 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
dns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */ /* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
/* /*
* Copyright (c) 2003 Wesley Griffin. All rights reserved. * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
free(dnskey_digest); free(dnskey_digest);
} }
free(hostkey_digest); /* from sshkey_fingerprint_raw() */ if (*flags & DNS_VERIFY_FOUND) {
freerrset(fingerprints);
if (*flags & DNS_VERIFY_FOUND)
if (*flags & DNS_VERIFY_MATCH) if (*flags & DNS_VERIFY_MATCH)
debug("matching host key fingerprint found in DNS"); debug("matching host key fingerprint found in DNS");
else if (counter == fingerprints->rri_nrdatas)
*flags |= DNS_VERIFY_MISSING;
else else
debug("mismatching host key fingerprint found in DNS"); debug("mismatching host key fingerprint found in DNS");
else } else
debug("no host key fingerprint found in DNS"); debug("no host key fingerprint found in DNS");
free(hostkey_digest); /* from sshkey_fingerprint_raw() */
freerrset(fingerprints);
return 0; return 0;
} }

3
dns.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */ /* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
/* /*
* Copyright (c) 2003 Wesley Griffin. All rights reserved. * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -49,6 +49,7 @@ enum sshfp_hashes {
#define DNS_VERIFY_FOUND 0x00000001 #define DNS_VERIFY_FOUND 0x00000001
#define DNS_VERIFY_MATCH 0x00000002 #define DNS_VERIFY_MATCH 0x00000002
#define DNS_VERIFY_SECURE 0x00000004 #define DNS_VERIFY_SECURE 0x00000004
#define DNS_VERIFY_MISSING 0x00000008
int verify_host_key_dns(const char *, struct sockaddr *, int verify_host_key_dns(const char *, struct sockaddr *,
struct sshkey *, int *); struct sshkey *, int *);

41
sshconnect.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.283 2017/07/01 13:50:45 djm Exp $ */ /* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -83,6 +83,7 @@ extern uid_t original_effective_uid;
static int show_other_keys(struct hostkeys *, struct sshkey *); static int show_other_keys(struct hostkeys *, struct sshkey *);
static void warn_changed_key(struct sshkey *); static void warn_changed_key(struct sshkey *);
static void warn_missing_key(struct sshkey *);
/* Expand a proxy command */ /* Expand a proxy command */
static char * static char *
@ -864,6 +865,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
free(ra); free(ra);
free(fp); free(fp);
} }
if (options.verify_host_key_dns &&
options.strict_host_key_checking &&
!matching_host_key_dns) {
snprintf(msg, sizeof(msg),
"Are you sure you want to continue connecting "
"(yes/no)? ");
if (!confirm(msg))
goto fail;
msg[0] = '\0';
}
hostkey_trusted = 1; hostkey_trusted = 1;
break; break;
case HOST_NEW: case HOST_NEW:
@ -1258,6 +1269,12 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
} }
if (flags & DNS_VERIFY_MATCH) { if (flags & DNS_VERIFY_MATCH) {
matching_host_key_dns = 1; matching_host_key_dns = 1;
} else {
if (flags & DNS_VERIFY_MISSING) {
warn_missing_key(plain);
error("Add this host key to "
"the SSHFP RR in DNS to get rid "
"of this message.");
} else { } else {
warn_changed_key(plain); warn_changed_key(plain);
error("Update the SSHFP RR in DNS " error("Update the SSHFP RR in DNS "
@ -1267,6 +1284,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
} }
} }
} }
}
r = check_host_key(host, hostaddr, options.port, host_key, RDRW, r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
options.user_hostfiles, options.num_user_hostfiles, options.user_hostfiles, options.num_user_hostfiles,
options.system_hostfiles, options.num_system_hostfiles); options.system_hostfiles, options.num_system_hostfiles);
@ -1394,12 +1412,31 @@ warn_changed_key(struct sshkey *host_key)
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed."); error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.", error("The fingerprint for the %s key sent by the remote host is\n%s.",
key_type(host_key), fp); sshkey_type(host_key), fp);
error("Please contact your system administrator."); error("Please contact your system administrator.");
free(fp); free(fp);
} }
static void
warn_missing_key(struct sshkey *host_key)
{
char *fp;
fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
SSH_FP_DEFAULT);
if (fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
sshkey_type(host_key), fp);
error("Please contact your system administrator.");
free(fp);
}
/* /*
* Execute a local command * Execute a local command
*/ */