author | Damien Miller <djm@mindrot.org> | 2014-04-20 13:23:43 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-04-20 13:23:43 +1000 |
commit | 7d6a9fb660c808882d064e152d6070ffc3844c3f (patch) | |
tree | b3ba326eb0853c005d9c9d4c91b1c0f8dac8855e | |
parent | fcd62c0b66b8415405ed0af29c236329eb88cc0f (diff) |
- djm@cvs.openbsd.org 2014/04/01 03:34:10
[sshconnect.c]
When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
certificate keys to plain keys and attempt SSHFP resolution.
Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
dialog by offering only certificate keys.
Reported by mcv21 AT cam.ac.uk
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | sshconnect.c | 44 |
2 files changed, 36 insertions, 17 deletions
@@ -73,6 +73,15 @@ | |||
73 | [ssh-keysign.c] | 73 | [ssh-keysign.c] |
74 | include fingerprint of key not found | 74 | include fingerprint of key not found |
75 | use arc4random_buf() instead of loop+arc4random() | 75 | use arc4random_buf() instead of loop+arc4random() |
76 | - djm@cvs.openbsd.org 2014/04/01 03:34:10 | ||
77 | [sshconnect.c] | ||
78 | When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any | ||
79 | certificate keys to plain keys and attempt SSHFP resolution. | ||
80 | |||
81 | Prevents a server from skipping SSHFP lookup and forcing a new-hostkey | ||
82 | dialog by offering only certificate keys. | ||
83 | |||
84 | Reported by mcv21 AT cam.ac.uk | ||
76 | 85 | ||
77 | 20140401 | 86 | 20140401 |
78 | - (djm) On platforms that support it, use prctl() to prevent sftp-server | 87 | - (djm) On platforms that support it, use prctl() to prevent sftp-server |
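--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.247 2014/04/01 03:34:10 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1219,29 +1219,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 int flags = 0;
 char *fp;
+Key *plain = NULL;
 
 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 debug("Server host key: %s %s", key_type(host_key), fp);
 free(fp);
 
-/* XXX certs are not yet supported for DNS */
-if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-if (flags & DNS_VERIFY_FOUND) {
-
-if (options.verify_host_key_dns == 1 &&
-flags & DNS_VERIFY_MATCH &&
-flags & DNS_VERIFY_SECURE)
-return 0;
-
-if (flags & DNS_VERIFY_MATCH) {
-matching_host_key_dns = 1;
-} else {
-warn_changed_key(host_key);
-error("Update the SSHFP RR in DNS with the new "
-"host key to get rid of this message.");
+if (options.verify_host_key_dns) {
+/*
+* XXX certs are not yet supported for DNS, so downgrade
+* them and try the plain key.
+*/
+plain = key_from_private(host_key);
+if (key_is_cert(plain))
+key_drop_cert(plain);
+if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+if (flags & DNS_VERIFY_FOUND) {
+if (options.verify_host_key_dns == 1 &&
+flags & DNS_VERIFY_MATCH &&
+flags & DNS_VERIFY_SECURE) {
+key_free(plain);
+return 0;
+}
+if (flags & DNS_VERIFY_MATCH) {
+matching_host_key_dns = 1;
+} else {
+warn_changed_key(plain);
+error("Update the SSHFP RR in DNS "
+"with the new host key to get rid "
+"of this message.");
+}
 }
 }
+key_free(plain);
 }
 
 return check_host_key(host, hostaddr, options.port, host_key, RDRW,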
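Review bot: The early `return 0` after the secure SSHFP match (new line 1242) now applies to certificate host keys as well, so a cert offered by the server is accepted on the strength of its embedded plain key alone and `check_host_key()` on line 1257, presumably where the CA signature and the known_hosts CA entry would be consulted, is never reached for it; that is no weaker than accepting a plain key, but the comment above `plain = key_from_private(host_key);` should state it, e.g. `/* A secure SSHFP match on the inner key is sufficient on its own; the cert wrapper is not consulted and check_host_key() is skipped. */`. `plain` is passed to `key_is_cert()` without a null check; if `key_from_private()` can return NULL rather than fatal()ing on an unsupported type (not visible here), that check belongs before it. The body of verify_host_key() starts before this hunk and continues after it.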