upstream: disable UpdateHostKeys=ask if command is specified; ok

djm@ sthen@

OpenBSD-Commit-ID: e5bcc45eadb78896637d4143d289f1e42c2ef5d7

1 files changed, 13 insertions, 6 deletions

diff --git a/ssh.c b/ssh.c
index 4998ebc16..380e1e667 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.515 2020/01/25 00:21:08 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.516 2020/01/27 20:51:32 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1248,11 +1248,18 @@ main(int ac, char **av)
             strcmp(options.proxy_command, "-") == 0 &&
             options.proxy_use_fdpass)
                 fatal("ProxyCommand=- and ProxyUseFDPass are incompatible");
-        if (options.control_persist && options.control_path != NULL &&
-            options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) {
-                debug("UpdateHostKeys=ask is incompatible with ControlPersist; "
-                    "disabling");
-                options.update_hostkeys = 0;
+        if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) {
+                if (options.control_persist && options.control_path != NULL) {
+                        debug("UpdateHostKeys=ask is incompatible with "
+                            "ControlPersist; disabling");
+                        options.update_hostkeys = 0;
+                } else if (sshbuf_len(command) != 0 ||
+                    options.remote_command != NULL ||
+                    options.request_tty == REQUEST_TTY_NO) {
+                        debug("UpdateHostKeys=ask is incompatible with "
+                            "remote command execution; disabling");
+                        options.update_hostkeys = 0;
+                }
         }
         if (options.connection_attempts <= 0)
                 fatal("Invalid number of ConnectionAttempts");