authordjm@openbsd.org <djm@openbsd.org>2017-06-24 05:35:05 +0000
committerDamien Miller <djm@mindrot.org>2017-06-24 16:48:39 +1000
commit6f8ca3b92540fa1a9b91670edc98d15448e3d765 (patch)
tree6c275c536b84349f080d1c4e2388879bd1c4a3f9
parent8904ffce057b80a7472955f1ec00d7d5c250076c (diff)
upstream commit
use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728; ok dtucker@ Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
-rw-r--r--ssh_config.56
-rw-r--r--sshconnect.c6
-rw-r--r--sshd.824
3 files changed, 26 insertions, 10 deletions
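diff --git a/ssh_config.5 b/ssh_config.5
index 4277f9eac..1cbfe0403 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.250 2017/05/30 19:38:17 jmc Exp $
-.Dd $Mdocdate: May 30 2017 $
+.\" $OpenBSD: ssh_config.5,v 1.251 2017/06/24 05:35:05 djm Exp $
+.Dd $Mdocdate: June 24 2017 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -809,7 +809,7 @@ The list of available key types may also be obtained using
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
-in the host key database files.
+in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
 .It Cm HostName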
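diff --git a/sshconnect.c b/sshconnect.c
index d4894b9f1..4100cdc8c 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.280 2017/05/30 14:13:40 markus Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.281 2017/06/24 05:35:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -863,7 +863,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 		    host, type, want_cert ? "certificate" : "key");
 		debug("Found %s in %s:%lu", want_cert ? "CA key" : "key",
 		    host_found->file, host_found->line);
-		if (want_cert && !check_host_cert(hostname, host_key))
+		if (want_cert &&
+		    !check_host_cert(options.host_key_alias == NULL ?
+		    hostname : options.host_key_alias, host_key))
 			goto fail;
 		if (options.check_host_ip && ip_status == HOST_NEW) {
 			if (readonly || want_cert)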
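Review bot: The alias-or-hostname selection is buried inside the call argument on new lines 867-868, so the name actually being matched against the certificate principals is not visible at a glance and cannot be reused by the diagnostics on the `fail` path. Hoisting it reads better: `const char *cert_host = options.host_key_alias != NULL ? options.host_key_alias : hostname;` before the `if`, then `if (want_cert && !check_host_cert(cert_host, host_key))`. A one-line comment should also record the rationale, e.g. `/* With HostKeyAlias set, the alias is the name the user trusts; the real hostname may only be a tunnel endpoint. */`, because the consequence of this change is that a certificate whose principals list only the real hostname will now be rejected whenever an alias is configured, which ssh_config.5 in this commit documents but the code does not. If check_host_key already derives an alias-or-hostname value earlier for the known_hosts lookup, it presumably cannot be reused here as-is if it carries the port suffix; worth confirming. check_host_key starts and ends outside the hunk.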
diff --git a/sshd.8 b/sshd.8
index 05368f947..1b18e45b3 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $ 36.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $
37.Dd $Mdocdate: May 7 2017 $ 37.Dd $Mdocdate: June 24 2017 $
38.Dt SSHD 8 38.Dt SSHD 8
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns
652and 652and
653.Ql \&? 653.Ql \&?
654act as 654act as
655wildcards); each pattern in turn is matched against the canonical host 655wildcards); each pattern in turn is matched against the host name.
656name (when authenticating a client) or against the user-supplied 656When
657name (when authenticating a server). 657.Nm sshd
658is authenticating a client, such as when using
659.Cm HostbasedAuthentication ,
660this will be the canonical client host name.
661When
662.Xr ssh 1
663is authenticating a server, this will be the either the host name
664given by the user, the value of the
665.Xr ssh 1
666.Cm HostkeyAlias
667if it was specified, or the canonical server hostname if the
668.Xr ssh 1
669.Cm CanonicalizeHostname
670option was used.
671.Pp
658A pattern may also be preceded by 672A pattern may also be preceded by
659.Ql \&! 673.Ql \&!
660to indicate negation: if the host name matches a negated 674to indicate negation: if the host name matches a negated