author | djm@openbsd.org <djm@openbsd.org> | 2017-06-24 05:35:05 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-06-24 16:48:39 +1000 |
commit | 6f8ca3b92540fa1a9b91670edc98d15448e3d765 (patch) | |
tree | 6c275c536b84349f080d1c4e2388879bd1c4a3f9 | |
parent | 8904ffce057b80a7472955f1ec00d7d5c250076c (diff) |
upstream commit
use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728; ok dtucker@
Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
-rw-r--r-- | ssh_config.5 | 6 | ||||
-rw-r--r-- | sshconnect.c | 6 | ||||
-rw-r--r-- | sshd.8 | 24 |
3 files changed, 26 insertions, 10 deletions
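--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.250 2017/05/30 19:38:17 jmc Exp $
-.Dd $Mdocdate: May 30 2017 $
+.\" $OpenBSD: ssh_config.5,v 1.251 2017/06/24 05:35:05 djm Exp $
+.Dd $Mdocdate: June 24 2017 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -809,7 +809,7 @@ The list of available key types may also be obtained using
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
-in the host key database files.
+in the host key database files and when validating host certificates.
 This option is useful for tunneling SSH connections
 or for multiple servers running on a single host.
 .It Cm HostName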
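--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.280 2017/05/30 14:13:40 markus Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.281 2017/06/24 05:35:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -863,7 +863,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 host, type, want_cert ? "certificate" : "key");
 debug("Found %s in %s:%lu", want_cert ? "CA key" : "key",
 host_found->file, host_found->line);
-if (want_cert && !check_host_cert(hostname, host_key))
+if (want_cert &&
+!check_host_cert(options.host_key_alias == NULL ?
+hostname : options.host_key_alias, host_key))
 goto fail;
 if (options.check_host_ip && ip_status == HOST_NEW) {
 if (readonly || want_cert)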
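Review bot: The alias-or-hostname selection is buried inside the condition at new lines 866-868, which turns a one-line `if` into a three-line ternary and hides the trust decision the commit message describes (bz#2728). I would hoist it into a named local before the check, `const char *cert_host = options.host_key_alias != NULL ? options.host_key_alias : hostname;` followed by `if (want_cert && !check_host_cert(cert_host, host_key))`, with a comment such as `/* A user-configured HostKeyAlias names the principal the host certificate must carry; otherwise the connection hostname does. */`. HostKeyAlias comes from the user's own ssh_config, so it is trusted input, but check_host_key (which begins and ends outside this hunk) appears to derive the known_hosts lookup name from the same alias earlier on; reusing that value rather than re-evaluating the choice here would keep the two lookups from ever disagreeing, worth confirming. It is also worth checking that the mismatch message emitted by check_host_cert names the alias rather than the raw hostname, so a certificate principal failure is diagnosable from the client log.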
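--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $
-.Dd $Mdocdate: May 7 2017 $
+.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $
+.Dd $Mdocdate: June 24 2017 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns
 and
 .Ql \&?
 act as
-wildcards); each pattern in turn is matched against the canonical host
-name (when authenticating a client) or against the user-supplied
-name (when authenticating a server).
+wildcards); each pattern in turn is matched against the host name.
+When
+.Nm sshd
+is authenticating a client, such as when using
+.Cm HostbasedAuthentication ,
+this will be the canonical client host name.
+When
+.Xr ssh 1
+is authenticating a server, this will be the either the host name
+given by the user, the value of the
+.Xr ssh 1
+.Cm HostkeyAlias
+if it was specified, or the canonical server hostname if the
+.Xr ssh 1
+.Cm CanonicalizeHostname
+option was used.
+.Pp
 A pattern may also be preceded by
 .Ql \&!
 to indicate negation: if the host name matches a negated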