diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-09-01 05:53:56 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-09-04 09:38:57 +1000 |
| commit | b828605d51f57851316d7ba402b4ae06cf37c55d (patch) | |
| tree | cec2c9c32c860e87c7a643aea1abd6c587dcd5de | |
| parent | 8042bad97e2789a50e8f742c3bcd665ebf0add32 (diff) | |
upstream commit
identify the case where SSHFP records are missing but
other DNS RR types are present and display a more useful error message for
this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
| -rw-r--r-- | dns.c | 14 | ||||
| -rw-r--r-- | dns.h | 3 | ||||
| -rw-r--r-- | sshconnect.c | 49 |
3 files changed, 53 insertions, 13 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */ | 1 | /* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. | 4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. |
| @@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
| 294 | free(dnskey_digest); | 294 | free(dnskey_digest); |
| 295 | } | 295 | } |
| 296 | 296 | ||
| 297 | free(hostkey_digest); /* from sshkey_fingerprint_raw() */ | 297 | if (*flags & DNS_VERIFY_FOUND) { |
| 298 | freerrset(fingerprints); | ||
| 299 | |||
| 300 | if (*flags & DNS_VERIFY_FOUND) | ||
| 301 | if (*flags & DNS_VERIFY_MATCH) | 298 | if (*flags & DNS_VERIFY_MATCH) |
| 302 | debug("matching host key fingerprint found in DNS"); | 299 | debug("matching host key fingerprint found in DNS"); |
| 300 | else if (counter == fingerprints->rri_nrdatas) | ||
| 301 | *flags |= DNS_VERIFY_MISSING; | ||
| 303 | else | 302 | else |
| 304 | debug("mismatching host key fingerprint found in DNS"); | 303 | debug("mismatching host key fingerprint found in DNS"); |
| 305 | else | 304 | } else |
| 306 | debug("no host key fingerprint found in DNS"); | 305 | debug("no host key fingerprint found in DNS"); |
| 307 | 306 | ||
| 307 | free(hostkey_digest); /* from sshkey_fingerprint_raw() */ | ||
| 308 | freerrset(fingerprints); | ||
| 309 | |||
| 308 | return 0; | 310 | return 0; |
| 309 | } | 311 | } |
| 310 | 312 | ||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */ | 1 | /* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. | 4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. |
| @@ -49,6 +49,7 @@ enum sshfp_hashes { | |||
| 49 | #define DNS_VERIFY_FOUND 0x00000001 | 49 | #define DNS_VERIFY_FOUND 0x00000001 |
| 50 | #define DNS_VERIFY_MATCH 0x00000002 | 50 | #define DNS_VERIFY_MATCH 0x00000002 |
| 51 | #define DNS_VERIFY_SECURE 0x00000004 | 51 | #define DNS_VERIFY_SECURE 0x00000004 |
| 52 | #define DNS_VERIFY_MISSING 0x00000008 | ||
| 52 | 53 | ||
| 53 | int verify_host_key_dns(const char *, struct sockaddr *, | 54 | int verify_host_key_dns(const char *, struct sockaddr *, |
| 54 | struct sshkey *, int *); | 55 | struct sshkey *, int *); |
diff --git a/sshconnect.c b/sshconnect.c index aaae5fc9f..4013ec7db 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.283 2017/07/01 13:50:45 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -83,6 +83,7 @@ extern uid_t original_effective_uid; | |||
| 83 | 83 | ||
| 84 | static int show_other_keys(struct hostkeys *, struct sshkey *); | 84 | static int show_other_keys(struct hostkeys *, struct sshkey *); |
| 85 | static void warn_changed_key(struct sshkey *); | 85 | static void warn_changed_key(struct sshkey *); |
| 86 | static void warn_missing_key(struct sshkey *); | ||
| 86 | 87 | ||
| 87 | /* Expand a proxy command */ | 88 | /* Expand a proxy command */ |
| 88 | static char * | 89 | static char * |
| @@ -864,6 +865,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 864 | free(ra); | 865 | free(ra); |
| 865 | free(fp); | 866 | free(fp); |
| 866 | } | 867 | } |
| 868 | if (options.verify_host_key_dns && | ||
| 869 | options.strict_host_key_checking && | ||
| 870 | !matching_host_key_dns) { | ||
| 871 | snprintf(msg, sizeof(msg), | ||
| 872 | "Are you sure you want to continue connecting " | ||
| 873 | "(yes/no)? "); | ||
| 874 | if (!confirm(msg)) | ||
| 875 | goto fail; | ||
| 876 | msg[0] = '\0'; | ||
| 877 | } | ||
| 867 | hostkey_trusted = 1; | 878 | hostkey_trusted = 1; |
| 868 | break; | 879 | break; |
| 869 | case HOST_NEW: | 880 | case HOST_NEW: |
| @@ -1259,10 +1270,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key) | |||
| 1259 | if (flags & DNS_VERIFY_MATCH) { | 1270 | if (flags & DNS_VERIFY_MATCH) { |
| 1260 | matching_host_key_dns = 1; | 1271 | matching_host_key_dns = 1; |
| 1261 | } else { | 1272 | } else { |
| 1262 | warn_changed_key(plain); | 1273 | if (flags & DNS_VERIFY_MISSING) { |
| 1263 | error("Update the SSHFP RR in DNS " | 1274 | warn_missing_key(plain); |
| 1264 | "with the new host key to get rid " | 1275 | error("Add this host key to " |
| 1265 | "of this message."); | 1276 | "the SSHFP RR in DNS to get rid " |
| 1277 | "of this message."); | ||
| 1278 | } else { | ||
| 1279 | warn_changed_key(plain); | ||
| 1280 | error("Update the SSHFP RR in DNS " | ||
| 1281 | "with the new host key to get rid " | ||
| 1282 | "of this message."); | ||
| 1283 | } | ||
| 1266 | } | 1284 | } |
| 1267 | } | 1285 | } |
| 1268 | } | 1286 | } |
| @@ -1394,12 +1412,31 @@ warn_changed_key(struct sshkey *host_key) | |||
| 1394 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); | 1412 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); |
| 1395 | error("It is also possible that a host key has just been changed."); | 1413 | error("It is also possible that a host key has just been changed."); |
| 1396 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | 1414 | error("The fingerprint for the %s key sent by the remote host is\n%s.", |
| 1397 | key_type(host_key), fp); | 1415 | sshkey_type(host_key), fp); |
| 1398 | error("Please contact your system administrator."); | 1416 | error("Please contact your system administrator."); |
| 1399 | 1417 | ||
| 1400 | free(fp); | 1418 | free(fp); |
| 1401 | } | 1419 | } |
| 1402 | 1420 | ||
| 1421 | static void | ||
| 1422 | warn_missing_key(struct sshkey *host_key) | ||
| 1423 | { | ||
| 1424 | char *fp; | ||
| 1425 | |||
| 1426 | fp = sshkey_fingerprint(host_key, options.fingerprint_hash, | ||
| 1427 | SSH_FP_DEFAULT); | ||
| 1428 | if (fp == NULL) | ||
| 1429 | fatal("%s: sshkey_fingerprint fail", __func__); | ||
| 1430 | |||
| 1431 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | ||
| 1432 | error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @"); | ||
| 1433 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | ||
| 1434 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | ||
| 1435 | sshkey_type(host_key), fp); | ||
| 1436 | error("Please contact your system administrator."); | ||
| 1437 | |||
| 1438 | free(fp); | ||
| 1439 | } | ||
| 1403 | /* | 1440 | /* |
| 1404 | * Execute a local command | 1441 | * Execute a local command |
| 1405 | */ | 1442 | */ |