diff options
author | Matthew Vernon <mcv21@cam.ac.uk> | 2014-03-25 11:02:33 +0000 |
---|---|---|
committer | Matthew Vernon <mcv21@cam.ac.uk> | 2014-03-25 11:44:10 +0000 |
commit | db4cdf7b763414af951c7f4031b10679c54d7988 (patch) | |
tree | 5c51d1b53beb8924b9db30802823267ca8e4b5f2 /dispatch.h | |
parent | 9cbb60f5e4932634db04c330c88abc49cc5567bd (diff) |
Attempt SSHFP lookup even if server presents a certificate
If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).
This patch means that the ssh client will, if necessary, extract the
server key from the proffered certificate, and attempt to verify it
against the DNS. The patch was written by Mark Wooding
<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
it, and tested it.
Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert
Diffstat (limited to 'dispatch.h')
0 files changed, 0 insertions, 0 deletions