path: root/kexdhs.c
author: Matthew Vernon <mcv21@cam.ac.uk> 2014-03-26 15:32:23 +0000
committer: Matthew Vernon <mcv21@cam.ac.uk> 2014-03-26 15:32:23 +0000
commit: 63d5fa28e16d96db6bac2dbe3fcecb65328f8966 (patch)
tree: bb4e8a04c5e5346fe0fffa4aeb5c8e9a13377c75 /kexdhs.c
parent: 9cbb60f5e4932634db04c330c88abc49cc5567bd (diff)
Attempt SSHFP lookup even if server presents a certificate
If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly).

This patch is by Damien Miller (of openssh upstream). It's simpler than the patch by Mark Wooding which I applied yesterday; a copy is taken of the proffered key/cert, the key extracted from the cert (if necessary), and then the DNS consulted.

Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert_upstr
Diffstat (limited to 'kexdhs.c')
0 files changed, 0 insertions, 0 deletions
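The commit message describes the fix in three steps: copy what the server offered, reduce a certificate to the public key it carries, and only then consult DNS for SSHFP records. The example below is added here to illustrate that flow; it is not code from OpenSSH or from the Debian patch. DNS is replaced by an in-memory list of (algorithm, fingerprint type, hex digest) tuples, and the key material is constructed filler (32 arbitrary bytes in the ed25519 slot, a certificate with empty signature), not a real key. The `strip_cert=False` path reproduces the pre-patch behaviour the message complains about: a certificate is never looked up, so the DNS check degrades to "no records" and the client falls back to asking the user.

```python
"""SSHFP check that still runs when the server offers a certificate.

Added example, not OpenSSH or Debian patch code. Key material and the
"DNS" answers below are constructed test input.
"""
import base64
import hashlib
import struct

CERT_SUFFIX = b"-cert-v01@openssh.com"

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def _put_string(b):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def plain_key_from_offered(blob):
    """Return (key type, plain public key blob) for a key or certificate.

    A certificate starts with its type and a nonce, followed by the same
    public key fields as the plain key, so they can be re-serialised.
    """
    ktype_b, off = _get_string(blob, 0)
    if not ktype_b.endswith(CERT_SUFFIX):
        return ktype_b.decode(), blob
    base = ktype_b[:-len(CERT_SUFFIX)]
    _nonce, off = _get_string(blob, off)
    if base == b"ssh-rsa":
        e, off = _get_string(blob, off)
        n, off = _get_string(blob, off)
        fields = [e, n]
    elif base == b"ssh-ed25519":
        pk, off = _get_string(blob, off)
        fields = [pk]
    elif base.startswith(b"ecdsa-sha2-"):
        curve, off = _get_string(blob, off)
        q, off = _get_string(blob, off)
        fields = [curve, q]
    else:
        raise ValueError("unsupported certificate type %r" % ktype_b)
    return base.decode(), _put_string(base) + b"".join(map(_put_string, fields))


def sshfp_rdata(plain_blob):
    """SSHFP records a zone would publish for a plain key blob: the
    fingerprint is the digest of the raw public key blob (RFC 4255)."""
    ktype_b, _ = _get_string(plain_blob, 0)
    algo = SSHFP_ALGORITHM[ktype_b.decode()]
    return [(algo, t, h(plain_blob).hexdigest())
            for t, h in sorted(SSHFP_DIGEST.items())]


def check_sshfp(offered_b64, dns_records, strip_cert=True):
    """Return "match", "mismatch" (records exist but none agree) or "none".

    strip_cert=False models the pre-patch client: certificates skip DNS.
    """
    blob = base64.b64decode(offered_b64)          # work on a copy of the offer
    if _get_string(blob, 0)[0].endswith(CERT_SUFFIX) and not strip_cert:
        return "none"
    ktype, plain = plain_key_from_offered(blob)   # extract key from cert
    computed = {(a, t, fp.lower()) for a, t, fp in sshfp_rdata(plain)}
    relevant = [(a, t, fp.lower()) for a, t, fp in dns_records
                if a == SSHFP_ALGORITHM[ktype] and t in SSHFP_DIGEST]
    if not relevant:
        return "none"
    return "match" if any(r in computed for r in relevant) else "mismatch"


def make_fake_ed25519_cert(pk):
    """Constructed ssh-ed25519 host certificate around `pk`: filler
    metadata and an empty signature, enough structure to be parsed."""
    return (_put_string(b"ssh-ed25519" + CERT_SUFFIX)
            + _put_string(b"\x00" * 32)                 # nonce
            + _put_string(pk)                            # public key
            + struct.pack(">QI", 1, 2)                   # serial, type=host
            + _put_string(b"host.example")               # key id
            + _put_string(_put_string(b"host.example"))  # valid principals
            + struct.pack(">QQ", 0, 2**64 - 1)           # valid after/before
            + _put_string(b"") * 3                       # crit opts, exts, reserved
            + _put_string(b"") + _put_string(b""))       # signature key, signature


# Constructed inputs: not real keys, just 32 bytes in the ed25519 slot.
FAKE_PK = bytes(range(32))
KEY_B64 = base64.b64encode(_put_string(b"ssh-ed25519") + _put_string(FAKE_PK)).decode()
CERT_B64 = base64.b64encode(make_fake_ed25519_cert(FAKE_PK)).decode()
OTHER_KEY_B64 = base64.b64encode(_put_string(b"ssh-ed25519") + _put_string(bytes(32))).decode()
DNS_SSHFP = sshfp_rdata(base64.b64decode(KEY_B64))  # what the zone publishes

if __name__ == "__main__":
    for label, offered in (("plain key", KEY_B64), ("certificate", CERT_B64)):
        print(label, "pre-patch:", check_sshfp(offered, DNS_SSHFP, strip_cert=False),
              "patched:", check_sshfp(offered, DNS_SSHFP))
```

Two caveats a deployment should keep in mind. The fingerprint in an SSHFP record is computed over the plain public key blob, so a zone that publishes records for the host key will match whether the server later starts presenting a certificate for that same key or not; nothing new needs to be published. And an SSHFP match is only as strong as the DNS answer: OpenSSH treats it as authoritative only with `VerifyHostKeyDNS yes` and a DNSSEC-validated response, otherwise it is informational and the user prompt still appears.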