diff options
author | Matthew Vernon <mcv21@cam.ac.uk> | 2014-03-26 15:32:23 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-04-14 12:11:00 +0100 |
commit | 08a63152deb5deda168aaef870bdb9f56425acb3 (patch) | |
tree | a4863747b299069b17b1a4875d07f8b7a5f050c4 /openbsd-compat/bsd-poll.c | |
parent | df5c8d109fb3d9ec16a487107a44300ed3006849 (diff) |
Attempt SSHFP lookup even if server presents a certificate
If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).
This patch is by Damien Miller (of openssh upstream). It's simpler
than the patch by Mark Wooding which I applied yesterday; a copy is
taken of the proffered key/cert, the key extracted from the cert (if
necessary), and then the DNS consulted.
Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert_upstr
Diffstat (limited to 'openbsd-compat/bsd-poll.c')
0 files changed, 0 insertions, 0 deletions