path: root/regress/key-options.sh
author: Matthew Vernon <mcv21@cam.ac.uk> 2014-03-25 11:02:33 +0000
committer: Matthew Vernon <mcv21@cam.ac.uk> 2014-03-25 11:44:10 +0000
commit: db4cdf7b763414af951c7f4031b10679c54d7988 (patch)
tree: 5c51d1b53beb8924b9db30802823267ca8e4b5f2 /regress/key-options.sh
parent: 9cbb60f5e4932634db04c330c88abc49cc5567bd (diff)
Attempt SSHFP lookup even if server presents a certificate
If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly).

This patch means that the ssh client will, if necessary, extract the server key from the proffered certificate, and attempt to verify it against the DNS.

The patch was written by Mark Wooding <mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed it, and tested it.

Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert
Diffstat (limited to 'regress/key-options.sh')
0 files changed, 0 insertions, 0 deletions
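The commit message describes the check the patched client performs: pull the plain host key out of an OpenSSH certificate and compare its fingerprint with the SSHFP records published in DNS. The following Python is an added illustration of that comparison, not code from OpenSSH or from this patch. It assumes the certificate layout documented in OpenSSH's PROTOCOL.certkeys (type string, nonce, then the public key fields), the SSHFP algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479, and a constructed Ed25519 certificate with a dummy signature; the DNS answer is a constructed list of tuples rather than a real lookup.

```python
import hashlib
import struct

# SSH wire-format "string": uint32 big-endian length, then the bytes (RFC 4251).
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

# SSHFP algorithm numbers keyed by SSH key type (RFC 4255 / 6594 / 7479).
SSHFP_ALG = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA256 = 2          # fingerprint type 2 = SHA-256
CERT_SUFFIX = "-cert-v01@openssh.com"

def is_certificate(blob: bytes) -> bool:
    ktype, _ = read_string(blob, 0)
    return ktype.decode().endswith(CERT_SUFFIX)

def cert_to_plain_key(cert_blob: bytes) -> bytes:
    """Return the wire-format public key of the host a certificate certifies.

    Only the fields up to the public key are consumed; the rest of the
    certificate (serial, principals, validity, CA key, signature) is left alone.
    """
    ctype, off = read_string(cert_blob, 0)
    ctype = ctype.decode()
    if not ctype.endswith(CERT_SUFFIX):
        raise ValueError("not an OpenSSH certificate: " + ctype)
    base = ctype[:-len(CERT_SUFFIX)]
    _nonce, off = read_string(cert_blob, off)
    if base == "ssh-ed25519":
        pk, off = read_string(cert_blob, off)
        return ssh_string(b"ssh-ed25519") + ssh_string(pk)
    if base == "ssh-rsa":
        e, off = read_string(cert_blob, off)      # mpint e
        n, off = read_string(cert_blob, off)      # mpint n
        return ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)
    if base.startswith("ecdsa-sha2-"):
        curve, off = read_string(cert_blob, off)
        q, off = read_string(cert_blob, off)
        return ssh_string(base.encode()) + ssh_string(curve) + ssh_string(q)
    raise ValueError("unsupported key type: " + base)

def sshfp_rdata(key_blob: bytes):
    """SSHFP RDATA (algorithm, fptype, hex fingerprint) for a plain key blob."""
    ktype, _ = read_string(key_blob, 0)
    return SSHFP_ALG[ktype.decode()], SSHFP_SHA256, hashlib.sha256(key_blob).hexdigest()

def host_key_matches_dns(presented_blob: bytes, dns_records) -> bool:
    """The check the patch adds: unwrap a certificate if one was presented,
    then look for a matching SSHFP record among the DNS answers."""
    blob = cert_to_plain_key(presented_blob) if is_certificate(presented_blob) else presented_blob
    alg, fptype, fp = sshfp_rdata(blob)
    return any(a == alg and t == fptype and f.lower() == fp for a, t, f in dns_records)

def make_sample_ed25519_cert(pk: bytes) -> bytes:
    """Constructed test certificate in PROTOCOL.certkeys field order; the CA key
    and signature are placeholders, so this is only useful for parsing tests."""
    return (ssh_string(b"ssh-ed25519" + CERT_SUFFIX.encode())
            + ssh_string(b"\x00" * 32)                 # nonce
            + ssh_string(pk)                           # certified public key
            + struct.pack(">Q", 1)                     # serial
            + struct.pack(">I", 2)                     # type 2 = host certificate
            + ssh_string(b"host.example")              # key id
            + ssh_string(ssh_string(b"host.example"))  # valid principals
            + struct.pack(">Q", 0) + struct.pack(">Q", 2**64 - 1)  # validity window
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"")  # critical opts, extensions, reserved
            + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32))  # placeholder CA key
            + ssh_string(b"placeholder-signature"))

if __name__ == "__main__":
    sample_pk = bytes(range(32))                               # constructed key bytes
    cert = make_sample_ed25519_cert(sample_pk)
    alg, fptype, fp = sshfp_rdata(cert_to_plain_key(cert))
    print("SSHFP record to publish:", alg, fptype, fp)
    dns = [(alg, fptype, fp)]                                  # constructed DNS answer
    print("certificate matches DNS:", host_key_matches_dns(cert, dns))
```

Without the unwrapping step, a client hashing the certificate blob itself would never match a published SSHFP record, which is exactly the gap the commit message describes: the comparison has to be made against the host key inside the certificate, and the certificate's own signature check remains a separate step.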