diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-09-14 04:32:21 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-09-14 14:33:06 +1000 |
| commit | aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba (patch) | |
| tree | 931c66543aa73417ed66342ad988b7bade568149 /sshconnect.c | |
| parent | 871f1e4374420b07550041b329627c474abc3010 (diff) | |
upstream commit
Revert commitid: gJtIN6rRTS3CHy9b.
-------------
identify the case where SSHFP records are missing but other DNS RR
types are present and display a more useful error message for this
case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-------------
This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
are missing but the user already has the key in known_hosts
Spotted by dtucker@
Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 49 |
1 files changed, 6 insertions, 43 deletions
diff --git a/sshconnect.c b/sshconnect.c index 608566207..dc7a704d2 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.286 2017/09/12 06:32:07 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.287 2017/09/14 04:32:21 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -83,7 +83,6 @@ extern uid_t original_effective_uid; | |||
| 83 | 83 | ||
| 84 | static int show_other_keys(struct hostkeys *, struct sshkey *); | 84 | static int show_other_keys(struct hostkeys *, struct sshkey *); |
| 85 | static void warn_changed_key(struct sshkey *); | 85 | static void warn_changed_key(struct sshkey *); |
| 86 | static void warn_missing_key(struct sshkey *); | ||
| 87 | 86 | ||
| 88 | /* Expand a proxy command */ | 87 | /* Expand a proxy command */ |
| 89 | static char * | 88 | static char * |
| @@ -871,16 +870,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 871 | free(ra); | 870 | free(ra); |
| 872 | free(fp); | 871 | free(fp); |
| 873 | } | 872 | } |
| 874 | if (options.verify_host_key_dns && | ||
| 875 | options.strict_host_key_checking && | ||
| 876 | !matching_host_key_dns) { | ||
| 877 | snprintf(msg, sizeof(msg), | ||
| 878 | "Are you sure you want to continue connecting " | ||
| 879 | "(yes/no)? "); | ||
| 880 | if (!confirm(msg)) | ||
| 881 | goto fail; | ||
| 882 | msg[0] = '\0'; | ||
| 883 | } | ||
| 884 | hostkey_trusted = 1; | 873 | hostkey_trusted = 1; |
| 885 | break; | 874 | break; |
| 886 | case HOST_NEW: | 875 | case HOST_NEW: |
| @@ -1282,17 +1271,10 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key) | |||
| 1282 | if (flags & DNS_VERIFY_MATCH) { | 1271 | if (flags & DNS_VERIFY_MATCH) { |
| 1283 | matching_host_key_dns = 1; | 1272 | matching_host_key_dns = 1; |
| 1284 | } else { | 1273 | } else { |
| 1285 | if (flags & DNS_VERIFY_MISSING) { | 1274 | warn_changed_key(plain); |
| 1286 | warn_missing_key(plain); | 1275 | error("Update the SSHFP RR in DNS " |
| 1287 | error("Add this host key to " | 1276 | "with the new host key to get rid " |
| 1288 | "the SSHFP RR in DNS to get rid " | 1277 | "of this message."); |
| 1289 | "of this message."); | ||
| 1290 | } else { | ||
| 1291 | warn_changed_key(plain); | ||
| 1292 | error("Update the SSHFP RR in DNS " | ||
| 1293 | "with the new host key to get rid " | ||
| 1294 | "of this message."); | ||
| 1295 | } | ||
| 1296 | } | 1278 | } |
| 1297 | } | 1279 | } |
| 1298 | } | 1280 | } |
| @@ -1424,31 +1406,12 @@ warn_changed_key(struct sshkey *host_key) | |||
| 1424 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); | 1406 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); |
| 1425 | error("It is also possible that a host key has just been changed."); | 1407 | error("It is also possible that a host key has just been changed."); |
| 1426 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | 1408 | error("The fingerprint for the %s key sent by the remote host is\n%s.", |
| 1427 | sshkey_type(host_key), fp); | 1409 | key_type(host_key), fp); |
| 1428 | error("Please contact your system administrator."); | 1410 | error("Please contact your system administrator."); |
| 1429 | 1411 | ||
| 1430 | free(fp); | 1412 | free(fp); |
| 1431 | } | 1413 | } |
| 1432 | 1414 | ||
| 1433 | static void | ||
| 1434 | warn_missing_key(struct sshkey *host_key) | ||
| 1435 | { | ||
| 1436 | char *fp; | ||
| 1437 | |||
| 1438 | fp = sshkey_fingerprint(host_key, options.fingerprint_hash, | ||
| 1439 | SSH_FP_DEFAULT); | ||
| 1440 | if (fp == NULL) | ||
| 1441 | fatal("%s: sshkey_fingerprint fail", __func__); | ||
| 1442 | |||
| 1443 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | ||
| 1444 | error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @"); | ||
| 1445 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | ||
| 1446 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | ||
| 1447 | sshkey_type(host_key), fp); | ||
| 1448 | error("Please contact your system administrator."); | ||
| 1449 | |||
| 1450 | free(fp); | ||
| 1451 | } | ||
| 1452 | /* | 1415 | /* |
| 1453 | * Execute a local command | 1416 | * Execute a local command |
| 1454 | */ | 1417 | */ |