author | djm@openbsd.org <djm@openbsd.org> | 2017-09-14 04:32:21 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2017-09-14 14:33:06 +1000 |
commit | aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba (patch) | |
tree | 931c66543aa73417ed66342ad988b7bade568149 /sshconnect.c | |
parent | 871f1e4374420b07550041b329627c474abc3010 (diff) |
upstream commit
Revert commitid: gJtIN6rRTS3CHy9b.
-------------
identify the case where SSHFP records are missing but other DNS RR
types are present and display a more useful error message for this
case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-------------
This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
are missing but the user already has the key in known_hosts.
Spotted by dtucker@
Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 49 |
1 files changed, 6 insertions, 43 deletions
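--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.286 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.287 2017/09/14 04:32:21 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -83,7 +83,6 @@ extern uid_t original_effective_uid;
 
 static int show_other_keys(struct hostkeys *, struct sshkey *);
 static void warn_changed_key(struct sshkey *);
-static void warn_missing_key(struct sshkey *);
 
 /* Expand a proxy command */
 static char *
@@ -871,16 +870,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 free(ra);
 free(fp);
 }
-if (options.verify_host_key_dns &&
-options.strict_host_key_checking &&
-!matching_host_key_dns) {
-snprintf(msg, sizeof(msg),
-"Are you sure you want to continue connecting "
-"(yes/no)? ");
-if (!confirm(msg))
-goto fail;
-msg[0] = '\0';
-}
 hostkey_trusted = 1;
 break;
 case HOST_NEW:
@@ -1282,17 +1271,10 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 if (flags & DNS_VERIFY_MATCH) {
 matching_host_key_dns = 1;
 } else {
-if (flags & DNS_VERIFY_MISSING) {
-warn_missing_key(plain);
-error("Add this host key to "
-"the SSHFP RR in DNS to get rid "
-"of this message.");
-} else {
-warn_changed_key(plain);
-error("Update the SSHFP RR in DNS "
-"with the new host key to get rid "
-"of this message.");
-}
+warn_changed_key(plain);
+error("Update the SSHFP RR in DNS "
+"with the new host key to get rid "
+"of this message.");
 }
 }
 }
@@ -1424,31 +1406,12 @@ warn_changed_key(struct sshkey *host_key)
 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 error("It is also possible that a host key has just been changed.");
 error("The fingerprint for the %s key sent by the remote host is\n%s.",
-sshkey_type(host_key), fp);
+key_type(host_key), fp);
 error("Please contact your system administrator.");
 
 free(fp);
 }
 
-static void
-warn_missing_key(struct sshkey *host_key)
-{
-char *fp;
-
-fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
-SSH_FP_DEFAULT);
-if (fp == NULL)
-fatal("%s: sshkey_fingerprint fail", __func__);
-
-error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
-error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-error("The fingerprint for the %s key sent by the remote host is\n%s.",
-sshkey_type(host_key), fp);
-error("Please contact your system administrator.");
-
-free(fp);
-}
 /*
  * Execute a local command
  */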
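Review bot: The restored `else` branch in verify_host_key (new lines 1274-1277) reports every SSHFP lookup that did not yield DNS_VERIFY_MATCH with warn_changed_key's "REMOTE HOST IDENTIFICATION HAS CHANGED" banner, which is only accurate if this branch is reached solely when SSHFP records were actually found; the guard that would establish that sits above the hunk, so the bz#2501 case (other RR types present, no SSHFP) presumably falls back to no message rather than a misleading MITM warning, which is worth confirming against the enclosing `if`. Since the restored HOST_OK path in check_host_key now sets `hostkey_trusted = 1` without consulting `matching_host_key_dns`, a comment on the `else` would keep the next reader from reintroducing the prompt this commit removes: `/* SSHFP RR(s) were returned but none matches the presented key; warn only, a known_hosts match in check_host_key() still decides trust */`. Both verify_host_key and check_host_key begin and end outside their hunks.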