path: root/sshd_config.5
author: Matthew Vernon <mcv21@cam.ac.uk> 2014-03-26 15:32:23 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-04-14 12:11:00 +0100
commit: 08a63152deb5deda168aaef870bdb9f56425acb3
tree: a4863747b299069b17b1a4875d07f8b7a5f050c4 /sshd_config.5
parent: df5c8d109fb3d9ec16a487107a44300ed3006849
Attempt SSHFP lookup even if server presents a certificate
If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly).

This patch is by Damien Miller (of openssh upstream). It's simpler than the patch by Mark Wooding which I applied yesterday; a copy is taken of the proffered key/cert, the key extracted from the cert (if necessary), and then the DNS consulted.

Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert_upstr
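An added example, not code from OpenSSH or from this commit, of the step the message describes: unwrapping an OpenSSH certificate to the bare host key before computing SSHFP fingerprints, so a server that presents a certificate is still checked against DNS rather than silently skipping the lookup. The certificate field order follows OpenSSH's PROTOCOL.certkeys and the SSHFP algorithm and fingerprint-type numbers follow RFCs 4255, 6594 and 7479; the ed25519 key bytes, the certificate and the DNS records are constructed for the example and are not real.

```python
"""Derive SSHFP rdata from an OpenSSH host key or host certificate and
compare it with records fetched from DNS. Added example; the key
material below is constructed, not a real host key."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by bare key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_HASHES = ((1, hashlib.sha1), (2, hashlib.sha256))
CERT_SUFFIX = "-cert-v01@openssh.com"


def _read_string(blob: bytes, off: int):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n


def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def bare_key_blob(blob: bytes) -> bytes:
    """Return the plain public-key blob: unchanged for a plain key, or the
    public-key fields of an OpenSSH certificate re-encoded as the plain key
    type, which is what the host actually published in DNS."""
    ktype, off = _read_string(blob, 0)
    name = ktype.decode("ascii")
    if not name.endswith(CERT_SUFFIX):
        return blob
    base = name[: -len(CERT_SUFFIX)]
    _nonce, off = _read_string(blob, off)  # certificate nonce precedes the key
    if base == "ssh-rsa":
        count = 2            # e, n
    elif base == "ssh-dss":
        count = 4            # p, q, g, y
    elif base.startswith("ecdsa-sha2-"):
        count = 2            # curve name, point
    elif base == "ssh-ed25519":
        count = 1            # raw 32-byte public key
    else:
        raise ValueError(f"unsupported certificate type {name}")
    parts = []
    for _ in range(count):
        v, off = _read_string(blob, off)
        parts.append(v)
    return _put_string(base.encode()) + b"".join(_put_string(p) for p in parts)


def sshfp_rdata(pubkey_line: str) -> list:
    """SSHFP rdata strings ('alg fptype hex') for a known_hosts-style
    'type base64' line, computed over the bare key even for certificates."""
    fields = pubkey_line.split()
    key = bare_key_blob(base64.b64decode(fields[1]))
    name, _ = _read_string(key, 0)
    alg = SSHFP_ALGORITHM[name.decode("ascii")]
    return [f"{alg} {fptype} {h(key).hexdigest()}" for fptype, h in FP_HASHES]


def matches_sshfp(pubkey_line: str, dns_rdata: list) -> bool:
    """True if any DNS SSHFP rdata equals a fingerprint of the offered key.
    An empty answer is a failure to verify, not a pass."""
    wanted = {r.lower().split() for r in []}  # placeholder to keep types clear
    computed = {tuple(r.lower().split()) for r in sshfp_rdata(pubkey_line)}
    return any(tuple(r.lower().split()) in computed for r in dns_rdata)


def constructed_ed25519_sample():
    """A plain key line and a host certificate line wrapping the same key.
    The 32 key bytes are a hash of a label, not a real key; signature empty."""
    pk = hashlib.sha256(b"constructed ed25519 public key").digest()
    plain = _put_string(b"ssh-ed25519") + _put_string(pk)
    cert = (_put_string(b"ssh-ed25519-cert-v01@openssh.com")
            + _put_string(b"\x00" * 32) + _put_string(pk)       # nonce, key
            + struct.pack(">QI", 1, 2)                          # serial, host cert
            + _put_string(b"host.example")                      # key id
            + _put_string(_put_string(b"host.example"))         # principals
            + struct.pack(">QQ", 0, 2 ** 64 - 1)                # validity
            + _put_string(b"") * 3                              # options, ext, reserved
            + _put_string(plain) + _put_string(b""))            # CA key, signature
    return ("ssh-ed25519 " + base64.b64encode(plain).decode(),
            "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(cert).decode())


if __name__ == "__main__":
    plain_line, cert_line = constructed_ed25519_sample()
    for r in sshfp_rdata(cert_line):
        print("host.example. IN SSHFP", r)
    print("cert verifies against plain-key records:",
          matches_sshfp(cert_line, sshfp_rdata(plain_line)))
```

The check must hash the bare key, never the certificate blob: a fingerprint of the certificate itself would match nothing in DNS and would reproduce the failure mode the commit fixes. On a real host, `ssh-keygen -r hostname` prints the same SSHFP records from the host key files, and a client with `VerifyHostKeyDNS yes` is the consumer of them.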
Diffstat (limited to 'sshd_config.5')
0 files changed, 0 insertions, 0 deletions