-rw-r--r-- | dns.c | 14 | ||||
-rw-r--r-- | dns.h | 3 | ||||
-rw-r--r-- | sshconnect.c | 49 |
3 files changed, 13 insertions, 53 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */ | 1 | /* $OpenBSD: dns.c,v 1.37 2017/09/14 04:32:21 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. | 4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. |
@@ -294,19 +294,17 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
294 | free(dnskey_digest); | 294 | free(dnskey_digest); |
295 | } | 295 | } |
296 | 296 | ||
297 | if (*flags & DNS_VERIFY_FOUND) { | 297 | free(hostkey_digest); /* from sshkey_fingerprint_raw() */ |
298 | freerrset(fingerprints); | ||
299 | |||
300 | if (*flags & DNS_VERIFY_FOUND) | ||
298 | if (*flags & DNS_VERIFY_MATCH) | 301 | if (*flags & DNS_VERIFY_MATCH) |
299 | debug("matching host key fingerprint found in DNS"); | 302 | debug("matching host key fingerprint found in DNS"); |
300 | else if (counter == fingerprints->rri_nrdatas) | ||
301 | *flags |= DNS_VERIFY_MISSING; | ||
302 | else | 303 | else |
303 | debug("mismatching host key fingerprint found in DNS"); | 304 | debug("mismatching host key fingerprint found in DNS"); |
304 | } else | 305 | else |
305 | debug("no host key fingerprint found in DNS"); | 306 | debug("no host key fingerprint found in DNS"); |
306 | 307 | ||
307 | free(hostkey_digest); /* from sshkey_fingerprint_raw() */ | ||
308 | freerrset(fingerprints); | ||
309 | |||
310 | return 0; | 308 | return 0; |
311 | } | 309 | } |
312 | 310 | ||
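Review bot: The reporting block at new lines 300–306 nests an unbraced `if`/`else` inside another unbraced `if`/`else`, so which `else` pairs with which `if` rests on the dangling-else rule rather than on the indentation; bracing the outer conditional makes it explicit: `if (*flags & DNS_VERIFY_FOUND) {` … `} else`. Moving `free(hostkey_digest)` and `freerrset(fingerprints)` ahead of that block is safe as far as the hunk shows, since only `*flags` is read afterwards, but a short comment would save the next reader the check, e.g. `/* done with the digest and RRset; only *flags is consulted below */`. With DNS_VERIFY_MISSING gone, a FOUND-but-no-MATCH result is now reported uniformly as a mismatch, so callers can no longer tell apart whatever the removed `counter == fingerprints->rri_nrdatas` case represented; verify_host_key_dns() starts outside the hunk, so it is not visible here whether that count is still computed for any other purpose.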
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */ | 1 | /* $OpenBSD: dns.h,v 1.17 2017/09/14 04:32:21 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. | 4 | * Copyright (c) 2003 Wesley Griffin. All rights reserved. |
@@ -49,7 +49,6 @@ enum sshfp_hashes { | |||
49 | #define DNS_VERIFY_FOUND 0x00000001 | 49 | #define DNS_VERIFY_FOUND 0x00000001 |
50 | #define DNS_VERIFY_MATCH 0x00000002 | 50 | #define DNS_VERIFY_MATCH 0x00000002 |
51 | #define DNS_VERIFY_SECURE 0x00000004 | 51 | #define DNS_VERIFY_SECURE 0x00000004 |
52 | #define DNS_VERIFY_MISSING 0x00000008 | ||
53 | 52 | ||
54 | int verify_host_key_dns(const char *, struct sockaddr *, | 53 | int verify_host_key_dns(const char *, struct sockaddr *, |
55 | struct sshkey *, int *); | 54 | struct sshkey *, int *); |
diff --git a/sshconnect.c b/sshconnect.c index 608566207..dc7a704d2 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect.c,v 1.286 2017/09/12 06:32:07 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.287 2017/09/14 04:32:21 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -83,7 +83,6 @@ extern uid_t original_effective_uid; | |||
83 | 83 | ||
84 | static int show_other_keys(struct hostkeys *, struct sshkey *); | 84 | static int show_other_keys(struct hostkeys *, struct sshkey *); |
85 | static void warn_changed_key(struct sshkey *); | 85 | static void warn_changed_key(struct sshkey *); |
86 | static void warn_missing_key(struct sshkey *); | ||
87 | 86 | ||
88 | /* Expand a proxy command */ | 87 | /* Expand a proxy command */ |
89 | static char * | 88 | static char * |
@@ -871,16 +870,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
871 | free(ra); | 870 | free(ra); |
872 | free(fp); | 871 | free(fp); |
873 | } | 872 | } |
874 | if (options.verify_host_key_dns && | ||
875 | options.strict_host_key_checking && | ||
876 | !matching_host_key_dns) { | ||
877 | snprintf(msg, sizeof(msg), | ||
878 | "Are you sure you want to continue connecting " | ||
879 | "(yes/no)? "); | ||
880 | if (!confirm(msg)) | ||
881 | goto fail; | ||
882 | msg[0] = '\0'; | ||
883 | } | ||
884 | hostkey_trusted = 1; | 873 | hostkey_trusted = 1; |
885 | break; | 874 | break; |
886 | case HOST_NEW: | 875 | case HOST_NEW: |
@@ -1282,17 +1271,10 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key) | |||
1282 | if (flags & DNS_VERIFY_MATCH) { | 1271 | if (flags & DNS_VERIFY_MATCH) { |
1283 | matching_host_key_dns = 1; | 1272 | matching_host_key_dns = 1; |
1284 | } else { | 1273 | } else { |
1285 | if (flags & DNS_VERIFY_MISSING) { | 1274 | warn_changed_key(plain); |
1286 | warn_missing_key(plain); | 1275 | error("Update the SSHFP RR in DNS " |
1287 | error("Add this host key to " | 1276 | "with the new host key to get rid " |
1288 | "the SSHFP RR in DNS to get rid " | 1277 | "of this message."); |
1289 | "of this message."); | ||
1290 | } else { | ||
1291 | warn_changed_key(plain); | ||
1292 | error("Update the SSHFP RR in DNS " | ||
1293 | "with the new host key to get rid " | ||
1294 | "of this message."); | ||
1295 | } | ||
1296 | } | 1278 | } |
1297 | } | 1279 | } |
1298 | } | 1280 | } |
@@ -1424,31 +1406,12 @@ warn_changed_key(struct sshkey *host_key) | |||
1424 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); | 1406 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); |
1425 | error("It is also possible that a host key has just been changed."); | 1407 | error("It is also possible that a host key has just been changed."); |
1426 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | 1408 | error("The fingerprint for the %s key sent by the remote host is\n%s.", |
1427 | sshkey_type(host_key), fp); | 1409 | key_type(host_key), fp); |
1428 | error("Please contact your system administrator."); | 1410 | error("Please contact your system administrator."); |
1429 | 1411 | ||
1430 | free(fp); | 1412 | free(fp); |
1431 | } | 1413 | } |
1432 | 1414 | ||
1433 | static void | ||
1434 | warn_missing_key(struct sshkey *host_key) | ||
1435 | { | ||
1436 | char *fp; | ||
1437 | |||
1438 | fp = sshkey_fingerprint(host_key, options.fingerprint_hash, | ||
1439 | SSH_FP_DEFAULT); | ||
1440 | if (fp == NULL) | ||
1441 | fatal("%s: sshkey_fingerprint fail", __func__); | ||
1442 | |||
1443 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | ||
1444 | error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @"); | ||
1445 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | ||
1446 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | ||
1447 | sshkey_type(host_key), fp); | ||
1448 | error("Please contact your system administrator."); | ||
1449 | |||
1450 | free(fp); | ||
1451 | } | ||
1452 | /* | 1415 | /* |
1453 | * Execute a local command | 1416 | * Execute a local command |
1454 | */ | 1417 | */ |
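Review bot: In check_host_key() (hunk at new line 870, HOST_OK case) `hostkey_trusted = 1;` is now reached without consulting the SSHFP result, so a known_hosts match is trusted even when `matching_host_key_dns` is 0, and the only remaining user-visible signal is the warn_changed_key() call on the else branch of the `DNS_VERIFY_MATCH` test in verify_host_key() (hunk at new line 1271). That precedence is presumably the point of the change, but nothing in the new code states it; a comment at `hostkey_trusted = 1;` such as `/* a known_hosts match is authoritative; an SSHFP mismatch only warns (see verify_host_key()) */` would make it explicit. Both enclosing functions start and end outside their hunks, so whether verify_host_key() can still reject the connection on a DNS mismatch is not visible here. In warn_changed_key() the key type string now comes from `key_type(host_key)` instead of `sshkey_type()`; if those two render differently (the short "RSA" form versus the "ssh-rsa" algorithm name), the wording of the warning changes for users, which is worth confirming as intended.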