-rw-r--r-- | dns.c | 14 | ||||
-rw-r--r-- | dns.h | 3 | ||||
-rw-r--r-- | sshconnect.c | 49 |
3 files changed, 53 insertions, 13 deletions
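--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
 
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 free(dnskey_digest);
 }
 
-free(hostkey_digest); /* from sshkey_fingerprint_raw() */
-freerrset(fingerprints);
-
-if (*flags & DNS_VERIFY_FOUND)
+if (*flags & DNS_VERIFY_FOUND) {
 if (*flags & DNS_VERIFY_MATCH)
 debug("matching host key fingerprint found in DNS");
+else if (counter == fingerprints->rri_nrdatas)
+*flags |= DNS_VERIFY_MISSING;
 else
 debug("mismatching host key fingerprint found in DNS");
-else
+} else
 debug("no host key fingerprint found in DNS");
 
+free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+freerrset(fingerprints);
+
 return 0;
 }
 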
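Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` test only separates "every record was checked" from "stopped early" if the preceding loop, which lies outside the hunk, exits early on a record it cannot reconcile; if that loop always runs to completion, the condition is always true here, the `mismatching host key fingerprint found in DNS` branch becomes unreachable, and a changed key with stale SSHFP records is flagged DNS_VERIFY_MISSING — which sshconnect.c then reports through warn_missing_key instead of the man-in-the-middle warning of warn_changed_key — so the loop body should be checked against this condition. This is also the only branch of the chain that changes state without a log line; add `debug("no matching host key fingerprint found in DNS");` next to the flag assignment so the debug trace stays symmetrical with the other outcomes. Moving free(hostkey_digest)/freerrset(fingerprints) below the check is needed now that fingerprints is read here; verify_host_key_dns begins outside the hunk.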
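--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
 
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -49,6 +49,7 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND 0x00000001
 #define DNS_VERIFY_MATCH 0x00000002
 #define DNS_VERIFY_SECURE 0x00000004
+#define DNS_VERIFY_MISSING 0x00000008
 
 int verify_host_key_dns(const char *, struct sockaddr *,
 struct sshkey *, int *);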
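Review bot: DNS_VERIFY_MISSING is added beside three flag bits that are also undocumented, and the name is easy to misread as "no SSHFP record at all", whereas dns.c in this commit sets it only when records were found but none matched the presented key. Add a comment on the new define, `/* SSHFP RRs exist for the host, but none matches the presented key */`, and ideally a one-line comment on each of the existing bits so callers combining them do not have to read verify_host_key_dns to learn their meaning.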
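--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.283 2017/07/01 13:50:45 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -83,6 +83,7 @@ extern uid_t original_effective_uid;
 
 static int show_other_keys(struct hostkeys *, struct sshkey *);
 static void warn_changed_key(struct sshkey *);
+static void warn_missing_key(struct sshkey *);
 
 /* Expand a proxy command */
 static char *
@@ -864,6 +865,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 free(ra);
 free(fp);
 }
+if (options.verify_host_key_dns &&
+options.strict_host_key_checking &&
+!matching_host_key_dns) {
+snprintf(msg, sizeof(msg),
+"Are you sure you want to continue connecting "
+"(yes/no)? ");
+if (!confirm(msg))
+goto fail;
+msg[0] = '\0';
+}
 hostkey_trusted = 1;
 break;
 case HOST_NEW:
@@ -1259,10 +1270,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 if (flags & DNS_VERIFY_MATCH) {
 matching_host_key_dns = 1;
 } else {
-warn_changed_key(plain);
-error("Update the SSHFP RR in DNS "
-"with the new host key to get rid "
-"of this message.");
+if (flags & DNS_VERIFY_MISSING) {
+warn_missing_key(plain);
+error("Add this host key to "
+"the SSHFP RR in DNS to get rid "
+"of this message.");
+} else {
+warn_changed_key(plain);
+error("Update the SSHFP RR in DNS "
+"with the new host key to get rid "
+"of this message.");
+}
 }
 }
 }
@@ -1394,12 +1412,31 @@ warn_changed_key(struct sshkey *host_key)
 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 error("It is also possible that a host key has just been changed.");
 error("The fingerprint for the %s key sent by the remote host is\n%s.",
-key_type(host_key), fp);
+sshkey_type(host_key), fp);
 error("Please contact your system administrator.");
 
 free(fp);
 }
 
+static void
+warn_missing_key(struct sshkey *host_key)
+{
+char *fp;
+
+fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
+SSH_FP_DEFAULT);
+if (fp == NULL)
+fatal("%s: sshkey_fingerprint fail", __func__);
+
+error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
+error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+error("The fingerprint for the %s key sent by the remote host is\n%s.",
+sshkey_type(host_key), fp);
+error("Please contact your system administrator.");
+
+free(fp);
+}
 /*
 * Execute a local command
 */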
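Review bot: The prompt added in check_host_key's HOST_OK path is gated on `!matching_host_key_dns`, and in the verify_host_key hunk that variable appears to be set only on DNS_VERIFY_MATCH, so a host already trusted through known_hosts would be prompted on every connection not only when SSHFP records exist but fail to match, but also when the zone publishes no SSHFP records at all — a case the DNS_VERIFY_MISSING handling in this commit does not cover. If confirm() answers no when no terminal is available, as it presumably does for the other prompts in this file, such connections now fail outright under BatchMode because of the `goto fail`, a behaviour change that deserves either a mention in the commit message or a gate on the DNS result itself rather than on the absence of a match. The prompt also gives no reason; a preface such as `"No matching SSHFP record for this host key was found in DNS. "` before the question would tell the user what they are accepting. Separately, the new warn_missing_key repeats the fingerprint-and-banner sequence of warn_changed_key and is inserted with no blank line before the `/* Execute a local command */` comment that follows it. The enclosing switch in check_host_key starts and ends outside the hunk.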