[openssh-commits] [openssh] 06/08: upstream commit
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Sep 4 09:39:07 AEST 2017
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit b828605d51f57851316d7ba402b4ae06cf37c55d
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Sep 1 05:53:56 2017 +0000
upstream commit
identify the case where SSHFP records are missing but
other DNS RR types are present and display a more useful error message for
this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
---
dns.c | 14 ++++++++------
dns.h | 3 ++-
sshconnect.c | 49 +++++++++++++++++++++++++++++++++++++++++++------
3 files changed, 53 insertions(+), 13 deletions(-)
diff --git a/dns.c b/dns.c
index e813afea..9152e864 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
free(dnskey_digest);
}
- free(hostkey_digest); /* from sshkey_fingerprint_raw() */
- freerrset(fingerprints);
-
- if (*flags & DNS_VERIFY_FOUND)
+ if (*flags & DNS_VERIFY_FOUND) {
if (*flags & DNS_VERIFY_MATCH)
debug("matching host key fingerprint found in DNS");
+ else if (counter == fingerprints->rri_nrdatas)
+ *flags |= DNS_VERIFY_MISSING;
else
debug("mismatching host key fingerprint found in DNS");
- else
+ } else
debug("no host key fingerprint found in DNS");
+ free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+ freerrset(fingerprints);
+
return 0;
}
diff --git a/dns.h b/dns.h
index 30e2b19b..6bb8c793 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -49,6 +49,7 @@ enum sshfp_hashes {
#define DNS_VERIFY_FOUND 0x00000001
#define DNS_VERIFY_MATCH 0x00000002
#define DNS_VERIFY_SECURE 0x00000004
+#define DNS_VERIFY_MISSING 0x00000008
int verify_host_key_dns(const char *, struct sockaddr *,
struct sshkey *, int *);
diff --git a/sshconnect.c b/sshconnect.c
index aaae5fc9..4013ec7d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.283 2017/07/01 13:50:45 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -83,6 +83,7 @@ extern uid_t original_effective_uid;
static int show_other_keys(struct hostkeys *, struct sshkey *);
static void warn_changed_key(struct sshkey *);
+static void warn_missing_key(struct sshkey *);
/* Expand a proxy command */
static char *
@@ -864,6 +865,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
free(ra);
free(fp);
}
+ if (options.verify_host_key_dns &&
+ options.strict_host_key_checking &&
+ !matching_host_key_dns) {
+ snprintf(msg, sizeof(msg),
+ "Are you sure you want to continue connecting "
+ "(yes/no)? ");
+ if (!confirm(msg))
+ goto fail;
+ msg[0] = '\0';
+ }
hostkey_trusted = 1;
break;
case HOST_NEW:
@@ -1259,10 +1270,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
if (flags & DNS_VERIFY_MATCH) {
matching_host_key_dns = 1;
} else {
- warn_changed_key(plain);
- error("Update the SSHFP RR in DNS "
- "with the new host key to get rid "
- "of this message.");
+ if (flags & DNS_VERIFY_MISSING) {
+ warn_missing_key(plain);
+ error("Add this host key to "
+ "the SSHFP RR in DNS to get rid "
+ "of this message.");
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
}
@@ -1394,12 +1412,31 @@ warn_changed_key(struct sshkey *host_key)
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
- key_type(host_key), fp);
+ sshkey_type(host_key), fp);
error("Please contact your system administrator.");
free(fp);
}
+static void
+warn_missing_key(struct sshkey *host_key)
+{
+ char *fp;
+
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
+ SSH_FP_DEFAULT);
+ if (fp == NULL)
+ fatal("%s: sshkey_fingerprint fail", __func__);
+
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("The fingerprint for the %s key sent by the remote host is\n%s.",
+ sshkey_type(host_key), fp);
+ error("Please contact your system administrator.");
+
+ free(fp);
+}
/*
* Execute a local command
*/
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list