[openssh-commits] [openssh] 06/08: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Sep 4 09:39:07 AEST 2017


djm pushed a commit to branch master
in repository openssh.

commit b828605d51f57851316d7ba402b4ae06cf37c55d
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Sep 1 05:53:56 2017 +0000

    upstream commit
    
    identify the case where SSHFP records are missing but
    other DNS RR types are present and display a more useful error message for
    this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
    
    Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
---
 dns.c        | 14 ++++++++------
 dns.h        |  3 ++-
 sshconnect.c | 49 +++++++++++++++++++++++++++++++++++++++++++------
 3 files changed, 53 insertions(+), 13 deletions(-)

diff --git a/dns.c b/dns.c
index e813afea..9152e864 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		free(dnskey_digest);
 	}
 
-	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
-	freerrset(fingerprints);
-
-	if (*flags & DNS_VERIFY_FOUND)
+	if (*flags & DNS_VERIFY_FOUND) {
 		if (*flags & DNS_VERIFY_MATCH)
 			debug("matching host key fingerprint found in DNS");
+		else if (counter == fingerprints->rri_nrdatas)
+			*flags |= DNS_VERIFY_MISSING;
 		else
 			debug("mismatching host key fingerprint found in DNS");
-	else
+	} else
 		debug("no host key fingerprint found in DNS");
 
+	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+	freerrset(fingerprints);
+
 	return 0;
 }
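Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` test that sets `DNS_VERIFY_MISSING` only separates "SSHFP RRs present but none usable for this key" from "a record for this key was compared and did not match" if the scanning loop above exits early when it reaches a record of the host key's algorithm and digest type; that loop and the declaration of `counter` are above this hunk, so I cannot confirm it. If the loop runs every record to completion, with `continue` on a type mismatch, `counter` always equals `rri_nrdatas` here, the `mismatching host key fingerprint found in DNS` branch becomes unreachable, and every mismatch is reported as MISSING, which suppresses the stronger changed-key warning in sshconnect.c. A flag set inside the loop whenever a type-compatible record is actually compared is a more robust signal than the loop index, e.g. `else if (!compared_any) *flags |= DNS_VERIFY_MISSING;`. The start of verify_host_key_dns is outside the hunk.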
 
diff --git a/dns.h b/dns.h
index 30e2b19b..6bb8c793 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -49,6 +49,7 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND	0x00000001
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
+#define DNS_VERIFY_MISSING	0x00000008
 
 int	verify_host_key_dns(const char *, struct sockaddr *,
     struct sshkey *, int *);
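Review bot: `DNS_VERIFY_MISSING` is added without a comment, and the neighbouring FOUND/MATCH/SECURE flags are undocumented too, so a caller cannot tell from the header whether MISSING means "no SSHFP RRs at all" or "SSHFP RRs exist but none cover this key". The dns.c hunk shows it is the latter (it is only set when DNS_VERIFY_FOUND is already set), so I would add `/* SSHFP RRs exist, but none for this key's type */` beside the define and note that MISSING implies FOUND and is mutually exclusive with MATCH.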
diff --git a/sshconnect.c b/sshconnect.c
index aaae5fc9..4013ec7d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.283 2017/07/01 13:50:45 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -83,6 +83,7 @@ extern uid_t original_effective_uid;
 
 static int show_other_keys(struct hostkeys *, struct sshkey *);
 static void warn_changed_key(struct sshkey *);
+static void warn_missing_key(struct sshkey *);
 
 /* Expand a proxy command */
 static char *
@@ -864,6 +865,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 			free(ra);
 			free(fp);
 		}
+		if (options.verify_host_key_dns &&
+		    options.strict_host_key_checking &&
+		    !matching_host_key_dns) {
+			snprintf(msg, sizeof(msg),
+			    "Are you sure you want to continue connecting "
+			    "(yes/no)? ");
+			if (!confirm(msg))
+				goto fail;
+			msg[0] = '\0';
+		}
 		hostkey_trusted = 1;
 		break;
 	case HOST_NEW:
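Review bot: The added `if (options.verify_host_key_dns && options.strict_host_key_checking && !matching_host_key_dns)` block prompts the user even though the host key was already accepted from known_hosts (the block sits just before `hostkey_trusted = 1`, in what appears to be the HOST_OK case), and `!matching_host_key_dns` is true for every non-match, so a failed lookup, a zone with no SSHFP RRs at all, and a genuine mismatch all trigger it, not only the "missing" case this commit targets. Under `StrictHostKeyChecking yes` users expect no interactive prompt, and wherever `confirm()` cannot ask (non-interactive use) this turns a previously working connection to a known host into a failure whenever DNS has no matching record; please confirm that is intended and document it in ssh_config(5). The prompt text also gives no reason for the question; something like `"Host key is in known_hosts but no matching SSHFP RR was found in DNS. Are you sure you want to continue connecting (yes/no)? "` would let the user decide on a stated basis. The enclosing check_host_key and its switch start outside the hunk, and the definition of matching_host_key_dns is not visible here.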
@@ -1259,10 +1270,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 				if (flags & DNS_VERIFY_MATCH) {
 					matching_host_key_dns = 1;
 				} else {
-					warn_changed_key(plain);
-					error("Update the SSHFP RR in DNS "
-					    "with the new host key to get rid "
-					    "of this message.");
+					if (flags & DNS_VERIFY_MISSING) {
+						warn_missing_key(plain);
+						error("Add this host key to "
+						    "the SSHFP RR in DNS to get rid "
+						    "of this message.");
+					} else {
+						warn_changed_key(plain);
+						error("Update the SSHFP RR in DNS "
+						    "with the new host key to get rid "
+						    "of this message.");
+					}
 				}
 			}
 		}
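Review bot: The new `else { if (flags & DNS_VERIFY_MISSING) { ... } else { ... } }` nesting adds an indentation level that `else if` avoids, and at this depth the extra level pushes the already-wrapped `error()` strings further right. The block reads more plainly as `} else if (flags & DNS_VERIFY_MISSING) {` followed by the warn_missing_key lines, then `} else {` with the existing changed-key branch. The enclosing verify_host_key starts and ends outside the hunk.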
@@ -1394,12 +1412,31 @@ warn_changed_key(struct sshkey *host_key)
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
 	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    key_type(host_key), fp);
+	    sshkey_type(host_key), fp);
 	error("Please contact your system administrator.");
 
 	free(fp);
 }
 
+static void
+warn_missing_key(struct sshkey *host_key)
+{
+	char *fp;
+
+	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
+	    SSH_FP_DEFAULT);
+	if (fp == NULL)
+		fatal("%s: sshkey_fingerprint fail", __func__);
+
+	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+	error("@    WARNING: REMOTE HOST IDENTIFICATION IS MISSING       @");
+	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+	error("The fingerprint for the %s key sent by the remote host is\n%s.",
+	    sshkey_type(host_key), fp);
+	error("Please contact your system administrator.");
+
+	free(fp);
+}
 /*
  * Execute a local command
  */
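Review bot: `warn_missing_key` has no leading comment, its closing `}` runs straight into the `/* Execute a local command */` block with no blank line, and its body duplicates warn_changed_key line for line apart from the banner and the two eavesdropping sentences. I would add `/* Warn that the host key has no matching SSHFP RR in DNS */` above it, restore the blank line, and consider a shared static helper that takes the banner text and prints it plus the fingerprint, so the two warnings cannot drift apart. The banner `REMOTE HOST IDENTIFICATION IS MISSING` also reads as if the host key itself were absent, when what is missing is the DNS record; wording such as `REMOTE HOST IDENTIFICATION NOT FOUND IN DNS`, padded to the same width as the `@` borders, states the actual condition and avoids presenting a weaker situation at the same alarm level as the changed-key warning.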
