[openssh-commits] [openssh] 01/01: upstream commit
djm pushed a commit to branch master
in repository openssh.
commit aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Sep 14 04:32:21 2017 +0000
upstream commit
Revert commitid: gJtIN6rRTS3CHy9b.
-------------
identify the case where SSHFP records are missing but other DNS RR
types are present and display a more useful error message for this
case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-------------
This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results
are missing but the user already has the key in known_hosts
Spotted by dtucker@
Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
---
dns.c | 14 ++++++--------
dns.h | 3 +--
sshconnect.c | 49 ++++++-------------------------------------------
3 files changed, 13 insertions(+), 53 deletions(-)
diff --git a/dns.c b/dns.c
index 9152e864..6e1abb53 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.37 2017/09/14 04:32:21 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -294,19 +294,17 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
free(dnskey_digest);
}
- if (*flags & DNS_VERIFY_FOUND) {
+ free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+ freerrset(fingerprints);
+
+ if (*flags & DNS_VERIFY_FOUND)
if (*flags & DNS_VERIFY_MATCH)
debug("matching host key fingerprint found in DNS");
- else if (counter == fingerprints->rri_nrdatas)
- *flags |= DNS_VERIFY_MISSING;
else
debug("mismatching host key fingerprint found in DNS");
- } else
+ else
debug("no host key fingerprint found in DNS");
- free(hostkey_digest); /* from sshkey_fingerprint_raw() */
- freerrset(fingerprints);
-
return 0;
}
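Review bot: The restored tail of verify_host_key_dns depends on dangling-else binding: the unbraced `if (*flags & DNS_VERIFY_MATCH) ... else ...` sits inside an equally unbraced `if (*flags & DNS_VERIFY_FOUND)`, and the final `else` reaches the outer condition only because the inner one already consumed its own. It parses as intended today, but adding one statement to either arm silently changes which debug() fires, and the lines being removed already had the safe shape; keeping `if (*flags & DNS_VERIFY_FOUND) {` ... `} else` costs the revert nothing. Hoisting `free(hostkey_digest)` and `freerrset(fingerprints)` above the checks looks safe from what the hunk shows, since only `*flags` is read afterwards. verify_host_key_dns begins outside the hunk.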
diff --git a/dns.h b/dns.h
index 6bb8c793..68443f7c 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.17 2017/09/14 04:32:21 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -49,7 +49,6 @@ enum sshfp_hashes {
#define DNS_VERIFY_FOUND 0x00000001
#define DNS_VERIFY_MATCH 0x00000002
#define DNS_VERIFY_SECURE 0x00000004
-#define DNS_VERIFY_MISSING 0x00000008
int verify_host_key_dns(const char *, struct sockaddr *,
struct sshkey *, int *);
diff --git a/sshconnect.c b/sshconnect.c
index 60856620..dc7a704d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.286 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.287 2017/09/14 04:32:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -83,7 +83,6 @@ extern uid_t original_effective_uid;
static int show_other_keys(struct hostkeys *, struct sshkey *);
static void warn_changed_key(struct sshkey *);
-static void warn_missing_key(struct sshkey *);
/* Expand a proxy command */
static char *
@@ -871,16 +870,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
free(ra);
free(fp);
}
- if (options.verify_host_key_dns &&
- options.strict_host_key_checking &&
- !matching_host_key_dns) {
- snprintf(msg, sizeof(msg),
- "Are you sure you want to continue connecting "
- "(yes/no)? ");
- if (!confirm(msg))
- goto fail;
- msg[0] = '\0';
- }
hostkey_trusted = 1;
break;
case HOST_NEW:
@@ -1282,17 +1271,10 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
if (flags & DNS_VERIFY_MATCH) {
matching_host_key_dns = 1;
} else {
- if (flags & DNS_VERIFY_MISSING) {
- warn_missing_key(plain);
- error("Add this host key to "
- "the SSHFP RR in DNS to get rid "
- "of this message.");
- } else {
- warn_changed_key(plain);
- error("Update the SSHFP RR in DNS "
- "with the new host key to get rid "
- "of this message.");
- }
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
}
}
}
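Review bot: After this hunk the else branch reports every non-matching DNS answer as a changed key, including the case the reverted change had singled out (SSHFP records absent while other RR types are present, per the commit description), and nothing in the code says why no separate missing-record path exists. A one-line comment above `warn_changed_key(plain);` would stop the next reader from re-deriving that from history, e.g. `/* no separate "SSHFP missing" case; see revert of gJtIN6rRTS3CHy9b */`. verify_host_key begins and ends outside the hunk.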
@@ -1424,31 +1406,12 @@ warn_changed_key(struct sshkey *host_key)
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
error("The fingerprint for the %s key sent by the remote host is\n%s.",
- sshkey_type(host_key), fp);
+ key_type(host_key), fp);
error("Please contact your system administrator.");
free(fp);
}
-static void
-warn_missing_key(struct sshkey *host_key)
-{
- char *fp;
-
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
- SSH_FP_DEFAULT);
- if (fp == NULL)
- fatal("%s: sshkey_fingerprint fail", __func__);
-
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- sshkey_type(host_key), fp);
- error("Please contact your system administrator.");
-
- free(fp);
-}
/*
* Execute a local command
*/
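Review bot: The change from `sshkey_type(host_key)` back to `key_type(host_key)` in warn_changed_key goes beyond undoing the behavioural part of the earlier commit: the argument is a `struct sshkey *`, and the warn_missing_key being deleted in the same hunk used `sshkey_type`, so the sshkey_ spelling is the one consistent with the surrounding code. If `key_type` is still only a compatibility alias in this tree the line compiles, but if that alias has been retired the revert breaks the build for no gain; keep `sshkey_type(host_key), fp);` on the new side. warn_changed_key begins outside the hunk.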