ServerLiesWarning
Mordechai T. Abzug
morty at frakir.org
Tue Nov 4 19:07:50 EST 2003
I'm trying to replace some sshv1 clients and servers in a modular way,
and the "Server Lies" warning (when the server says the key has one
more bit than it really has) is causing heartache. Per the FAQ, this
is relatively benign. Here's a patch that allows an admin or user to
disable the warning.
- Morty
diff -Nur openssh-3.7.1p2/readconf.c openssh-3.7.1p2-serverlieswarning/readconf.c
--- openssh-3.7.1p2/readconf.c 2003-09-02 08:58:22.000000000 -0400
+++ openssh-3.7.1p2-serverlieswarning/readconf.c 2003-11-04 02:32:50.000000000 -0500
@@ -104,7 +104,7 @@
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerLiesWarning,
oDeprecated, oUnsupported
} OpCodes;
@@ -166,6 +166,7 @@
{ "batchmode", oBatchMode },
{ "checkhostip", oCheckHostIP },
{ "stricthostkeychecking", oStrictHostKeyChecking },
+ { "serverlieswarning", oServerLiesWarning },
{ "compression", oCompression },
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
@@ -402,6 +403,10 @@
intptr = &options->verify_host_key_dns;
goto parse_flag;
+ case oServerLiesWarning:
+ intptr = &options->server_lies_warning;
+ goto parse_flag;
+
case oStrictHostKeyChecking:
intptr = &options->strict_host_key_checking;
arg = strdelim(&s);
@@ -856,6 +861,7 @@
options->no_host_authentication_for_localhost = - 1;
options->rekey_limit = - 1;
options->verify_host_key_dns = -1;
+ options->server_lies_warning = -1;
}
/*
@@ -968,6 +974,8 @@
options->rekey_limit = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+ if (options->server_lies_warning == -1)
+ options->server_lies_warning = 1;
/* options->proxy_command should not be set by default */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
diff -Nur openssh-3.7.1p2/readconf.h openssh-3.7.1p2-serverlieswarning/readconf.h
--- openssh-3.7.1p2/readconf.h 2003-09-02 08:58:22.000000000 -0400
+++ openssh-3.7.1p2-serverlieswarning/readconf.h 2003-11-04 02:19:21.000000000 -0500
@@ -82,6 +82,7 @@
char *bind_address; /* local socket address for connection to sshd */
char *smartcard_device; /* Smartcard reader device */
int verify_host_key_dns; /* Verify host key using DNS */
+ int server_lies_warning; /* display warning about server lying */
int num_identity_files; /* Number of files for RSA/DSA identities. */
char *identity_files[SSH_MAX_IDENTITY_FILES];
diff -Nur openssh-3.7.1p2/ssh_config.5 openssh-3.7.1p2-serverlieswarning/ssh_config.5
--- openssh-3.7.1p2/ssh_config.5 2003-09-02 22:13:30.000000000 -0400
+++ openssh-3.7.1p2-serverlieswarning/ssh_config.5 2003-11-04 02:45:47.000000000 -0500
@@ -553,6 +553,12 @@
The default is
.Dq yes .
Note that this option applies to protocol version 1 only.
+.It Cm ServerLiesWarning
+Specifies whether or not the client should display the "Server lies" warning
+when the server claims that a key is one bit longer than it is.
+The default is
+.Dq yes .
+Disabling this allows better compatibility with older ssh versions.
.It Cm SmartcardDevice
Specifies which smartcard device to use.
The argument to this keyword is the device
diff -Nur openssh-3.7.1p2/sshconnect1.c openssh-3.7.1p2-serverlieswarning/sshconnect1.c
--- openssh-3.7.1p2/sshconnect1.c 2003-09-02 08:51:17.000000000 -0400
+++ openssh-3.7.1p2-serverlieswarning/sshconnect1.c 2003-11-04 02:29:50.000000000 -0500
@@ -494,7 +494,8 @@
packet_get_bignum(server_key->rsa->n);
rbits = BN_num_bits(server_key->rsa->n);
- if (bits != rbits) {
+ if (bits == rbits + 1 && ! options.server_lies_warning) {
+ } else if (bits != rbits) {
logit("Warning: Server lies about size of server public key: "
"actual size is %d bits vs. announced %d.", rbits, bits);
logit("Warning: This may be due to an old implementation of ssh.");
@@ -506,7 +507,8 @@
packet_get_bignum(host_key->rsa->n);
rbits = BN_num_bits(host_key->rsa->n);
- if (bits != rbits) {
+ if (bits == rbits + 1 && ! options.server_lies_warning) {
+ } else if (bits != rbits) {
logit("Warning: Server lies about size of server host key: "
"actual size is %d bits vs. announced %d.", rbits, bits);
logit("Warning: This may be due to an old implementation of ssh.");
More information about the openssh-unix-dev
mailing list