[openssh-commits] [openssh] 01/01: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Sep 14 14:33:10 AEST 2017



djm pushed a commit to branch master
in repository openssh.

commit aea59a0d9f120f2a87c7f494a0d9c51eaa79b8ba
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Sep 14 04:32:21 2017 +0000

    upstream commit
    
    Revert commitid: gJtIN6rRTS3CHy9b.
    
    -------------
    identify the case where SSHFP records are missing but other DNS RR
    types are present and display a more useful error message for this
    case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
    -------------
    
    This caused unexpected failures when VerifyHostKeyDNS=yes and SSHFP results
    are missing, but the user already has the key in known_hosts.
    
    Spotted by dtucker@
    
    Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
---
 dns.c        | 14 ++++++--------
 dns.h        |  3 +--
 sshconnect.c | 49 ++++++-------------------------------------------
 3 files changed, 13 insertions(+), 53 deletions(-)

diff --git a/dns.c b/dns.c
index 9152e864..6e1abb53 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.37 2017/09/14 04:32:21 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -294,19 +294,17 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		free(dnskey_digest);
 	}
 
-	if (*flags & DNS_VERIFY_FOUND) {
+	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+	freerrset(fingerprints);
+
+	if (*flags & DNS_VERIFY_FOUND)
 		if (*flags & DNS_VERIFY_MATCH)
 			debug("matching host key fingerprint found in DNS");
-		else if (counter == fingerprints->rri_nrdatas)
-			*flags |= DNS_VERIFY_MISSING;
 		else
 			debug("mismatching host key fingerprint found in DNS");
-	} else
+	else
 		debug("no host key fingerprint found in DNS");
 
-	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
-	freerrset(fingerprints);
-
 	return 0;
 }
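Review bot: The restored debug chain at the end of verify_host_key_dns depends on dangling-else binding: the outer `if (*flags & DNS_VERIFY_FOUND)` has no braces, so the final `else` attaches to it only because the inner `if`/`else` pair is complete, and a later one-line edit to either inner branch would silently rebind it. Bracing the outer statement, `if (*flags & DNS_VERIFY_FOUND) {` … `} else`, keeps the reverted behaviour and removes the hazard. Moving `free(hostkey_digest)` and `freerrset(fingerprints)` ahead of the chain is fine on the new side, since nothing after them dereferences `fingerprints` any more. verify_host_key_dns begins before this hunk.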
 
diff --git a/dns.h b/dns.h
index 6bb8c793..68443f7c 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.17 2017/09/14 04:32:21 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -49,7 +49,6 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND	0x00000001
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
-#define DNS_VERIFY_MISSING	0x00000008
 
 int	verify_host_key_dns(const char *, struct sockaddr *,
     struct sshkey *, int *);
diff --git a/sshconnect.c b/sshconnect.c
index 60856620..dc7a704d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.286 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.287 2017/09/14 04:32:21 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -83,7 +83,6 @@ extern uid_t original_effective_uid;
 
 static int show_other_keys(struct hostkeys *, struct sshkey *);
 static void warn_changed_key(struct sshkey *);
-static void warn_missing_key(struct sshkey *);
 
 /* Expand a proxy command */
 static char *
@@ -871,16 +870,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 			free(ra);
 			free(fp);
 		}
-		if (options.verify_host_key_dns &&
-		    options.strict_host_key_checking &&
-		    !matching_host_key_dns) {
-			snprintf(msg, sizeof(msg),
-			    "Are you sure you want to continue connecting "
-			    "(yes/no)? ");
-			if (!confirm(msg))
-				goto fail;
-			msg[0] = '\0';
-		}
 		hostkey_trusted = 1;
 		break;
 	case HOST_NEW:
@@ -1282,17 +1271,10 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 				if (flags & DNS_VERIFY_MATCH) {
 					matching_host_key_dns = 1;
 				} else {
-					if (flags & DNS_VERIFY_MISSING) {
-						warn_missing_key(plain);
-						error("Add this host key to "
-						    "the SSHFP RR in DNS to get rid "
-						    "of this message.");
-					} else {
-						warn_changed_key(plain);
-						error("Update the SSHFP RR in DNS "
-						    "with the new host key to get rid "
-						    "of this message.");
-					}
+					warn_changed_key(plain);
+					error("Update the SSHFP RR in DNS "
+					    "with the new host key to get rid "
+					    "of this message.");
 				}
 			}
 		}
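Review bot: After this hunk the `else` branch (DNS_VERIFY_FOUND set, DNS_VERIFY_MATCH clear) no longer distinguishes a mismatching SSHFP record from the case that, judging by the removed DNS_VERIFY_MISSING handling, appears to be "SSHFP records exist only for other key types", so `warn_changed_key(plain)` and the "Update the SSHFP RR" message are emitted for both. The commit description explains why the distinction was dropped, but the code does not, and the next reader is likely to re-add it. A one-line comment before `warn_changed_key(plain);` would capture that: `/* FOUND but no MATCH: treated as a changed key even if no SSHFP RR exists for this key type (see bz#2501 revert) */`. The `if (flags & DNS_VERIFY_FOUND)` guard and the start of verify_host_key lie outside the hunk.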
@@ -1424,31 +1406,12 @@ warn_changed_key(struct sshkey *host_key)
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
 	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    sshkey_type(host_key), fp);
+	    key_type(host_key), fp);
 	error("Please contact your system administrator.");
 
 	free(fp);
 }
 
-static void
-warn_missing_key(struct sshkey *host_key)
-{
-	char *fp;
-
-	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
-	    SSH_FP_DEFAULT);
-	if (fp == NULL)
-		fatal("%s: sshkey_fingerprint fail", __func__);
-
-	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-	error("@    WARNING: REMOTE HOST IDENTIFICATION IS MISSING       @");
-	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    sshkey_type(host_key), fp);
-	error("Please contact your system administrator.");
-
-	free(fp);
-}
 /*
  * Execute a local command
  */
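Review bot: The new side of the `error("The fingerprint for the %s key sent by the remote host is\n%s.", ...)` call in warn_changed_key switches its argument from `sshkey_type(host_key)` to `key_type(host_key)`, which neither the removed line nor the deleted warn_missing_key used; this looks like a stale identifier brought back by the revert rather than part of the reverted change. Unless `key_type` is still declared in this tree (not visible here), the line should remain `	    sshkey_type(host_key), fp);`, consistent with the rest of sshconnect.c. If a legacy `key_type` wrapper does still exist, the line compiles but silently diverges from the `sshkey_*` API used everywhere else in the file. warn_changed_key begins before this hunk.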
