diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-09-01 05:53:56 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-09-04 09:38:57 +1000 |
| commit | b828605d51f57851316d7ba402b4ae06cf37c55d (patch) | |
| tree | cec2c9c32c860e87c7a643aea1abd6c587dcd5de | |
| parent | 8042bad97e2789a50e8f742c3bcd665ebf0add32 (diff) | |
upstream commit
identify the case where SSHFP records are missing but
other DNS RR types are present and display a more useful error message for
this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
Upstream-ID: 8f7a5a8344f684823d8317a9708b63e75be2c244
| -rw-r--r-- | dns.c | 14 | ||||
| -rw-r--r-- | dns.h | 3 | ||||
| -rw-r--r-- | sshconnect.c | 49 |
3 files changed, 53 insertions, 13 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -294,17 +294,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, free(dnskey_digest); } - free(hostkey_digest); /* from sshkey_fingerprint_raw() */ - freerrset(fingerprints); - - if (*flags & DNS_VERIFY_FOUND) + if (*flags & DNS_VERIFY_FOUND) { if (*flags & DNS_VERIFY_MATCH) debug("matching host key fingerprint found in DNS"); + else if (counter == fingerprints->rri_nrdatas) + *flags |= DNS_VERIFY_MISSING; else debug("mismatching host key fingerprint found in DNS"); - else + } else debug("no host key fingerprint found in DNS"); + free(hostkey_digest); /* from sshkey_fingerprint_raw() */ + freerrset(fingerprints); + return 0; } @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */ +/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -49,6 +49,7 @@ enum sshfp_hashes { #define DNS_VERIFY_FOUND 0x00000001 #define DNS_VERIFY_MATCH 0x00000002 #define DNS_VERIFY_SECURE 0x00000004 +#define DNS_VERIFY_MISSING 0x00000008 int verify_host_key_dns(const char *, struct sockaddr *, struct sshkey *, int *); diff --git a/sshconnect.c b/sshconnect.c index aaae5fc9..4013ec7d 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.283 2017/07/01 13:50:45 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -83,6 +83,7 @@ extern uid_t original_effective_uid; static int show_other_keys(struct hostkeys *, struct sshkey *); static void warn_changed_key(struct sshkey *); +static void warn_missing_key(struct sshkey *); /* Expand a proxy command */ static char * @@ -864,6 +865,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, free(ra); free(fp); } + if (options.verify_host_key_dns && + options.strict_host_key_checking && + !matching_host_key_dns) { + snprintf(msg, sizeof(msg), + "Are you sure you want to continue connecting " + "(yes/no)? "); + if (!confirm(msg)) + goto fail; + msg[0] = '\0'; + } hostkey_trusted = 1; break; case HOST_NEW: @@ -1259,10 +1270,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key) if (flags & DNS_VERIFY_MATCH) { matching_host_key_dns = 1; } else { - warn_changed_key(plain); - error("Update the SSHFP RR in DNS " - "with the new host key to get rid " - "of this message."); + if (flags & DNS_VERIFY_MISSING) { + warn_missing_key(plain); + error("Add this host key to " + "the SSHFP RR in DNS to get rid " + "of this message."); + } else { + warn_changed_key(plain); + error("Update the SSHFP RR in DNS " + "with the new host key to get rid " + "of this message."); + } } } } @@ -1394,12 +1412,31 @@ warn_changed_key(struct sshkey *host_key) error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that a host key has just been changed."); error("The fingerprint for the %s key sent by the remote host is\n%s.", - key_type(host_key), fp); + sshkey_type(host_key), fp); error("Please contact your system administrator."); free(fp); } +static void +warn_missing_key(struct sshkey *host_key) +{ + char *fp; + + fp = sshkey_fingerprint(host_key, options.fingerprint_hash, + SSH_FP_DEFAULT); + if (fp == NULL) + fatal("%s: sshkey_fingerprint fail", __func__); + + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @"); + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("The fingerprint for the %s key sent by the remote host is\n%s.", + sshkey_type(host_key), fp); + error("Please contact your system administrator."); + + free(fp); +} /* * Execute a local command */ |