author | Damien Miller <djm@cvs.openbsd.org> | 2017-09-01 05:53:57 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2017-09-01 05:53:57 +0000 |
commit | 7d02c1c7b1c5dd6c940c35e26d7b582012c627af (patch) | |
tree | ed81c7b29041a95d2267884f76d22de7cba626eb | |
parent | 99b0620b2e50ff533ccf32ebd1f79d8256c2eee7 (diff) |
identify the case where SSHFP records are missing but other DNS RR
types are present and display a more useful error message for this
case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-rw-r--r-- | usr.bin/ssh/dns.c | 14 | ||||
-rw-r--r-- | usr.bin/ssh/dns.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/sshconnect.c | 49 |
3 files changed, 53 insertions, 13 deletions
diff --git a/usr.bin/ssh/dns.c b/usr.bin/ssh/dns.c
index 301d65c5a88..b54a52d4f93 100644
--- a/usr.bin/ssh/dns.c
+++ b/usr.bin/ssh/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -291,17 +291,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		free(dnskey_digest);
 	}
 
-	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
-	freerrset(fingerprints);
-
-	if (*flags & DNS_VERIFY_FOUND)
+	if (*flags & DNS_VERIFY_FOUND) {
 		if (*flags & DNS_VERIFY_MATCH)
 			debug("matching host key fingerprint found in DNS");
+		else if (counter == fingerprints->rri_nrdatas)
+			*flags |= DNS_VERIFY_MISSING;
 		else
 			debug("mismatching host key fingerprint found in DNS");
-	else
+	} else
 		debug("no host key fingerprint found in DNS");
 
+	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+	freerrset(fingerprints);
+
 	return 0;
 }
 
diff --git a/usr.bin/ssh/dns.h b/usr.bin/ssh/dns.h
index 30e2b19b3d9..6bb8c7933df 100644
--- a/usr.bin/ssh/dns.h
+++ b/usr.bin/ssh/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -49,6 +49,7 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND	0x00000001
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
+#define DNS_VERIFY_MISSING	0x00000008
 
 int	verify_host_key_dns(const char *, struct sockaddr *,
     struct sshkey *, int *);
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 51ab7c6e8de..7dad4f418de 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
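Review bot: The new `else if (counter == fingerprints->rri_nrdatas)` test cannot tell "no SSHFP record of this key's algorithm and digest type" apart from "a record of that type was present but its digest differed": presumably `counter` is the index of the loop that precedes this hunk, and once that loop runs to completion it equals `rri_nrdatas` in both cases, so unless the loop exits early on a match (its body is outside the hunk) DNS_VERIFY_MISSING is set for every found-but-not-matched lookup and the "mismatching host key fingerprint found in DNS" branch is unreachable. The distinction the commit wants needs its own state: set a local flag inside the loop at the point where the record's algorithm and digest type compare equal to the host key's, and test its absence here, e.g. `else if (!type_seen) *flags |= DNS_VERIFY_MISSING;`. A regression test with two SSHFP RRs of the key's type, neither matching, should still report a mismatch rather than a missing record. Moving `free(hostkey_digest)` and `freerrset(fingerprints)` below this block is required by the new read of `fingerprints->rri_nrdatas`, so keep that part.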
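Review bot: DNS_VERIFY_MISSING is added without a comment saying what it marks, and its name reads as "no record at all", which is the DNS_VERIFY_FOUND-unset case rather than the one this flag is set for in dns.c. Add a one-line comment on the new define, e.g. `/* SSHFP RRs exist, but none for this key's algorithm/digest type */`, and consider a matching line on the three existing flags so the set reads as the state it encodes (FOUND, then MATCH or MISSING; SECURE independent).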
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.283 2017/07/01 13:50:45 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -71,6 +71,7 @@ extern uid_t original_effective_uid;
 
 static int show_other_keys(struct hostkeys *, struct sshkey *);
 static void warn_changed_key(struct sshkey *);
+static void warn_missing_key(struct sshkey *);
 
 /* Expand a proxy command */
 static char *
@@ -836,6 +837,16 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 			free(ra);
 			free(fp);
 		}
+		if (options.verify_host_key_dns &&
+		    options.strict_host_key_checking &&
+		    !matching_host_key_dns) {
+			snprintf(msg, sizeof(msg),
+			    "Are you sure you want to continue connecting "
+			    "(yes/no)? ");
+			if (!confirm(msg))
+				goto fail;
+			msg[0] = '\0';
+		}
 		hostkey_trusted = 1;
 		break;
 	case HOST_NEW:
@@ -1231,10 +1242,17 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 			if (flags & DNS_VERIFY_MATCH) {
 				matching_host_key_dns = 1;
 			} else {
-				warn_changed_key(plain);
-				error("Update the SSHFP RR in DNS "
-				    "with the new host key to get rid "
-				    "of this message.");
+				if (flags & DNS_VERIFY_MISSING) {
+					warn_missing_key(plain);
+					error("Add this host key to "
+					    "the SSHFP RR in DNS to get rid "
+					    "of this message.");
+				} else {
+					warn_changed_key(plain);
+					error("Update the SSHFP RR in DNS "
+					    "with the new host key to get rid "
+					    "of this message.");
+				}
 			}
 		}
 	}
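Review bot: The new prompt in the HOST_OK case fires whenever `matching_host_key_dns` is unset, which also covers lookups that returned no SSHFP records at all or that failed (DNS_VERIFY_FOUND unset), not only the changed/missing cases the commit message describes; with VerifyHostKeyDNS and StrictHostKeyChecking both on, every known host without SSHFP records now gets a confirmation question, and if `confirm()` declines in batch mode (it is outside the hunk, so confirm this) that becomes a connection failure for previously working hosts. The question also gives no reason, and the DNS warning that explains it may already have scrolled off. Suggest keying the condition on an explicit "DNS disagreed" outcome recorded by verify_host_key() rather than on the absence of a match, and prefixing the prompt, e.g. `"Host key is in known_hosts but no matching SSHFP record was found in DNS. "`. check_host_key() begins and ends outside this hunk.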
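Review bot: In the verify_host_key() hunk the new `if (flags & DNS_VERIFY_MISSING)` is nested as a full if/else inside the existing `} else {` block, giving a third indentation level for what is a flat three-way decision; writing it as `} else if (flags & DNS_VERIFY_MISSING) {` followed by `} else {` keeps the chain at one level and matches how the DNS_VERIFY_MATCH test just above is written. Since the two error() messages differ only in wording, the flatter layout also makes that difference easier to compare. verify_host_key() begins and ends outside this hunk.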
@@ -1366,12 +1384,31 @@ warn_changed_key(struct sshkey *host_key)
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
 	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    key_type(host_key), fp);
+	    sshkey_type(host_key), fp);
 	error("Please contact your system administrator.");
 
 	free(fp);
 }
 
+static void
+warn_missing_key(struct sshkey *host_key)
+{
+	char *fp;
+
+	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
+	    SSH_FP_DEFAULT);
+	if (fp == NULL)
+		fatal("%s: sshkey_fingerprint fail", __func__);
+
+	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+	error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
+	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+	error("The fingerprint for the %s key sent by the remote host is\n%s.",
+	    sshkey_type(host_key), fp);
+	error("Please contact your system administrator.");
+
+	free(fp);
+}
 /*
  * Execute a local command
  */
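Review bot: warn_missing_key() repeats the fingerprint lookup, the fatal() path, the banner framing and the trailing fingerprint/contact lines of warn_changed_key() directly above it; only the headline and the middle advisory lines differ, so a shared static helper that takes the headline (and an optional list of extra lines) would halve the copy and keep future wording fixes in one place. The headline `REMOTE HOST IDENTIFICATION IS MISSING` reads as if the host itself is unknown, whereas the condition it reports (per the dns.c change in this commit) is that SSHFP records exist but none covers this key's type; a line after the fingerprint such as `error("No SSHFP record matching this key type was found in DNS.");` would tell the user what is actually missing. Also, the new function's closing brace is immediately followed by the `/*` of the next comment with no blank line, unlike the rest of the file.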