authorDamien Miller <djm@cvs.openbsd.org>2020-10-07 02:24:52 +0000
committerDamien Miller <djm@cvs.openbsd.org>2020-10-07 02:24:52 +0000
commitb7ba77f1455ec9dac156e72bcea75bb483973862 (patch)
treeadab4a484533ef9ce0360c07e5de5fa23e1469a7 /usr.bin/ssh
parent1e887f08631c37a76f67e262885daa0355b86e6c (diff)
don't UpdateHostkeys when the hostkey is verified by the
GlobalKnownHostsFile file, support only UserKnownHostsFile matches suggested by Mark D. Baushke; feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/sshconnect.c32
1 files changed, 28 insertions, 4 deletions
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 18e26a3a0c3..36f0f433332 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.337 2020/10/07 02:22:23 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.338 2020/10/07 02:24:51 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -653,6 +653,19 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
}
}
+/* returns non-zero if path appears in hostfiles, or 0 if not. */
+static int
+path_in_hostfiles(const char *path, char **hostfiles, u_int num_hostfiles)
+{
+ u_int i;
+
+ for (i = 0; i < num_hostfiles; i++) {
+ if (strcmp(path, hostfiles[i]) == 0)
+ return 1;
+ }
+ return 0;
+}
+
/*
* check whether the supplied host key is valid, return -1 if the key
* is not valid. user_hostfile[0] will not be updated if 'readonly' is true.
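Review bot: path_in_hostfiles, added at the top of this hunk, matches by exact strcmp, so it only finds a file whose spelling is identical to the string stored in hostfiles[]; that is fine as long as host_found->file is always one of the very strings later passed as system_hostfiles, which this hunk cannot show. The comment would be more useful if it said so: `/* returns non-zero if path is byte-identical to an entry of hostfiles (no path normalisation), or 0 if not. */`. strcmp also dereferences every entry, so if a NULL slot can ever appear in hostfiles (not visible here) the loop would need a guard such as `hostfiles[i] != NULL &&` before the comparison.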
@@ -666,14 +679,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
char **user_hostfiles, u_int num_user_hostfiles,
char **system_hostfiles, u_int num_system_hostfiles)
{
- HostStatus host_status;
- HostStatus ip_status;
+ HostStatus host_status = -1, ip_status = -1;
struct sshkey *raw_key = NULL;
char *ip = NULL, *host = NULL;
char hostline[1000], *hostp, *fp, *ra;
char msg[1024];
const char *type;
- const struct hostkey_entry *host_found, *ip_found;
+ const struct hostkey_entry *host_found = NULL, *ip_found = NULL;
int len, cancelled_forwarding = 0, confirmed;
int local = sockaddr_is_local(hostaddr);
int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0;
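Review bot: The new line `HostStatus host_status = -1, ip_status = -1;` uses an out-of-range value as an "unset" marker for an enum type; since the underlying type of a C enum is implementation-defined, the sentinel is only safe because these variables appear to be compared solely for equality against HOST_* enumerators rather than ordered. A named enumerator for the unset state, if HostStatus has one or can get one, would make the intent explicit and keep the variables in range. check_host_key starts before this hunk and its body continues well past it.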
@@ -693,6 +705,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
options.host_key_alias == NULL) {
debug("Forcing accepting of host key for "
"loopback/localhost.");
+ options.update_hostkeys = 0;
return 0;
}
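Review bot: The added `options.update_hostkeys = 0;` in the loopback branch makes check_host_key clear a global option as a side effect of a verification check, and the function's header comment (which states only that user_hostfile[0] is not updated when readonly) does not mention it; the same applies to the assignment in the later hunk inside the HOST_OK handling. A sentence in the header comment would help callers that read options.update_hostkeys afterwards, e.g. `* As a side effect, options.update_hostkeys is cleared when the key is accepted for loopback/localhost or was matched against a GlobalKnownHostsFile entry, so UpdateHostkeys applies only to UserKnownHostsFile matches.` check_host_key starts and ends outside this hunk.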
@@ -764,6 +777,17 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
!check_host_cert(options.host_key_alias == NULL ?
hostname : options.host_key_alias, host_key))
goto fail;
+ /* Turn off UpdateHostkeys if key was in system known_hosts */
+ if (options.update_hostkeys != 0 &&
+ (path_in_hostfiles(host_found->file,
+ system_hostfiles, num_system_hostfiles) ||
+ (ip_status == HOST_OK && ip_found != NULL &&
+ path_in_hostfiles(ip_found->file,
+ system_hostfiles, num_system_hostfiles)))) {
+ options.update_hostkeys = 0;
+ debug3("%s: host key found in GlobalKnownHostsFile; "
+ "disabling UpdateHostkeys", __func__);
+ }
if (options.check_host_ip && ip_status == HOST_NEW) {
if (readonly || want_cert)
logit("%s host key for IP address "
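Review bot: The new comment `/* Turn off UpdateHostkeys if key was in system known_hosts */` says what is done but not why, and the why is the security-relevant part: per the commit message UpdateHostkeys is meant to act only on UserKnownHostsFile matches, so a key trusted through GlobalKnownHostsFile must not seed key updates into the user file. Suggest `/* Turn off UpdateHostkeys if the host (or IP) entry was matched in a system known_hosts file: UpdateHostkeys only manages UserKnownHostsFile entries, so trust that comes from GlobalKnownHostsFile must not drive updates there. */`. The IP side is guarded with `ip_found != NULL` while `host_found->file` is dereferenced unguarded; that is presumably safe because this is the HOST_OK branch where host_found was set, but the enclosing switch is outside the hunk, so adding `host_found != NULL &&` would make the two sides symmetric at no cost. check_host_key continues past this hunk.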