From f3cb3f7f84721dc12c6b73ccf62c867b82dac356 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Thu, 14 Sep 2017 04:32:22 +0000
Subject: Revert commitid: gJtIN6rRTS3CHy9b.
-------------
identify the case where SSHFP records are missing but other DNS RR types are present and display a more useful error message for this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@
-------------
This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results are missing but the user already has the key in known_hosts Spotted by dtucker@
---
 usr.bin/ssh/dns.c | 14 ++++++--------
 usr.bin/ssh/dns.h | 3 +--
 usr.bin/ssh/sshconnect.c | 49 ++++++------------------------------------
 3 files changed, 13 insertions(+), 53 deletions(-)
diff --git a/usr.bin/ssh/dns.c b/usr.bin/ssh/dns.c
index b54a52d4f93..33d93a237b5 100644
--- a/usr.bin/ssh/dns.c
+++ b/usr.bin/ssh/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.37 2017/09/14 04:32:21 djm Exp $ */
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -291,19 +291,17 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 free(dnskey_digest);
 }
- if (*flags & DNS_VERIFY_FOUND) {
+ free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+ freerrset(fingerprints);
+
+ if (*flags & DNS_VERIFY_FOUND)
 if (*flags & DNS_VERIFY_MATCH)
 debug("matching host key fingerprint found in DNS");
- else if (counter == fingerprints->rri_nrdatas)
- *flags |= DNS_VERIFY_MISSING;
 else
 debug("mismatching host key fingerprint found in DNS");
- } else
+ else
 debug("no host key fingerprint found in DNS");
- free(hostkey_digest); /* from sshkey_fingerprint_raw() */
- freerrset(fingerprints);
-
 return 0;
 }
diff --git a/usr.bin/ssh/dns.h b/usr.bin/ssh/dns.h
index 6bb8c7933df..68443f7cbbb 100644
--- a/usr.bin/ssh/dns.h
+++ b/usr.bin/ssh/dns.h
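Review bot: The restored tail of verify_host_key_dns drops the braces around the outer `if (*flags & DNS_VERIFY_FOUND)`, so the final `else` that logs "no host key fingerprint found in DNS" is attached only by dangling-else resolution; it parses correctly today because the inner if/else is complete, but any later edit to the inner branch silently re-binds it. Keeping `if (*flags & DNS_VERIFY_FOUND) {` … `} else` as the removed lines had it costs nothing and removes the hazard. Moving `free(hostkey_digest)` and `freerrset(fingerprints)` ahead of the diagnostics looks safe, since the remaining branches only read `*flags` and no longer touch `fingerprints`. The declaration of verify_host_key_dns and the fingerprint-matching loop are outside this hunk.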
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.16 2017/09/01 05:53:56 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.17 2017/09/14 04:32:21 djm Exp $ */
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -49,7 +49,6 @@ enum sshfp_hashes {
 #define DNS_VERIFY_FOUND 0x00000001
 #define DNS_VERIFY_MATCH 0x00000002
 #define DNS_VERIFY_SECURE 0x00000004
-#define DNS_VERIFY_MISSING 0x00000008
 int verify_host_key_dns(const char *, struct sockaddr *, struct sshkey *, int *);
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 3e726ad6d48..4d81e7ff273 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.286 2017/09/12 06:32:07 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.287 2017/09/14 04:32:21 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -71,7 +71,6 @@ extern uid_t original_effective_uid;
 static int show_other_keys(struct hostkeys *, struct sshkey *);
 static void warn_changed_key(struct sshkey *);
-static void warn_missing_key(struct sshkey *);
 /* Expand a proxy command */
 static char *
@@ -843,16 +842,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 free(ra);
 free(fp);
 }
- if (options.verify_host_key_dns &&
- options.strict_host_key_checking &&
- !matching_host_key_dns) {
- snprintf(msg, sizeof(msg),
- "Are you sure you want to continue connecting "
- "(yes/no)? ");
- if (!confirm(msg))
- goto fail;
- msg[0] = '\0';
- }
 hostkey_trusted = 1;
 break;
 case HOST_NEW:
@@ -1254,17 +1243,10 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
 if (flags & DNS_VERIFY_MATCH) {
 matching_host_key_dns = 1;
 } else {
- if (flags & DNS_VERIFY_MISSING) {
- warn_missing_key(plain);
- error("Add this host key to "
- "the SSHFP RR in DNS to get rid "
- "of this message.");
- } else {
- warn_changed_key(plain);
- error("Update the SSHFP RR in DNS "
- "with the new host key to get rid "
- "of this message.");
- }
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
 }
 }
 }
@@ -1396,31 +1378,12 @@ warn_changed_key(struct sshkey *host_key)
 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 error("It is also possible that a host key has just been changed.");
 error("The fingerprint for the %s key sent by the remote host is\n%s.",
- sshkey_type(host_key), fp);
+ key_type(host_key), fp);
 error("Please contact your system administrator.");
 free(fp);
 }
-static void
-warn_missing_key(struct sshkey *host_key)
-{
- char *fp;
-
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
- SSH_FP_DEFAULT);
- if (fp == NULL)
- fatal("%s: sshkey_fingerprint fail", __func__);
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: REMOTE HOST IDENTIFICATION IS MISSING @");
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- sshkey_type(host_key), fp);
- error("Please contact your system administrator.");
-
- free(fp);
-}
 /*
 * Execute a local command
 */
--
cgit v1.2.3
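Review bot: After the revert, the `else` branch in verify_host_key that calls `warn_changed_key(plain)` again covers every case in which SSHFP records were found but none matched the offered key, including a host that simply does not publish an SSHFP record for this key type — the situation bz#2501 was addressing — and such a host is shown the man-in-the-middle wording of warn_changed_key. That is a deliberate trade-off per the commit message, but it deserves a comment so the next reader does not treat it as a bug, e.g. `/* SSHFP RRs exist but none match: a changed key or an unpublished key type (bz#2501); warn, but do not decide trust here */`. The outer condition this branch sits under (presumably the DNS_VERIFY_FOUND/SECURE check) and the start of verify_host_key are outside the hunk, so whether known_hosts still makes the final decision cannot be confirmed from here.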
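Review bot: The one-line change in warn_changed_key swaps `sshkey_type(host_key)` for `key_type(host_key)`, which the commit message does not mention and which runs opposite to the `sshkey_*` API used elsewhere in this diff (the deleted warn_missing_key itself called `sshkey_type` and `sshkey_fingerprint`). If the pre-1.286 revision really used `key_type`, the revert is faithful to it, but keeping `sshkey_type(host_key), fp);` here would avoid reintroducing what appears to be the older key_* spelling that the reverted commit had already cleaned up. The removal of warn_missing_key is otherwise straightforward and its prototype goes in the @@ -71 hunk; the head of warn_changed_key, where `fp` is allocated, is outside this hunk.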