parent
7126dda63a
commit
dea4ec84f7
|
@ -0,0 +1,80 @@
|
||||||
|
diff --git a/ChangeLog b/ChangeLog
|
||||||
|
index 29d70ec..a0fb67e 100644
|
||||||
|
--- a/ChangeLog
|
||||||
|
+++ b/ChangeLog
|
||||||
|
@@ -1,3 +1,14 @@
|
||||||
|
+20140420
|
||||||
|
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
|
||||||
|
+ [sshconnect.c]
|
||||||
|
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
|
||||||
|
+ certificate keys to plain keys and attempt SSHFP resolution.
|
||||||
|
+
|
||||||
|
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||||
|
+ dialog by offering only certificate keys.
|
||||||
|
+
|
||||||
|
+ Reported by mcv21 AT cam.ac.uk
|
||||||
|
+
|
||||||
|
20131010
|
||||||
|
- dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||||
|
[dh.c dh.h]
|
||||||
|
diff --git a/sshconnect.c b/sshconnect.c
|
||||||
|
index f2ba1b2..f0fdc70 100644
|
||||||
|
--- a/sshconnect.c
|
||||||
|
+++ b/sshconnect.c
|
||||||
|
@@ -1137,30 +1137,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||||
|
{
|
||||||
|
int flags = 0;
|
||||||
|
char *fp;
|
||||||
|
+ Key *plain = NULL;
|
||||||
|
|
||||||
|
fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||||
|
debug("Server host key: %s %s%s", key_type(host_key),
|
||||||
|
key_fingerprint_prefix(), fp);
|
||||||
|
xfree(fp);
|
||||||
|
|
||||||
|
- /* XXX certs are not yet supported for DNS */
|
||||||
|
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
|
||||||
|
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
|
||||||
|
- if (flags & DNS_VERIFY_FOUND) {
|
||||||
|
-
|
||||||
|
- if (options.verify_host_key_dns == 1 &&
|
||||||
|
- flags & DNS_VERIFY_MATCH &&
|
||||||
|
- flags & DNS_VERIFY_SECURE)
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
- if (flags & DNS_VERIFY_MATCH) {
|
||||||
|
- matching_host_key_dns = 1;
|
||||||
|
- } else {
|
||||||
|
- warn_changed_key(host_key);
|
||||||
|
- error("Update the SSHFP RR in DNS with the new "
|
||||||
|
- "host key to get rid of this message.");
|
||||||
|
+ if (options.verify_host_key_dns) {
|
||||||
|
+ /*
|
||||||
|
+ * XXX certs are not yet supported for DNS, so downgrade
|
||||||
|
+ * them and try the plain key.
|
||||||
|
+ */
|
||||||
|
+ plain = key_from_private(host_key);
|
||||||
|
+ if (key_is_cert(plain))
|
||||||
|
+ key_drop_cert(plain);
|
||||||
|
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
|
||||||
|
+ if (flags & DNS_VERIFY_FOUND) {
|
||||||
|
+ if (options.verify_host_key_dns == 1 &&
|
||||||
|
+ flags & DNS_VERIFY_MATCH &&
|
||||||
|
+ flags & DNS_VERIFY_SECURE) {
|
||||||
|
+ key_free(plain);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ if (flags & DNS_VERIFY_MATCH) {
|
||||||
|
+ matching_host_key_dns = 1;
|
||||||
|
+ } else {
|
||||||
|
+ warn_changed_key(plain);
|
||||||
|
+ error("Update the SSHFP RR in DNS "
|
||||||
|
+ "with the new host key to get rid "
|
||||||
|
+ "of this message.");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ key_free(plain);
|
||||||
|
}
|
||||||
|
|
||||||
|
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
|
|
@ -193,6 +193,9 @@ Patch910: openssh-6.2p2-increase-size-of-DF-groups.patch
|
||||||
Patch911: openssh-6.2p2-legacy-ssh-copy-id.patch
|
Patch911: openssh-6.2p2-legacy-ssh-copy-id.patch
|
||||||
# Use tty allocation for a remote scp (#985650)
|
# Use tty allocation for a remote scp (#985650)
|
||||||
Patch912: openssh-6.2p2-fromto-remote.patch
|
Patch912: openssh-6.2p2-fromto-remote.patch
|
||||||
|
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||||
|
# dialog by offering only certificate keys. (#1081338)
|
||||||
|
Patch913: openssh-6.2p2-CVE-2014-2653.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
|
@ -418,6 +421,7 @@ popd
|
||||||
%patch910 -p1 -b .dh
|
%patch910 -p1 -b .dh
|
||||||
%patch911 -p1 -b .legacy-ssh-copy-id
|
%patch911 -p1 -b .legacy-ssh-copy-id
|
||||||
%patch912 -p1 -b .fromto-remote
|
%patch912 -p1 -b .fromto-remote
|
||||||
|
%patch913 -p1 -b .CVE-2014-2653
|
||||||
|
|
||||||
%if 0
|
%if 0
|
||||||
# Nothing here yet
|
# Nothing here yet
|
||||||
|
|
Loading…
Reference in New Issue