mirrors/openssh
0
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2024-11-23 18:23:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

upstream: don't UpdateHostkeys when the hostkey is verified by the

Browse Source 
GlobalKnownHostsFile file, support only UserKnownHostsFile matches

suggested by Mark D. Baushke; feedback and ok markus@

OpenBSD-Commit-ID: eabb771a6add676c398d38a143a1aff5f04abbb9
This commit is contained in:
djm@openbsd.org 2020-10-07 02:24:51 +00:00 committed by Damien Miller
parent aa623142e4
commit b70e337112
1 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
sshconnect.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.337 2020/10/07 02:22:23 djm Exp $ */
/* $OpenBSD: sshconnect.c,v 1.338 2020/10/07 02:24:51 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -691,6 +691,19 @@ get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
}
}
/* returns non-zero if path appears in hostfiles, or 0 if not. */
static int
path_in_hostfiles(const char *path, char **hostfiles, u_int num_hostfiles)
{
u_int i;
for (i = 0; i < num_hostfiles; i++) {
if (strcmp(path, hostfiles[i]) == 0)
return 1;
}
return 0;
}
/*
* check whether the supplied host key is valid, return -1 if the key
* is not valid. user_hostfile[0] will not be updated if 'readonly' is true.
@ -704,14 +717,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
char **user_hostfiles, u_int num_user_hostfiles,
char **system_hostfiles, u_int num_system_hostfiles)
{
HostStatus host_status;
HostStatus ip_status;
HostStatus host_status = -1, ip_status = -1;
struct sshkey *raw_key = NULL;
char *ip = NULL, *host = NULL;
char hostline[1000], *hostp, *fp, *ra;
char msg[1024];
const char *type;
const struct hostkey_entry *host_found, *ip_found;
const struct hostkey_entry *host_found = NULL, *ip_found = NULL;
int len, cancelled_forwarding = 0, confirmed;
int local = sockaddr_is_local(hostaddr);
int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0;
@ -731,6 +743,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
options.host_key_alias == NULL) {
debug("Forcing accepting of host key for "
"loopback/localhost.");
options.update_hostkeys = 0;
return 0;
}
@ -802,6 +815,17 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
!check_host_cert(options.host_key_alias == NULL ?
hostname : options.host_key_alias, host_key))
goto fail;
/* Turn off UpdateHostkeys if key was in system known_hosts */
if (options.update_hostkeys != 0 &&
(path_in_hostfiles(host_found->file,
system_hostfiles, num_system_hostfiles) ||
(ip_status == HOST_OK && ip_found != NULL &&
path_in_hostfiles(ip_found->file,
system_hostfiles, num_system_hostfiles)))) {
options.update_hostkeys = 0;
debug3("%s: host key found in GlobalKnownHostsFile; "
"disabling UpdateHostkeys", __func__);
}
if (options.check_host_ip && ip_status == HOST_NEW) {
if (readonly || want_cert)
logit("%s host key for IP address "