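diff --git a/ChangeLog b/ChangeLog
index 38de846..1603a07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+20140420
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
+ [sshconnect.c]
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+ certificate keys to plain keys and attempt SSHFP resolution.
+
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+ dialog by offering only certificate keys.
+
+ Reported by mcv21 AT cam.ac.uk
+
 20140313
 - (djm) Release OpenSSH 6.6
 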
|
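diff --git a/sshconnect.c b/sshconnect.c
index 394cca8..e636f33 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 int flags = 0;
 char *fp;
+ Key *plain = NULL;
 
 fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 debug("Server host key: %s %s%s", key_type(host_key),
 key_fingerprint_prefix(), fp);
 free(fp);
 
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
 }
 }
+ key_free(plain);
 }
 
 return check_host_key(host, hostaddr, options.port, host_key, RDRW,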
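Review bot: The new block comment at the top of the `if (options.verify_host_key_dns)` branch says only that certs are "not yet supported for DNS", not why the down-conversion replaced the old `!key_is_cert(host_key)` short-circuit; the ChangeLog entry gives the reason (a server offering only a certificate key could otherwise skip the SSHFP lookup and force a new-hostkey prompt), and that belongs next to the code so the guard is not reinstated later. I would extend the comment with `Always run the SSHFP lookup on the plain key: skipping it for certificate host keys would let a server sidestep DNS verification by offering only a certificate.` Note also that `warn_changed_key(plain)` now reports the stripped key's type and fingerprint rather than the offered certificate's, which is the key the SSHFP record actually describes and is worth a word in the same comment. The result of `key_from_private()` is used without a NULL check; if, as I recall for this tree, it only fatal()s on an unknown key type rather than returning NULL, that is fine, but worth confirming. The body of verify_host_key continues past the end of the hunk.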
|
|
|