mirror of
https://abf.rosa.ru/djam/openssh.git
synced 2025-02-25 18:53:02 +00:00
114 lines
3.1 KiB
Diff
114 lines
3.1 KiB
Diff
Upstream-Status: Backport
|
|
|
|
This CVE could be removed if openssh is upgrade to 6.6 or higher.
|
|
Below are some details.
|
|
|
|
Attempt SSHFP lookup even if server presents a certificate
|
|
|
|
Reference:
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
|
|
|
|
If an ssh server presents a certificate to the client, then the client
|
|
does not check the DNS for SSHFP records. This means that a malicious
|
|
server can essentially disable DNS-host-key-checking, which means the
|
|
client will fall back to asking the user (who will just say "yes" to
|
|
the fingerprint, sadly).
|
|
|
|
This patch means that the ssh client will, if necessary, extract the
|
|
server key from the proffered certificate, and attempt to verify it
|
|
against the DNS. The patch was written by Mark Wooding
|
|
<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
|
|
it, and tested it.
|
|
|
|
Signed-off-by: Matthew Vernon <matthew@debian.org>
|
|
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
|
---
|
|
--- a/sshconnect.c
|
|
+++ b/sshconnect.c
|
|
@@ -1210,36 +1210,63 @@ fail:
|
|
return -1;
|
|
}
|
|
|
|
+static int
|
|
+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
|
|
+{
|
|
+ int rc = -1;
|
|
+ int flags = 0;
|
|
+ Key *raw_key = NULL;
|
|
+
|
|
+ if (!options.verify_host_key_dns)
|
|
+ goto done;
|
|
+
|
|
+ /* XXX certs are not yet supported for DNS; try looking the raw key
|
|
+ * up in the DNS anyway.
|
|
+ */
|
|
+ if (key_is_cert(host_key)) {
|
|
+ debug2("Extracting key from cert for SSHFP lookup");
|
|
+ raw_key = key_from_private(host_key);
|
|
+ if (key_drop_cert(raw_key))
|
|
+ fatal("Couldn't drop certificate");
|
|
+ host_key = raw_key;
|
|
+ }
|
|
+
|
|
+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
|
|
+ goto done;
|
|
+
|
|
+ if (flags & DNS_VERIFY_FOUND) {
|
|
+
|
|
+ if (options.verify_host_key_dns == 1 &&
|
|
+ flags & DNS_VERIFY_MATCH &&
|
|
+ flags & DNS_VERIFY_SECURE) {
|
|
+ rc = 0;
|
|
+ } else if (flags & DNS_VERIFY_MATCH) {
|
|
+ matching_host_key_dns = 1;
|
|
+ } else {
|
|
+ warn_changed_key(host_key);
|
|
+ error("Update the SSHFP RR in DNS with the new "
|
|
+ "host key to get rid of this message.");
|
|
+ }
|
|
+ }
|
|
+
|
|
+done:
|
|
+ if (raw_key)
|
|
+ key_free(raw_key);
|
|
+ return rc;
|
|
+}
|
|
+
|
|
/* returns 0 if key verifies or -1 if key does NOT verify */
|
|
int
|
|
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
|
{
|
|
- int flags = 0;
|
|
char *fp;
|
|
|
|
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
|
debug("Server host key: %s %s", key_type(host_key), fp);
|
|
free(fp);
|
|
|
|
- /* XXX certs are not yet supported for DNS */
|
|
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
|
|
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
|
|
- if (flags & DNS_VERIFY_FOUND) {
|
|
-
|
|
- if (options.verify_host_key_dns == 1 &&
|
|
- flags & DNS_VERIFY_MATCH &&
|
|
- flags & DNS_VERIFY_SECURE)
|
|
- return 0;
|
|
-
|
|
- if (flags & DNS_VERIFY_MATCH) {
|
|
- matching_host_key_dns = 1;
|
|
- } else {
|
|
- warn_changed_key(host_key);
|
|
- error("Update the SSHFP RR in DNS with the new "
|
|
- "host key to get rid of this message.");
|
|
- }
|
|
- }
|
|
- }
|
|
+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
|
|
+ return 0;
|
|
|
|
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
|
|
options.user_hostfiles, options.num_user_hostfiles,
|
|
--
|
|
1.7.9.5
|
|
|