author | djm@openbsd.org <djm@openbsd.org> | 2020-10-03 10:12:59 +0200 |
committer | Damien Miller <djm@mindrot.org> | 2020-10-03 10:31:49 +0200 |
commit | 332f21537293d66508f7342dc643bc7fe45f0f69 (patch) | |
tree | a75b212b5f578117b158177a8ab0f89b774c8cc9 /clientloop.c | |
parent | upstream: record when the host key checking code downgrades a (diff) | |
upstream: disable UpdateHostkeys when a wildcard hostname pattern
is encountered or when a certificate host key is in use. feedback/ok markus@
OpenBSD-Commit-ID: b6e5575af7e6732322be82ec299e09051a5413bd
Diffstat (limited to '')
-rw-r--r-- | clientloop.c | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/clientloop.c b/clientloop.c
index 60b46d161..de13adab9 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.346 2020/09/16 03:07:31 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.347 2020/10/03 08:12:59 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1828,6 +1828,10 @@ struct hostkeys_update_ctx {
 */
 struct sshkey **old_keys;
 size_t nold;
+
+ /* Various special cases. */
+ int wildcard_hostspec; /* saw wildcard or pattern-list host name */
+ int ca_available; /* saw CA key for this host */
 };
 
 static void
@@ -1859,6 +1863,21 @@ hostkeys_find(struct hostkey_foreach_line *l, void *_ctx)
 if (l->status != HKF_STATUS_MATCHED || l->key == NULL)
 return 0;
 
+ if (l->marker == MRK_REVOKE)
+ return 0;
+ if (l->marker == MRK_CA) {
+ ctx->ca_available = 1;
+ return 0;
+ }
+
+ /* UpdateHostkeys is skipped for wildcard host names */
+ if (strchr(l->hosts, '*') != NULL ||
+ strchr(l->hosts, ',') != NULL) {
+ debug3("%s: hostkeys file %s:%ld contains wildcard or pattern",
+ __func__, l->path, l->linenum);
+ ctx->wildcard_hostspec = 1;
+ }
+
 /* Mark off keys we've already seen for this host */
 for (i = 0; i < ctx->nkeys; i++) {
 if (sshkey_equal(l->key, ctx->keys[i])) {
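Review bot: The wildcard test added to hostkeys_find only looks for `*` and `,` in `l->hosts`, but known_hosts host patterns also accept `?` as a single-character wildcard, so a matched entry such as `host?.example.com` is not flagged and the UpdateHostkeys path still proceeds against it. Extending the condition to `if (strchr(l->hosts, '*') != NULL || strchr(l->hosts, '?') != NULL || strchr(l->hosts, ',') != NULL) {` would close that gap; as far as I can tell `!` negation only matters inside a pattern list, which the `,` check already catches. The existing debug3 text ("contains wildcard or pattern") already covers that case, so only the condition needs to change. hostkeys_find continues past the end of the hunk.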
@@ -2204,7 +2223,17 @@ client_input_hostkeys(struct ssh *ssh)
 debug3("%s: %zu keys from server: %zu new, %zu retained. %zu to remove", __func__, ctx->nkeys, ctx->nnew, ctx->nkeys - ctx->nnew, ctx->nold);
- if (ctx->nnew == 0 && ctx->nold != 0) {
+ if (ctx->wildcard_hostspec && (ctx->nnew != 0 || ctx->nold != 0)) {
+ debug("%s: wildcard known hosts name found, "
+ "skipping UserKnownHostsFile update", __func__);
+ goto out;
+ } else if (sshkey_type_is_cert(ssh->kex->hostkey_type) &&
+ ctx->ca_available &&
+ (ssh->kex->flags & KEX_HOSTCERT_CONVERT) == 0) {
+ debug("%s: server offered certificate host key, "
+ "skipping UserKnownHostsFile update", __func__);
+ goto out;
+ } else if (ctx->nnew == 0 && ctx->nold != 0) {
 /* We have some keys to remove. Just do it. */
 update_known_hosts(ctx);
 } else if (ctx->nnew != 0) {
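Review bot: The two new branches read ctx->wildcard_hostspec and ctx->ca_available, but nothing in this hunk initializes them and hostkeys_find only ever sets them to 1; if the ctx allocation earlier in client_input_hostkeys (outside the hunk) does not zero the struct, an indeterminate non-zero value would silently skip the known_hosts update. Worth confirming that allocation is a calloc-style one, or adding `ctx->wildcard_hostspec = ctx->ca_available = 0;` next to it. The certificate branch would also benefit from a one-line comment saying why a CA-backed host is excluded unless `KEX_HOSTCERT_CONVERT` is set, since the flag's meaning is not visible here. client_input_hostkeys starts and ends outside the hunk.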