From b802dbff9f0da8b5cd6eebf28dd3e7fd207cc45c Mon Sep 17 00:00:00 2001 From: Philipp Rudo Date: Fri, 25 Mar 2022 15:47:03 +0100 Subject: [PATCH] kdumpctl: forbid aliases from ssh config For ssh targets kdumpctl only verifies that the config value has the correct @ format itself. For all other tests, e.g. if the destination can be reached, it relies on ssh. This allows users to provide a that isn't the proper hostname but an alias defined in the ssh_config without failing the tests. If this is done dracut-module-setup.sh:kdump_get_remote_ip will fail to obtain the targets ip address. This failure is not detected and thus will not fail the initramfs creation. The resulting initramfs however doesn't have the necessary information for setting up the network and thus will fail to boot. Prevent the use of alias hostnames by verifying that the given hostname is the same one ssh would use after parsing the ssh_config. Note: Don't use getent ahosts to verify that the given host can be resolved as this requires the network to be up which cannot be guaranteed when the kdump.conf is parsed. Signed-off-by: Philipp Rudo Reviewed-by: Tao Liu Reviewed-by: Coiby Xu --- kdumpctl | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kdumpctl b/kdumpctl index 7d40f76..8ad6e4c 100755 --- a/kdumpctl +++ b/kdumpctl @@ -663,7 +663,7 @@ load_kdump() check_ssh_config() { - local SSH_TARGET + local target while read -r config_opt config_val; do case "$config_opt" in 
@@ -687,11 +687,14 @@ check_ssh_config() esac done <<< "$(kdump_read_conf)" - #make sure they've configured kdump.conf for ssh dumps - SSH_TARGET=$(echo -n "$DUMP_TARGET" | sed -n '/.*@/p') - if [[ -z $SSH_TARGET ]]; then + [[ -n $DUMP_TARGET ]] || return 1 + [[ $DUMP_TARGET =~ .*@.* ]] || return 1 + target=$(ssh -G "$DUMP_TARGET" | sed -n -e "s/^hostname[[:space:]]\+\([^[:space:]]*\).*$/\1/p") + if [[ ${DUMP_TARGET#*@} != "$target" ]]; then + derror "Invalid ssh destination $DUMP_TARGET provided." return 1 fi + return 0 }
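Review bot: `$DUMP_TARGET` reaches `ssh -G` after only a "contains @" test, so a configured value that begins with `-` would be parsed by ssh as an option instead of a destination; `ssh -G -- "$DUMP_TARGET"` keeps it a positional argument. The comparison also succeeds when both sides are empty: for a value such as `user@` the stripped host part is empty, and if ssh prints no `hostname` line then `$target` is empty too, so the function falls through to `return 0`. Adding `[[ -n $target ]] || return 1` before the `if`, or requiring a non-empty host in the regex, closes that case. The loop that assigns `DUMP_TARGET` sits between the two hunks and is not shown, so its origin in kdump.conf is taken from the commit message.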