Possibility to validate legacy systems by more fingerprints (#1249626)
This commit is contained in:
parent
bc4ef0f373
commit
4df30a2a72
@ -350,7 +350,7 @@ diff -up openssh-7.0p1/readconf.c.fips openssh-7.0p1/readconf.c
|
|||||||
--- openssh-7.0p1/readconf.c.fips 2015-08-19 12:36:51.138412921 +0200
|
--- openssh-7.0p1/readconf.c.fips 2015-08-19 12:36:51.138412921 +0200
|
||||||
+++ openssh-7.0p1/readconf.c 2015-08-19 12:36:51.152412889 +0200
|
+++ openssh-7.0p1/readconf.c 2015-08-19 12:36:51.152412889 +0200
|
||||||
@@ -1915,9 +1915,12 @@ fill_default_options(Options * options)
|
@@ -1915,9 +1915,12 @@ fill_default_options(Options * options)
|
||||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
}
|
||||||
if (options->update_hostkeys == -1)
|
if (options->update_hostkeys == -1)
|
||||||
options->update_hostkeys = 0;
|
options->update_hostkeys = 0;
|
||||||
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||||
|
318
openssh-7.0p1-show-more-fingerprints.patch
Normal file
318
openssh-7.0p1-show-more-fingerprints.patch
Normal file
@ -0,0 +1,318 @@
|
|||||||
|
From e1d58c44bd911e5ee4dddb6205e16eb9a03cc736 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Fri, 7 Aug 2015 10:18:54 +0200
|
||||||
|
Subject: [PATCH] Possibility tu specify more fingerprint algorithms on client
|
||||||
|
side for smother transition
|
||||||
|
|
||||||
|
---
|
||||||
|
clientloop.c | 8 ++++----
|
||||||
|
readconf.c | 43 +++++++++++++++++++++++++++++--------------
|
||||||
|
readconf.h | 4 +++-
|
||||||
|
ssh_config.5 | 4 ++--
|
||||||
|
sshconnect.c | 48 +++++++++++++++++++++++++++---------------------
|
||||||
|
sshconnect2.c | 6 +++---
|
||||||
|
6 files changed, 68 insertions(+), 45 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/clientloop.c b/clientloop.c
|
||||||
|
index 87ceb3d..4553114 100644
|
||||||
|
--- a/clientloop.c
|
||||||
|
+++ b/clientloop.c
|
||||||
|
@@ -2194,7 +2194,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||||
|
if (ctx->keys_seen[i] != 2)
|
||||||
|
continue;
|
||||||
|
if ((fp = sshkey_fingerprint(ctx->keys[i],
|
||||||
|
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||||
|
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||||
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||||
|
do_log2(loglevel, "Learned new hostkey: %s %s",
|
||||||
|
sshkey_type(ctx->keys[i]), fp);
|
||||||
|
@@ -2202,7 +2202,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||||
|
}
|
||||||
|
for (i = 0; i < ctx->nold; i++) {
|
||||||
|
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
|
||||||
|
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||||
|
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||||
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||||
|
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
|
||||||
|
sshkey_type(ctx->old_keys[i]), fp);
|
||||||
|
@@ -2245,7 +2245,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||||
|
(r = hostfile_replace_entries(options.user_hostfiles[0],
|
||||||
|
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
|
||||||
|
options.hash_known_hosts, 0,
|
||||||
|
- options.fingerprint_hash)) != 0)
|
||||||
|
+ options.fingerprint_hash[0])) != 0)
|
||||||
|
error("%s: hostfile_replace_entries failed: %s",
|
||||||
|
__func__, ssh_err(r));
|
||||||
|
}
|
||||||
|
@@ -2358,7 +2358,7 @@ client_input_hostkeys(void)
|
||||||
|
error("%s: parse key: %s", __func__, ssh_err(r));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||||
|
+ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||||
|
SSH_FP_DEFAULT);
|
||||||
|
debug3("%s: received %s key %s", __func__,
|
||||||
|
sshkey_type(key), fp);
|
||||||
|
diff --git a/readconf.c b/readconf.c
|
||||||
|
index 1d03bdf..6af4c62 100644
|
||||||
|
--- a/readconf.c
|
||||||
|
+++ b/readconf.c
|
||||||
|
@@ -1471,16 +1471,18 @@ parse_keytypes:
|
||||||
|
goto parse_string;
|
||||||
|
|
||||||
|
case oFingerprintHash:
|
||||||
|
- intptr = &options->fingerprint_hash;
|
||||||
|
- arg = strdelim(&s);
|
||||||
|
- if (!arg || *arg == '\0')
|
||||||
|
- fatal("%.200s line %d: Missing argument.",
|
||||||
|
- filename, linenum);
|
||||||
|
- if ((value = ssh_digest_alg_by_name(arg)) == -1)
|
||||||
|
- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
|
||||||
|
- filename, linenum, arg);
|
||||||
|
- if (*activep && *intptr == -1)
|
||||||
|
- *intptr = value;
|
||||||
|
+ if (*activep && options->num_fingerprint_hash == 0)
|
||||||
|
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
|
||||||
|
+ value = ssh_digest_alg_by_name(arg);
|
||||||
|
+ if (value == -1)
|
||||||
|
+ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
|
||||||
|
+ filename, linenum, arg);
|
||||||
|
+ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
|
||||||
|
+ fatal("%s line %d: too many fingerprints algorithm specs.",
|
||||||
|
+ filename, linenum);
|
||||||
|
+ options->fingerprint_hash[
|
||||||
|
+ options->num_fingerprint_hash++] = value;
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
|
||||||
|
case oUpdateHostkeys:
|
||||||
|
@@ -1673,7 +1675,7 @@ initialize_options(Options * options)
|
||||||
|
options->canonicalize_fallback_local = -1;
|
||||||
|
options->canonicalize_hostname = -1;
|
||||||
|
options->revoked_host_keys = NULL;
|
||||||
|
- options->fingerprint_hash = -1;
|
||||||
|
+ options->num_fingerprint_hash = 0;
|
||||||
|
options->update_hostkeys = -1;
|
||||||
|
options->hostbased_key_types = NULL;
|
||||||
|
options->pubkey_key_types = NULL;
|
||||||
|
@@ -1851,8 +1853,10 @@ fill_default_options(Options * options)
|
||||||
|
options->canonicalize_fallback_local = 1;
|
||||||
|
if (options->canonicalize_hostname == -1)
|
||||||
|
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||||
|
- if (options->fingerprint_hash == -1)
|
||||||
|
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||||
|
+ if (options->num_fingerprint_hash == 0) {
|
||||||
|
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
|
||||||
|
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_MD5;
|
||||||
|
+ }
|
||||||
|
if (options->update_hostkeys == -1)
|
||||||
|
options->update_hostkeys = 0;
|
||||||
|
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||||
|
@@ -2189,6 +2193,17 @@ dump_cfg_strarray(OpCodes code, u_int count, char **vals)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
|
||||||
|
+{
|
||||||
|
+ u_int i;
|
||||||
|
+
|
||||||
|
+ printf("%s", lookup_opcode_name(code));
|
||||||
|
+ for (i = 0; i < count; i++)
|
||||||
|
+ printf(" %s", fmt_intarg(code, vals[i]));
|
||||||
|
+ printf("\n");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
|
||||||
|
{
|
||||||
|
u_int i;
|
||||||
|
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
|
||||||
|
dump_cfg_fmtint(oControlMaster, o->control_master);
|
||||||
|
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
|
||||||
|
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
|
||||||
|
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
|
||||||
|
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
|
||||||
|
dump_cfg_fmtint(oForwardX11, o->forward_x11);
|
||||||
|
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
|
||||||
|
@@ -2328,6 +2342,7 @@ dump_client_config(Options *o, const char *host)
|
||||||
|
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
|
||||||
|
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
|
||||||
|
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
|
||||||
|
+ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
|
||||||
|
|
||||||
|
/* Special cases */
|
||||||
|
|
||||||
|
diff --git a/readconf.h b/readconf.h
|
||||||
|
index bb2d552..d817f92 100644
|
||||||
|
--- a/readconf.h
|
||||||
|
+++ b/readconf.h
|
||||||
|
@@ -21,6 +21,7 @@
|
||||||
|
#define MAX_SEND_ENV 256
|
||||||
|
#define SSH_MAX_HOSTS_FILES 32
|
||||||
|
#define MAX_CANON_DOMAINS 32
|
||||||
|
+#define MAX_SSH_DIGESTS 32
|
||||||
|
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
|
||||||
|
|
||||||
|
struct allowed_cname {
|
||||||
|
@@ -146,7 +147,8 @@ typedef struct {
|
||||||
|
|
||||||
|
char *revoked_host_keys;
|
||||||
|
|
||||||
|
- int fingerprint_hash;
|
||||||
|
+ int num_fingerprint_hash;
|
||||||
|
+ int fingerprint_hash[MAX_SSH_DIGESTS];
|
||||||
|
|
||||||
|
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
||||||
|
|
||||||
|
diff --git a/ssh_config.5 b/ssh_config.5
|
||||||
|
index 5b0975f..e8e6458 100644
|
||||||
|
--- a/ssh_config.5
|
||||||
|
+++ b/ssh_config.5
|
||||||
|
@@ -647,13 +647,13 @@ or
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
.It Cm FingerprintHash
|
||||||
|
-Specifies the hash algorithm used when displaying key fingerprints.
|
||||||
|
+Specifies the hash algorithms used when displaying key fingerprints.
|
||||||
|
Valid options are:
|
||||||
|
.Dq md5
|
||||||
|
and
|
||||||
|
.Dq sha256 .
|
||||||
|
The default is
|
||||||
|
-.Dq sha256 .
|
||||||
|
+.Dq "sha256 md5".
|
||||||
|
.It Cm ForwardAgent
|
||||||
|
Specifies whether the connection to the authentication agent (if any)
|
||||||
|
will be forwarded to the remote machine.
|
||||||
|
diff --git a/sshconnect.c b/sshconnect.c
|
||||||
|
index f41960c..e12932f 100644
|
||||||
|
--- a/sshconnect.c
|
||||||
|
+++ b/sshconnect.c
|
||||||
|
@@ -920,9 +920,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||||
|
"of known hosts.", type, ip);
|
||||||
|
} else if (options.visual_host_key) {
|
||||||
|
fp = sshkey_fingerprint(host_key,
|
||||||
|
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||||
|
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||||
|
ra = sshkey_fingerprint(host_key,
|
||||||
|
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||||
|
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||||
|
if (fp == NULL || ra == NULL)
|
||||||
|
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||||
|
logit("Host key fingerprint is %s\n%s\n", fp, ra);
|
||||||
|
@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||||
|
else
|
||||||
|
snprintf(msg1, sizeof(msg1), ".");
|
||||||
|
/* The default */
|
||||||
|
- fp = sshkey_fingerprint(host_key,
|
||||||
|
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||||
|
- ra = sshkey_fingerprint(host_key,
|
||||||
|
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||||
|
- if (fp == NULL || ra == NULL)
|
||||||
|
- fatal("%s: sshkey_fingerprint fail", __func__);
|
||||||
|
msg2[0] = '\0';
|
||||||
|
if (options.verify_host_key_dns) {
|
||||||
|
if (matching_host_key_dns)
|
||||||
|
@@ -983,16 +977,28 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||||
|
}
|
||||||
|
snprintf(msg, sizeof(msg),
|
||||||
|
"The authenticity of host '%.200s (%s)' can't be "
|
||||||
|
- "established%s\n"
|
||||||
|
- "%s key fingerprint is %s.%s%s\n%s"
|
||||||
|
+ "established%s\n", host, ip, msg1);
|
||||||
|
+ for (i = 0; i < options.num_fingerprint_hash; i++) {
|
||||||
|
+ fp = sshkey_fingerprint(host_key,
|
||||||
|
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
|
||||||
|
+ ra = sshkey_fingerprint(host_key,
|
||||||
|
+ options.fingerprint_hash[i], SSH_FP_RANDOMART);
|
||||||
|
+ if (fp == NULL || ra == NULL)
|
||||||
|
+ fatal("%s: sshkey_fingerprint fail", __func__);
|
||||||
|
+ len = strlen(msg);
|
||||||
|
+ snprintf(msg+len, sizeof(msg)-len,
|
||||||
|
+ "%s key fingerprint is %s.%s%s\n%s",
|
||||||
|
+ type, fp,
|
||||||
|
+ options.visual_host_key ? "\n" : "",
|
||||||
|
+ options.visual_host_key ? ra : "",
|
||||||
|
+ msg2);
|
||||||
|
+ free(ra);
|
||||||
|
+ free(fp);
|
||||||
|
+ }
|
||||||
|
+ len = strlen(msg);
|
||||||
|
+ snprintf(msg+len, sizeof(msg)-len,
|
||||||
|
"Are you sure you want to continue connecting "
|
||||||
|
- "(yes/no)? ",
|
||||||
|
- host, ip, msg1, type, fp,
|
||||||
|
- options.visual_host_key ? "\n" : "",
|
||||||
|
- options.visual_host_key ? ra : "",
|
||||||
|
- msg2);
|
||||||
|
- free(ra);
|
||||||
|
- free(fp);
|
||||||
|
+ "(yes/no)? ");
|
||||||
|
if (!confirm(msg))
|
||||||
|
goto fail;
|
||||||
|
hostkey_trusted = 1; /* user explicitly confirmed */
|
||||||
|
@@ -1241,7 +1247,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||||
|
struct sshkey *plain = NULL;
|
||||||
|
|
||||||
|
if ((fp = sshkey_fingerprint(host_key,
|
||||||
|
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||||
|
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||||
|
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
|
||||||
|
r = -1;
|
||||||
|
goto out;
|
||||||
|
@@ -1405,9 +1411,9 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
|
||||||
|
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||||
|
continue;
|
||||||
|
fp = sshkey_fingerprint(found->key,
|
||||||
|
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||||
|
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||||
|
ra = sshkey_fingerprint(found->key,
|
||||||
|
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||||
|
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||||
|
if (fp == NULL || ra == NULL)
|
||||||
|
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||||
|
logit("WARNING: %s key found for host %s\n"
|
||||||
|
@@ -1430,7 +1436,7 @@ warn_changed_key(Key *host_key)
|
||||||
|
{
|
||||||
|
char *fp;
|
||||||
|
|
||||||
|
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
|
||||||
|
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
|
||||||
|
SSH_FP_DEFAULT);
|
||||||
|
if (fp == NULL)
|
||||||
|
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||||
|
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||||
|
index 7751031..82ed92e 100644
|
||||||
|
--- a/sshconnect2.c
|
||||||
|
+++ b/sshconnect2.c
|
||||||
|
@@ -589,7 +589,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
|
||||||
|
key->type, pktype);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||||
|
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||||
|
SSH_FP_DEFAULT)) == NULL)
|
||||||
|
goto done;
|
||||||
|
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||||
|
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
|
||||||
|
int have_sig = 1;
|
||||||
|
char *fp;
|
||||||
|
|
||||||
|
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||||
|
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
||||||
|
SSH_FP_DEFAULT)) == NULL)
|
||||||
|
return 0;
|
||||||
|
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
|
||||||
|
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
|
||||||
|
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
|
||||||
|
SSH_FP_DEFAULT)) == NULL) {
|
||||||
|
error("%s: sshkey_fingerprint failed", __func__);
|
||||||
|
goto out;
|
||||||
|
--
|
||||||
|
2.1.0
|
||||||
|
|
||||||
|
|
@ -227,7 +227,8 @@ Patch929: openssh-6.9p1-permit-root-login.patch
|
|||||||
Patch931: openssh-6.9p1-scp-progressmeter.patch
|
Patch931: openssh-6.9p1-scp-progressmeter.patch
|
||||||
# Add GSSAPIKexAlgorithms option for server and client application
|
# Add GSSAPIKexAlgorithms option for server and client application
|
||||||
Patch932: openssh-7.0p1-gssKexAlgorithms.patch
|
Patch932: openssh-7.0p1-gssKexAlgorithms.patch
|
||||||
|
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
|
||||||
|
Patch933: openssh-7.0p1-show-more-fingerprints.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -464,6 +465,7 @@ popd
|
|||||||
%patch929 -p1 -b .root-login
|
%patch929 -p1 -b .root-login
|
||||||
%patch931 -p1 -b .progressmeter
|
%patch931 -p1 -b .progressmeter
|
||||||
%patch932 -p1 -b .gsskexalg
|
%patch932 -p1 -b .gsskexalg
|
||||||
|
%patch933 -p1 -b .fingerprint
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch700 -p1 -b .fips
|
%patch700 -p1 -b .fips
|
||||||
|
Loading…
Reference in New Issue
Block a user