Description: Attempt SSHFP lookup even if server presents a certificate |
If an ssh server presents a certificate to the client, then the client does |
not check the DNS for SSHFP records. This means that a malicious server can |
essentially disable DNS-host-key-checking, which means the client will fall |
back to asking the user (who will just say "yes" to the fingerprint, |
sadly). |
. |
This is CVE-2014-2653. |
Author: Damien Miller <djm@mindrot.org> |
Reviewed-by: Matthew Vernon <matthew@debian.org> |
Bug-Debian: http://bugs.debian.org/742513 |
Forwarded: not-needed |
Last-Update: 2014-04-03 |
|
Index: b/sshconnect.c |
16 |
=================================================================== |
17 |
--- a/sshconnect.c |
18 |
+++ b/sshconnect.c |
19 |
@@ -1110,29 +1110,39 @@ |
20 |
{ |
21 |
int flags = 0; |
22 |
char *fp; |
23 |
+ Key *plain = NULL; |
24 |
|
25 |
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); |
26 |
debug("Server host key: %s %s", key_type(host_key), fp); |
27 |
xfree(fp); |
28 |
|
29 |
- /* XXX certs are not yet supported for DNS */ |
30 |
- if (!key_is_cert(host_key) && options.verify_host_key_dns && |
31 |
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { |
32 |
- if (flags & DNS_VERIFY_FOUND) { |
33 |
- |
34 |
- if (options.verify_host_key_dns == 1 && |
35 |
- flags & DNS_VERIFY_MATCH && |
36 |
- flags & DNS_VERIFY_SECURE) |
37 |
- return 0; |
38 |
- |
39 |
- if (flags & DNS_VERIFY_MATCH) { |
40 |
- matching_host_key_dns = 1; |
41 |
- } else { |
42 |
- warn_changed_key(host_key); |
43 |
- error("Update the SSHFP RR in DNS with the new " |
44 |
- "host key to get rid of this message."); |
45 |
+ if (options.verify_host_key_dns) { |
46 |
+ /* |
47 |
+ * XXX certs are not yet supported for DNS, so downgrade |
48 |
+ * them and try the plain key. |
49 |
+ */ |
50 |
+ plain = key_from_private(host_key); |
51 |
+ if (key_is_cert(plain)) |
52 |
+ key_drop_cert(plain); |
53 |
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) { |
54 |
+ if (flags & DNS_VERIFY_FOUND) { |
55 |
+ if (options.verify_host_key_dns == 1 && |
56 |
+ flags & DNS_VERIFY_MATCH && |
57 |
+ flags & DNS_VERIFY_SECURE) { |
58 |
+ key_free(plain); |
59 |
+ return 0; |
60 |
+ } |
61 |
+ if (flags & DNS_VERIFY_MATCH) { |
62 |
+ matching_host_key_dns = 1; |
63 |
+ } else { |
64 |
+ warn_changed_key(plain); |
65 |
+ error("Update the SSHFP RR in DNS " |
66 |
+ "with the new host key to get rid " |
67 |
+ "of this message."); |
68 |
+ } |
69 |
} |
70 |
} |
71 |
+ key_free(plain); |
72 |
} |
73 |
|
74 |
return check_host_key(host, hostaddr, options.port, host_key, RDRW, |
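Review bot: The early `key_free(plain); return 0;` branch taken on a DNSSEC-secured SSHFP match accepts the server on the strength of the cert-stripped public key alone and skips the `check_host_key()` call at the end of the hunk, so when the server presented a certificate nothing on this path examines the certificate's CA signature, principals or validity period — presumably that is what `check_host_key()` would have done with the cert, though that function is outside this hunk. This matches how a bare host key is treated (the DNSSEC-validated fingerprint is the trust anchor), but it is a non-obvious consequence of the downgrade and deserves a comment above the `return 0`, e.g. `/* Secure SSHFP match on the (cert-stripped) host key is sufficient; the certificate itself is not validated on this path. */`. The `key_free(plain)` is also duplicated on the early-return and fall-through paths; a single cleanup label would keep the two in step if further exits are added. The enclosing function's signature precedes the hunk and its final `return check_host_key(...)` continues past it.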