- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
diff --git a/sshconnect.c b/sshconnect.c
index 63c4650..35c2f49 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.218 2010/01/13 00:19:04 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.219 2010/02/26 20:29:54 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -58,6 +58,7 @@
#include "misc.h"
#include "dns.h"
#include "roaming.h"
+#include "ssh2.h"
#include "version.h"
char *client_version_string = NULL;
@@ -576,6 +577,23 @@
}
}
+static int
+check_host_cert(const char *host, const Key *host_key)
+{
+ const char *reason;
+
+ if (key_cert_check_authority(host_key, 1, 0, host, &reason) != 0) {
+ error("%s", reason);
+ return 0;
+ }
+ if (buffer_len(&host_key->cert->constraints) != 0) {
+ error("Certificate for %s contains unsupported constraint(s)",
+ host);
+ return 0;
+ }
+ return 1;
+}
+
/*
* check whether the supplied host key is valid, return -1 if the key
* is not valid. the user_hostfile will not be updated if 'readonly' is true.
@@ -588,13 +606,13 @@
Key *host_key, int readonly, const char *user_hostfile,
const char *system_hostfile)
{
- Key *file_key;
- const char *type = key_type(host_key);
+ Key *file_key, *raw_key = NULL;
+ const char *type;
char *ip = NULL, *host = NULL;
char hostline[1000], *hostp, *fp, *ra;
HostStatus host_status;
HostStatus ip_status;
- int r, local = 0, host_ip_differ = 0;
+ int r, want_cert, local = 0, host_ip_differ = 0;
int salen;
char ntop[NI_MAXHOST];
char msg[1024];
@@ -667,11 +685,15 @@
host = put_host_port(hostname, port);
}
+ retry:
+ want_cert = key_is_cert(host_key);
+ type = key_type(host_key);
+
/*
* Store the host key from the known host file in here so that we can
* compare it with the key for the IP address.
*/
- file_key = key_new(host_key->type);
+ file_key = key_new(key_is_cert(host_key) ? KEY_UNSPEC : host_key->type);
/*
* Check if the host key is present in the user's list of known
@@ -687,9 +709,10 @@
}
/*
* Also perform check for the ip address, skip the check if we are
- * localhost or the hostname was an ip address to begin with
+ * localhost, looking for a certificate, or the hostname was an ip
+ * address to begin with.
*/
- if (options.check_host_ip) {
+ if (!want_cert && options.check_host_ip) {
Key *ip_key = key_new(host_key->type);
ip_file = user_hostfile;
@@ -713,11 +736,14 @@
switch (host_status) {
case HOST_OK:
/* The host is known and the key matches. */
- debug("Host '%.200s' is known and matches the %s host key.",
- host, type);
- debug("Found key in %s:%d", host_file, host_line);
+ debug("Host '%.200s' is known and matches the %s host %s.",
+ host, type, want_cert ? "certificate" : "key");
+ debug("Found %s in %s:%d",
+ want_cert ? "certificate" : "key", host_file, host_line);
+ if (want_cert && !check_host_cert(hostname, host_key))
+ goto fail;
if (options.check_host_ip && ip_status == HOST_NEW) {
- if (readonly)
+ if (readonly || want_cert)
logit("%s host key for IP address "
"'%.128s' not in list of known hosts.",
type, ip);
@@ -749,7 +775,7 @@
break;
}
}
- if (readonly)
+ if (readonly || want_cert)
goto fail;
/* The host is new. */
if (options.strict_host_key_checking == 1) {
@@ -834,6 +860,17 @@
"list of known hosts.", hostp, type);
break;
case HOST_CHANGED:
+ if (want_cert) {
+ /*
+ * This is only a debug() since it is valid to have
+ * CAs with wildcard DNS matches that don't match
+ * all hosts that one might visit.
+ */
+ debug("Host certificate authority does not "
+ "match %s in %s:%d", CA_MARKER,
+ host_file, host_line);
+ goto fail;
+ }
if (readonly == ROQUIET)
goto fail;
if (options.check_host_ip && host_ip_differ) {
@@ -970,6 +1007,20 @@
return 0;
fail:
+ if (want_cert) {
+ /*
+ * No matching certificate. Downgrade cert to raw key and
+ * search normally.
+ */
+ debug("No matching CA found. Retry with plain key");
+ raw_key = key_from_private(host_key);
+ if (key_drop_cert(raw_key) != 0)
+ fatal("Couldn't drop certificate");
+ host_key = raw_key;
+ goto retry;
+ }
+ if (raw_key != NULL)
+ key_free(raw_key);
xfree(ip);
xfree(host);
return -1;
@@ -982,7 +1033,8 @@
struct stat st;
int flags = 0;
- if (options.verify_host_key_dns &&
+ /* XXX certs are not yet supported for DNS */
+ if (!key_is_cert(host_key) && options.verify_host_key_dns &&
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
if (flags & DNS_VERIFY_FOUND) {