- djm@cvs.openbsd.org 2010/03/04 10:36:03
     [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition to doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to be revoked and banned for user or host
     authentication.

     feedback and ok markus@
diff --git a/sshconnect.c b/sshconnect.c
index 35c2f49..9de5222 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.219 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.220 2010/03/04 10:36:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -859,6 +859,25 @@
 			logit("Warning: Permanently added '%.200s' (%s) to the "
 			    "list of known hosts.", hostp, type);
 		break;
+	case HOST_REVOKED:
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("@       WARNING: REVOKED HOST KEY DETECTED!               @");
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("The %s host key for %s is marked as revoked.", type, host);
+		error("This could mean that a stolen key is being used to");
+		error("impersonate this host.");
+
+		/*
+		 * If strict host key checking is in use, the user will have
+		 * to edit the key manually and we can only abort.
+		 */
+		if (options.strict_host_key_checking) {
+			error("%s host key for %.200s was revoked and you have "
+			    "requested strict checking.", type, host);
+			goto fail;
+		}
+		goto continue_unsafe;
+
 	case HOST_CHANGED:
 		if (want_cert) {
 			/*
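Review bot: The comment ahead of the strict-checking test describes only the abort case, while the `goto continue_unsafe` that follows routes a key that is explicitly marked revoked down the same restricted-authentication path as a changed key whenever strict checking is off; that decision should be stated where it is made, since a revoked key is a known-bad key rather than merely an unexpected one. I would extend the comment with `* Otherwise fall through to the HOST_CHANGED handling below, which allows the connection but disables the authentication methods a man-in-the-middle could abuse.` The test `if (options.strict_host_key_checking)` presumably treats every non-zero setting, including any "ask" mode, as strict; that is the safe direction, but worth confirming against how the HOST_CHANGED branch evaluates the same option, which is outside this hunk. The enclosing function starts and ends outside the hunk.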
@@ -908,6 +927,7 @@
 			goto fail;
 		}
 
+ continue_unsafe:
 		/*
 		 * If strict host key checking has not been requested, allow
 		 * the connection but without MITM-able authentication or
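Review bot: The new label is written as ` continue_unsafe:` with a leading space, whereas the function's other label, `fail:`, sits at column 0 (visible in the last hunk of this file); one convention per function reads better, so either `continue_unsafe:` at column 0 or a note explaining the offset. The label also lands in the middle of a case body, which is legal but unusual; a one-line comment such as `/* Entered from HOST_REVOKED when strict checking is off. */` would tell the next reader why control can arrive here from another case. The enclosing switch and function lie outside the hunk.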
@@ -1007,7 +1027,7 @@
 	return 0;
 
 fail:
-	if (want_cert) {
+	if (want_cert && host_status != HOST_REVOKED) {
 		/*
 		 * No matching certificate. Downgrade cert to raw key and
 		 * search normally.
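Review bot: The comment under the changed condition still reads as if every certificate failure is downgraded to a raw-key search, but the added `&& host_status != HOST_REVOKED` deliberately skips that retry for a revoked certificate, and a reader will miss why. I would change the first comment line to `* No matching certificate (and it was not revoked). Downgrade cert to raw key and search normally.` The check also depends on `host_status` still holding the value from the lookup that reported the revocation when control reaches `fail:`; that is true for the jump from the HOST_REVOKED branch's strict-checking abort, but any other path into `fail:` is outside the hunk. The remainder of the fail: block continues outside the hunk.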