Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 6049a548a8a68ff0bbe581ab1748ea6a59ecdc38^! / . / sshd.c
commit6049a548a8a68ff0bbe581ab1748ea6a59ecdc38[log] [tgz]
authordjm@openbsd.org <djm@openbsd.org>Sat Jan 31 20:30:05 2015 +0000
committerDamien Miller <djm@mindrot.org>Sun Feb 01 09:13:09 2015 +1100
tree699647989ed8bb5800886fa57e96fe8a6702df4f
parent46347ed5968f582661e8a70a45f448e0179ca0ab [diff] [blame]
upstream commit

Let sshd load public host keys even when private keys are
 missing. Allows sshd to advertise additional keys for future key rotation.
 Also log fingerprint of hostkeys loaded; ok markus@

diff --git a/sshd.c b/sshd.c
index 004ddd4..4282bdc 100644
--- a/sshd.c
+++ b/sshd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.440 2015/01/26 06:10:03 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.441 2015/01/31 20:30:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -795,7 +795,7 @@
 	buffer_init(&b);
 	for (i = 0; i < options.num_host_key_files; i++) {
 		key = sensitive_data.host_keys[i];
-		if (key == NULL)
+		if (key == NULL && have_agent)
 			key = sensitive_data.host_pubkeys[i];
 		if (key == NULL)
 			continue;
@@ -1442,7 +1442,7 @@
 	int sock_in = -1, sock_out = -1, newsock = -1;
 	const char *remote_ip;
 	int remote_port;
-	char *line, *logfile = NULL;
+	char *fp, *line, *logfile = NULL;
 	int config_s[2] = { -1 , -1 };
 	u_int n;
 	u_int64_t ibytes, obytes;
@@ -1764,10 +1764,11 @@
 		sensitive_data.host_keys[i] = key;
 		sensitive_data.host_pubkeys[i] = pubkey;
 
-		if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 &&
-		    have_agent) {
-			debug("will rely on agent for hostkey %s",
-			    options.host_key_files[i]);
+		if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1) {
+			if (have_agent) {
+				debug("will rely on agent for hostkey %s",
+				    options.host_key_files[i]);
+			}
 			keytype = pubkey->type;
 		} else if (key != NULL) {
 			keytype = key->type;
@@ -1788,11 +1789,17 @@
 		case KEY_DSA:
 		case KEY_ECDSA:
 		case KEY_ED25519:
-			sensitive_data.have_ssh2_key = 1;
+			if (have_agent || key != NULL)
+				sensitive_data.have_ssh2_key = 1;
 			break;
 		}
-		debug("private host key: #%d type %d %s", i, keytype,
-		    key_type(key ? key : pubkey));
+		if ((fp = sshkey_fingerprint(pubkey, options.fingerprint_hash,
+		    SSH_FP_DEFAULT)) == NULL)
+			fatal("sshkey_fingerprint failed");
+		debug("%s host key #%d: %s %s",
+		    key ? "private" : "public", i, keytype == KEY_RSA1 ?
+		    sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
+		free(fp);
 	}
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");