authordjm <djm@openbsd.org>2020-10-03 08:11:28 +0000
committerdjm <djm@openbsd.org>2020-10-03 08:11:28 +0000
commitb6892e612c29e12a2cb779cc39d66a7bff97ddb5 (patch)
treed4140fb364f6ee93aedb440508b7434da97c79d4 /usr.bin/ssh/sshconnect2.c
parentadd kcov remote interrupt coverage test (diff)
record when the host key checking code downgrades a certificate host
key to a plain key. This occurs when the user connects to a host with a certificate host key but no corresponding CA key configured in known_hosts; feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/sshconnect2.c')
-rw-r--r--usr.bin/ssh/sshconnect2.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index b2699a92bed..62fb2f5b834 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.327 2020/10/03 08:11:28 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -92,8 +92,13 @@ struct sockaddr *xxx_hostaddr;
static int
verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
{
- if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
+ int cert_downgraded = 0;
+
+ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+ &cert_downgraded) == -1)
fatal("Host key verification failed.");
+ if (cert_downgraded)
+ ssh->kex->flags |= KEX_HOSTCERT_CONVERT;
return 0;
}
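Review bot: The new `cert_downgraded` branch sets `KEX_HOSTCERT_CONVERT` without a comment saying what the downgrade is or why it is being recorded, so a reader of verify_host_key_callback() has to find this commit message to learn that the flag means a certificate host key was accepted as a plain key because no matching CA was in known_hosts. A one-line comment above `if (cert_downgraded)` would carry that into the code: `/* Host cert was accepted as a plain key (no CA in known_hosts); record it for later kex handling. */`. The `int cert_downgraded = 0;` initialiser is what keeps the flag clear if `verify_host_key()` returns without writing through the out-parameter on some path, so it should stay explicit rather than relying on the callee. `ssh->kex` is dereferenced unchecked here; presumably it is always set while this callback runs during key exchange, but that assumption is worth a note if it is not guaranteed by the caller.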