On Fri, 31 Jan 2020, Aham Brahmasmi wrote:
> Bug:
> When the client connects to the server, they use the ed25519-cert to
> establish the connection. After the ssh session is established, the
> server sends the "hostkeys-00@openssh.com" message with the server's
> ed25519 host public key.
>
> This results in the client looping over the keys in known hosts file,
> and deciding that the @cert-authority host certificate authority public
> key is "deprecated", because it was not sent by the server [1]. The
> client then informs the user:
> "
> The server has updated its host keys.
> These changes were verified by the server's existing trusted key.
> Deprecating obsolete hostkey: ED25519 SHA256:<host_ca_public_key_fingerprint>
> Accept updated hostkeys? (yes/no):
> "
Could you please try this patch?
Index: clientloop.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
retrieving revision 1.338
diff -u -p -r1.338 clientloop.c
--- clientloop.c 30 Jan 2020 07:20:57 -0000 1.338
+++ clientloop.c 3 Feb 2020 02:27:18 -0000
@@ -1856,13 +1859,25 @@ hostkeys_find(struct hostkey_foreach_lin
/* Mark off keys we've already seen for this host */
for (i = 0; i < ctx->nkeys; i++) {
- if (sshkey_equal(l->key, ctx->keys[i])) {
+ if ((l->marker & MRK_CA) != 0) {
+ if (!sshkey_is_cert(ctx->keys[i]))
+ continue;
+ if (!sshkey_equal(ctx->keys[i]->cert->signature_key,
+ l->key))
+ continue;
+ debug3("%s: found %s CA key at %s:%ld", __func__,
+ sshkey_ssh_name(ctx->keys[i]), l->path, l->linenum);
+ ctx->keys_seen[i] = 1;
+ return 0;
+ } else if (sshkey_equal(l->key, ctx->keys[i])) {
debug3("%s: found %s key at %s:%ld", __func__,
sshkey_ssh_name(ctx->keys[i]), l->path, l->linenum);
ctx->keys_seen[i] = 1;
return 0;
}
}
+ if ((l->marker & MRK_REVOKE) != 0)
+ return 0;
/* This line contained a key that not offered by the server */
debug3("%s: deprecated %s key at %s:%ld", __func__,
sshkey_ssh_name(l->key), l->path, l->linenum);
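Review bot: the new `if ((l->marker & MRK_REVOKE) != 0) return 0;` sits after the loop, so a @revoked line whose key equals one of the offered keys still takes the `sshkey_equal(l->key, ctx->keys[i])` branch and sets `ctx->keys_seen[i] = 1` before the revoke check is ever reached; if a revoked key should never count as a seen host key, move that check above the `for` loop. The `(l->marker & MRK_CA) != 0` test is loop-invariant and could likewise be hoisted out of the loop, which would also make it explicit what happens when a @cert-authority line matches none of the offered certificates: as written it falls through to the "deprecated %s key" path exactly like a plain key line, so a CA that simply did not sign this session's certificate can still be flagged for removal. A short comment on the revoke early-return would help, since it silently changes which lines can be deprecated.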
@@ -1961,10 +1976,11 @@ update_known_hosts(struct hostkeys_updat
if (stat(options.user_hostfiles[i], &sb) != 0) {
if (errno == ENOENT) {
debug("%s: known hosts file %s does not exist",
- __func__, strerror(errno));
+ __func__, options.user_hostfiles[i]);
} else {
- error("%s: known hosts file %s inaccessible",
- __func__, strerror(errno));
+ error("%s: known hosts file %s inaccessible: "
+ "%s", __func__, options.user_hostfiles[i],
+ strerror(errno));
}
continue;
}
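Review bot: both message fixes here are correct (the old calls passed `strerror(errno)` where the `%s` was meant to be the file name, and the inaccessible case now prints both the path and the errno text), but they are unrelated to the @cert-authority handling above and would be easier to track as a separate commit with their own log entry; if they stay in this patch, the commit message should mention them.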