Patch for stricthostkey and a multihop fix
Hans Harder
hans at atbas.org
Fri Apr 12 02:08:42 WST 2013
Hi Matt,
No problem, that solution is even better....
I was also thinking about another option for hostkey checking
One of the problems I have with logical hostnames, is that you get a
selected number of different hostkeys back.
On a 2 node cluster I can get 2 different hostkeys for the same
logical hostname.
So it would be nice to have a way that I can say that it should not
abort on the 1st hostname match if the key does not match, but
continue to look for a matching hostname AND hostkey.
Any ideas on how we could still use a hostkey check with that, instead
of being forced to ignore them ?
I was thinking about parsing the known_hosts until a match was done
with the hostname AND the hostkey
So not aborting if the first hostkey of a hostname did not match.
Should not be to difficult in making a patch for that...
Its more difficult to think of a way of how a user would provide that
on the cmdline...
Something else....the TODO file is not up to date...
I took a look to see if I could help out with something, and I saw the
authorized_keys restrictions....
But you already done that :)
Cheers,
Hans
On Thu, Apr 11, 2013 at 2:16 AM, Matt Johnston <matt at ucc.asn.au> wrote:
> Hi,
>
> Thanks for the patch. I think I'll change it slightly to use
> "-y -y" rather than "-Y" - saves using another letter.
>
> Cheers,
> Matt
>
> On Sun, Apr 07, 2013 at 04:03:37PM +0200, Hans Harder wrote:
>> Underneath some modifications against a stock 2013.56 version
>>
>> - Added -Y option to completely ignore check for hostkeys
>> Needed this for connections to logical hosts, same as openssh -o
>> StrictHostKeychecking=no
>>
>> - Added -y and -Y in function multihop_passthrough_args
>>
>> - fix: in function multihop_passthrough_args there was no space kept
>> between the -W and -i args
>> so added always a space after each added arg
>> after last addition the last space is removed.
>>
>> I am new to the dropbear sources, so perhaps I didn't see it
>> correctly....if so please correct me...
>> Overall nice sourcecode, very clean.
>>
>> Hans
>> ---
>> Quote: ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
>>
>>
>> diff -ruBpN dropbear-2013.56/cli-kex.c work/cli-kex.c
>> --- dropbear-2013.56/cli-kex.c 2013-03-21 08:29:34.000000000 -0700
>> +++ work/cli-kex.c 2013-04-07 03:01:31.000000000 -0600
>> @@ -217,6 +217,11 @@ static void checkhostkey(unsigned char*
>> buffer * line = NULL;
>> int ret;
>>
>> + if (!cli_opts.strict_hostkey) {
>> + TRACE(("strict_hostkey disabled, ignoring hostkey check"));
>> + return;
>> + }
>> +
>> hostsfile = open_known_hosts_file(&readonly);
>> if (!hostsfile) {
>> ask_to_confirm(keyblob, keybloblen);
>> diff -ruBpN dropbear-2013.56/cli-runopts.c work/cli-runopts.c
>> --- dropbear-2013.56/cli-runopts.c 2013-03-21 08:29:34.000000000 -0700
>> +++ work/cli-runopts.c 2013-04-07 03:08:59.000000000 -0600
>> @@ -62,6 +62,7 @@ static void printhelp() {
>> "-N Don't run a remote command\n"
>> "-f Run in background after auth\n"
>> "-y Always accept remote
>> host key if unknown\n"
>> + "-Y Always ignore the
>> remote host key\n"
>> "-s Request a subsystem
>> (use by external sftp)\n"
>> #ifdef ENABLE_CLI_PUBKEY_AUTH
>> "-i <identityfile> (multiple
>> allowed)\n"
>> @@ -130,6 +131,7 @@ void cli_getopts(int argc, char ** argv)
>> cli_opts.backgrounded = 0;
>> cli_opts.wantpty = 9; /* 9 means "it hasn't been touched",
>> gets set later */
>> cli_opts.always_accept_key = 0;
>> + cli_opts.strict_hostkey = 1;
>> cli_opts.is_subsystem = 0;
>> #ifdef ENABLE_CLI_PUBKEY_AUTH
>> cli_opts.privkeys = list_new();
>> @@ -215,6 +217,9 @@ void cli_getopts(int argc, char ** argv)
>> case 'y': /* always accept the remote hostkey */
>> cli_opts.always_accept_key = 1;
>> break;
>> + case 'Y': /* always ignore the remote hostkey */
>> + cli_opts.strict_hostkey = 0;
>> + break;
>> case 'p': /* remoteport */
>> next = &cli_opts.remoteport;
>> break;
>> @@ -461,20 +466,32 @@ multihop_passthrough_args() {
>> int total;
>> unsigned int len = 0;
>> m_list_elem *iter;
>> - /* Fill out -i and -W options that make sense for all
>> + /* Fill out -i , -W, -y and -Y options that make sense for all
>> * the intermediate processes */
>> for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
>> {
>> sign_key * key = (sign_key*)iter->item;
>> len += 3 + strlen(key->filename);
>> }
>> - len += 20; // space for -W <size>, terminator.
>> + len += 30; // space for -W <size>, terminator.
>> ret = m_malloc(len);
>> total = 0;
>>
>> + if (cli_opts.always_accept_key)
>> + {
>> + int written = snprintf(ret+total, len-total, "-y ");
>> + total += written;
>> + }
>> +
>> + if (cli_opts.strict_hostkey == 0)
>> + {
>> + int written = snprintf(ret+total, len-total, "-Y ");
>> + total += written;
>> + }
>> +
>> if (opts.recv_window != DEFAULT_RECV_WINDOW)
>> {
>> - int written = snprintf(ret+total, len-total, "-W %d",
>> opts.recv_window);
>> + int written = snprintf(ret+total, len-total, "-W %d ",
>> opts.recv_window);
>> total += written;
>> }
>>
>> @@ -482,11 +499,17 @@ multihop_passthrough_args() {
>> {
>> sign_key * key = (sign_key*)iter->item;
>> const size_t size = len - total;
>> - int written = snprintf(ret+total, size, "-i %s", key->filename);
>> + int written = snprintf(ret+total, size, "-i %s ",
>> key->filename);
>> dropbear_assert((unsigned int)written < size);
>> total += written;
>> }
>> -
>> +
>> + /* if args where passed, total will be not zero, and it will
>> have a space at the end, so remove that */
>> + if (total) total--;
>> +
>> + /* make sure arg string is ended, especially if no args were passed. */
>> + ret[total]='\0';
>> +
>> return ret;
>> }
>>
>> diff -ruBpN dropbear-2013.56/runopts.h work/runopts.h
>> --- dropbear-2013.56/runopts.h 2013-03-21 08:29:35.000000000 -0700
>> +++ work/runopts.h 2013-04-07 01:55:25.000000000 -0700
>> @@ -121,6 +121,7 @@ typedef struct cli_runopts {
>> char *cmd;
>> int wantpty;
>> int always_accept_key;
>> + int strict_hostkey;
>> int no_cmd;
>> int backgrounded;
>> int is_subsystem;
More information about the Dropbear
mailing list