http://bugzilla.mindrot.org/show_bug.cgi?id=910

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |foomzilla at fuhm.net

------- Additional Comments From djm at mindrot.org 2005-04-21 18:16 -------
*** Bug 454 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
schabi at users.sourceforge.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |schabi at users.sourceforge.net

------- Additional Comments From schabi at users.sourceforge.net 2005-05-12 18:33 -------
Any chance that this patch will actually be applied?
Paul-Ebermann at gmx.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Paul-Ebermann at gmx.de
------- Additional Comments From dtucker at zip.com.au 2005-05-14 13:12 -------
Probably not as it stands because it breaks every known_hosts file in
existence:

$ grep myserver ~/.ssh/known_hosts
myserver,192.168.32.1 ssh-rsa AAAA[snip]
$ ./ssh -o hashknownhosts=no gate
The authenticity of host 'myserver (192.168.32.1@22)' can't be established.

Perhaps it ought to check for a matching "server@port" first, then "server"
before failing?
dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #719 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2005-05-14 13:19 -------
Created an attachment (id=912)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=912&action=view)
Update patch #719 to -current

Updated to -current. Only looked at it briefly, but there seem to be
unnecessary changes in there (eg the changes to ssh_kex2()).
------- Additional Comments From dtucker at zip.com.au 2005-05-14 16:40 -------
(In reply to comment #15)
> Perhaps it ought to check for a matching "server@port" first, then "server"
> before failing?

Thinking about this: how about if a missing "@port" portion implied "@22", and
when creating new entries for port 22 the "@port" portion was omitted? That
would mean that a patched ssh would still create known_hosts files that are
compatible with older versions for the common case (handy for, eg, an
NFS-mounted /home shared by multiple hosts).
------- Additional Comments From djm at mindrot.org 2005-05-14 16:55 -------
That would also allow the correct use of hashed hostnames without the @port
appendage.
dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #912 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2005-05-14 19:33 -------
Created an attachment (id=913)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=913&action=view)
A key of "hostname" implies port 22, also fix HashKnownHosts

Implement semantics proposed in comment #17, and make it play nice with
HashKnownHosts. The cases I can see are:

a) "ssh hostname" stores a key for "hostname"
b) "ssh -p 222 hostname" stores a key for "hostname@222".
c) "ssh -p 222 -o hostkeyalias=foo hostname" stores a key for "foo".

The only change in semantics I can see is for case b) when there's a key for
"hostname" but not "hostname@222". Without the patch it'll match "hostname",
with the patch it'll give a "no matching key" error. I think this is probably
acceptable.
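The lookup rules of comment #17 and cases a) to c) above, together with the HashKnownHosts point raised in the previous comment, as an added Python model written for this thread (not the patch's C code): the port-aware name is derived first, a zero or default port keeps the bare hostname, and a hashed entry is matched by recomputing the HMAC over that same name, so there is no fallback from "host@port" to "host". The host@port spelling follows the patch discussed here; the feature as later released in OpenSSH spells it [host]:port.

```python
import base64, hashlib, hmac, os

DEFAULT_PORT = 22

def key_name(host, port=DEFAULT_PORT, alias=None):
    """Name a host key is stored under: case c (alias), a (bare host), b (host@port)."""
    if alias:                        # HostKeyAlias overrides both host and port
        return alias
    if port in (0, DEFAULT_PORT):    # 0 means "default"; port 22 is stored without "@22"
        return host
    return "%s@%d" % (host, port)    # form used by the patch in this thread

def hash_hostname(name, salt=None):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, name))|"""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def pattern_matches(pattern, name):
    """Match the first field of a known_hosts line (plain list or hashed) against name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in pattern.split(",")

def lookup(known_hosts, host, port=DEFAULT_PORT, alias=None):
    """Return (keytype, key) for the entry matching the port-aware name, else None."""
    name = key_name(host, port, alias)
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if pattern_matches(fields[0], name):
            return fields[1], fields[2]
    return None   # no fallback from "host@port" to bare "host": the case b) change

# Constructed sample file: one plain port-22 entry, one explicit-port entry, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "myserver,192.168.32.1 ssh-rsa AAAAexampleKeyOne",
    "myserver@2222 ssh-rsa AAAAexampleKeyTwo",
    hash_hostname("gate@222", salt=b"\x01" * 20) + " ssh-rsa AAAAexampleKeyThree",
])

if __name__ == "__main__":
    print(lookup(KNOWN_HOSTS, "myserver"))          # plain entry matches the bare name
    print(lookup(KNOWN_HOSTS, "myserver", 222))     # None: a key exists only for port 22
    print(lookup(KNOWN_HOSTS, "gate", 222))         # hashed entry matches "gate@222"
```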
dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #913 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2005-05-14 22:25 -------
Created an attachment (id=914)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=914&action=view)
known hosts port patch, cleaned up, updated man page
------- Additional Comments From djm at mindrot.org 2005-05-21 09:38 -------
(From update of attachment 914)
>Index: sshconnect.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshconnect.c,v
>retrieving revision 1.129
>diff -u -p -r1.129 sshconnect.c
>--- sshconnect.c 14 Mar 2005 12:08:12 -0000 1.129
>+++ sshconnect.c 14 May 2005 12:13:10 -0000
...
>+ if (snprintf(hoststr, len, "%s@%hu", host, port) >= len)
>+ fatal("check_host_key: snprintf failed");
>+ len = strlen(ip) + sizeof(port) * 4 + 2;
>+ ipstr = xmalloc(len);
>+ if (snprintf(ipstr, len, "%s@%hu", ip, port) >= len)
>+ fatal("check_host_key: snprintf failed");

Current style is to check snprintf's return != -1 and < len because of old
busted implementations that return -1. I think our snprintf returns >= len on
truncation, but we should set a good example anyway.

Otherwise this looks pretty much OK.
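Review bot: the `>= len` truncation test on both snprintf calls lets a -1 return (pre-C99 snprintf on truncation or error) pass, so a truncated hoststr or ipstr would then be used as the known_hosts lookup key; capture the return value and test both conditions, e.g. `r = snprintf(hoststr, len, "%s@%hu", host, port); if (r == -1 || r >= len) fatal(...)`, which is the `!= -1 && < len` style the comment above asks for. The size computation `strlen(ip) + sizeof(port) * 4 + 2` does leave room for the "@", up to five digits and the NUL, so only the check needs to change.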
------- Additional Comments From dtucker at zip.com.au 2005-05-21 11:53 -------
(From update of attachment 914)
Also noticed this minor improvement:
>+ u_short port = options.port ? options.port : SSH_DEFAULT_PORT;
[...]
>- ssh_kex2(host, hostaddr);
>+ ssh_kex2(host, port, hostaddr);

Since check_host_key() will happily accept a port of zero as meaning the
default, we could just feed it options.port. In fact, we could do away with
the extra argument entirely and just use options.port directly, which would
cut the diff a bit.
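Review bot: the `options.port ? options.port : SSH_DEFAULT_PORT` line makes the port-0-means-default rule live in two places, here and in check_host_key() as the comment above notes, so a later change to one can silently diverge from the other; drop the conditional and pass options.port through unchanged, or remove the new ssh_kex2() argument and read options.port where it is needed, so the default is resolved in exactly one spot.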
dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #914 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2005-05-21 12:33 -------
Created an attachment (id=920)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=920&action=view)
port-aware known hosts, simplified

Used options.port rather than passing a port number around as an argument.
This reduced the overall diff by about 25%. Should still behave exactly the
same as attachment #914.