diff options
author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2010-04-17 20:16:52 -0400 |
---|---|---|
committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2010-04-17 20:16:52 -0400 |
commit | de07dd810164ec5c3d5798b45f0b98f92f9d994d (patch) | |
tree | 6bc72babc2db83b5f6c9d3893a7fa05e1952c7de /src | |
parent | b91c4d0c37daa741d45271fa7e961220bacbe91a (diff) |
do not try to add to known_hosts if HASH_KNOWN_HOSTS is true but ssh-keygen is not available (includes some comments about how to fix these corner cases).
Diffstat (limited to 'src')
-rw-r--r-- | src/share/common | 22 | ||||
-rw-r--r-- | src/share/m/ssh_proxycommand | 12 |
2 files changed, 28 insertions, 6 deletions
diff --git a/src/share/common b/src/share/common index adec5a1..9e40302 100644 --- a/src/share/common +++ b/src/share/common @@ -885,13 +885,25 @@ process_host_known_hosts() { # hash if specified if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then + if (type ssh-keygen >/dev/null) ; then # FIXME: this is really hackish cause ssh-keygen won't # hash from stdin to stdout - tmpfile=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) - ssh2known_hosts "$host" "$sshKey" > "$tmpfile" - ssh-keygen -H -f "$tmpfile" 2>/dev/null - cat "$tmpfile" >> "$KNOWN_HOSTS" - rm -f "$tmpfile" "${tmpfile}.old" + tmpfile=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) + ssh2known_hosts "$host" "$sshKey" > "$tmpfile" + ssh-keygen -H -f "$tmpfile" 2>/dev/null + cat "$tmpfile" >> "$KNOWN_HOSTS" + rm -f "$tmpfile" "${tmpfile}.old" + else + # FIXME: we could do this without needing ssh-keygen. hashed + # known_hosts looks like: |1|X|Y where 1 means SHA1 (nothing + # else is defined in openssh sources), X is the salt (same + # length as the digest output), base64-encoded, and Y is the + # digested hostname (also base64-encoded). + + # see hostfile.{c,h} in openssh sources. + + failure "Cannot hash known_hosts as requested" + fi else ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" fi diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index 5f7a63b..5fb2ce4 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand @@ -237,7 +237,17 @@ else if (type ssh-keygen &>/dev/null) ; then hostKey=$(ssh-keygen -F "$HOST" -f "$KNOWN_HOSTS" 2>/dev/null) else - # FIXME: we're not dealing with digested known_hosts if we don't + # FIXME: we're not dealing with digested known_hosts if we + # don't have ssh-keygen + + # But we could do this without needing ssh-keygen. hashed + # known_hosts looks like: |1|X|Y where 1 means SHA1 (nothing + # else is defined in openssh sources), X is the salt (same + # length as the digest output), base64-encoded, and Y is the + # digested hostname (also base64-encoded). + + # see hostfile.{c,h} in openssh sources. + hostKey=$(cut -f1 -d\ < .ssh/known_hosts | tr ',' '\n' | grep -Fx -e "$HOST" || :) fi fi |