90 lines
2.8 KiB
Diff
90 lines
2.8 KiB
Diff
Index: crypto/openssh/auth2-chall.c
|
|
===================================================================
|
|
--- crypto/openssh/auth2-chall.c (revision 285923)
|
|
+++ crypto/openssh/auth2-chall.c (working copy)
|
|
@@ -82,6 +82,7 @@ struct KbdintAuthctxt
|
|
void *ctxt;
|
|
KbdintDevice *device;
|
|
u_int nreq;
|
|
+ u_int devices_done;
|
|
};
|
|
|
|
#ifdef USE_PAM
|
|
@@ -168,11 +169,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthc
|
|
if (len == 0)
|
|
break;
|
|
for (i = 0; devices[i]; i++) {
|
|
- if (!auth2_method_allowed(authctxt,
|
|
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
|
|
+ !auth2_method_allowed(authctxt,
|
|
"keyboard-interactive", devices[i]->name))
|
|
continue;
|
|
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
|
|
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
|
|
+ len) == 0) {
|
|
kbdintctxt->device = devices[i];
|
|
+ kbdintctxt->devices_done |= 1 << i;
|
|
+ }
|
|
}
|
|
t = kbdintctxt->devices;
|
|
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
|
|
Index: crypto/openssh/sshconnect.c
|
|
===================================================================
|
|
--- crypto/openssh/sshconnect.c (revision 285923)
|
|
+++ crypto/openssh/sshconnect.c (working copy)
|
|
@@ -1247,29 +1247,39 @@ verify_host_key(char *host, struct sockaddr *hosta
|
|
{
|
|
int flags = 0;
|
|
char *fp;
|
|
+ Key *plain = NULL;
|
|
|
|
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
|
debug("Server host key: %s %s", key_type(host_key), fp);
|
|
free(fp);
|
|
|
|
- /* XXX certs are not yet supported for DNS */
|
|
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
|
|
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
|
|
- if (flags & DNS_VERIFY_FOUND) {
|
|
-
|
|
- if (options.verify_host_key_dns == 1 &&
|
|
- flags & DNS_VERIFY_MATCH &&
|
|
- flags & DNS_VERIFY_SECURE)
|
|
- return 0;
|
|
-
|
|
- if (flags & DNS_VERIFY_MATCH) {
|
|
- matching_host_key_dns = 1;
|
|
- } else {
|
|
- warn_changed_key(host_key);
|
|
- error("Update the SSHFP RR in DNS with the new "
|
|
- "host key to get rid of this message.");
|
|
+ if (options.verify_host_key_dns) {
|
|
+ /*
|
|
+ * XXX certs are not yet supported for DNS, so downgrade
|
|
+ * them and try the plain key.
|
|
+ */
|
|
+ plain = key_from_private(host_key);
|
|
+ if (key_is_cert(plain))
|
|
+ key_drop_cert(plain);
|
|
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
|
|
+ if (flags & DNS_VERIFY_FOUND) {
|
|
+ if (options.verify_host_key_dns == 1 &&
|
|
+ flags & DNS_VERIFY_MATCH &&
|
|
+ flags & DNS_VERIFY_SECURE) {
|
|
+ key_free(plain);
|
|
+ return 0;
|
|
+ }
|
|
+ if (flags & DNS_VERIFY_MATCH) {
|
|
+ matching_host_key_dns = 1;
|
|
+ } else {
|
|
+ warn_changed_key(plain);
|
|
+ error("Update the SSHFP RR in DNS "
|
|
+ "with the new host key to get rid "
|
|
+ "of this message.");
|
|
+ }
|
|
}
|
|
}
|
|
+ key_free(plain);
|
|
}
|
|
|
|
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
|