
Commit c516197

Ignore bad hostkeys in known_hosts file
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
1 parent 27861e9 commit c516197

3 files changed

+18
-0
lines changed


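--- a/hostfile.c
+++ b/hostfile.c
@@ -63,6 +63,14 @@
 #include "hmac.h"
 #include "sshbuf.h"
 
+static int required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
+
+void
+hostfile_set_minimum_rsa_size(int size)
+{
+required_rsa_size = size;
+}
+
 /* XXX hmac is too easy to dictionary attack; use bcrypt? */
 
 static int
@@ -233,6 +241,7 @@ record_hostkey(struct hostkey_foreach_line *l, void *_ctx)
 struct load_callback_ctx *ctx = (struct load_callback_ctx *)_ctx;
 struct hostkeys *hostkeys = ctx->hostkeys;
 struct hostkey_entry *tmp;
+int r = 0;
 
 if (l->status == HKF_STATUS_INVALID) {
 /* XXX make this verbose() in the future */
@@ -241,6 +250,12 @@ record_hostkey(struct hostkey_foreach_line *l, void *_ctx)
 return 0;
 }
 
+if ((r = sshkey_check_rsa_length(l->key, required_rsa_size)) != 0) {
+debug2_f("%s:%ld: ignoring hostkey: %s",
+l->path, l->linenum, ssh_err(r));
+return 0;
+}
+
 debug3_f("found %skey type %s in file %s:%lu",
 l->marker == MRK_NONE ? "" :
 (l->marker == MRK_CA ? "ca " : "revoked "),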
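Review bot: The new debug2_f in record_hostkey prints `l->linenum` with `%ld`, while the existing debug3_f a few lines below prints the same field with `%lu`; one of them has the wrong signedness for the type, and since the established call uses `%lu` the new line should read `debug2_f("%s:%lu: ignoring hostkey: %s",`. The length check also runs before any marker handling, so an undersized key on an `@cert-authority` or `@revoked` line is dropped together with ordinary entries, and at debug2 the reason for a host suddenly becoming "unknown" is invisible at normal verbosity; if that is intended, say so on the `if`, e.g. `/* Applies to plain, CA and revoked entries alike; undersized keys are never trusted. */`. The file-scope `required_rsa_size` also deserves a one-line comment naming its unit and its setter, e.g. `/* Minimum RSA modulus size (bits) accepted from known_hosts; see hostfile_set_minimum_rsa_size(). */`. The `= 0` on `int r` is dead since r is assigned before every read. record_hostkey's body continues outside the hunk.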

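--- a/hostfile.h
+++ b/hostfile.h
@@ -119,5 +119,6 @@ int hostkeys_foreach_file(const char *path, FILE *f,
 const char *host, const char *ip, u_int options, u_int note);
 
 void hostfile_create_user_ssh_dir(const char *, int);
+void hostfile_set_minimum_rsa_size(int);
 
 #endif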

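--- a/ssh.c
+++ b/ssh.c
@@ -109,6 +109,7 @@
 #include "ssherr.h"
 #include "myproposal.h"
 #include "utf8.h"
+#include "hostfile.h"
 
 #ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
@@ -1386,6 +1387,7 @@ main(int ac, char **av)
 options.update_hostkeys = 0;
 }
 }
+hostfile_set_minimum_rsa_size(options.required_rsa_size);
 if (options.connection_attempts <= 0)
 fatal("Invalid number of ConnectionAttempts");
 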
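Review bot: The call `hostfile_set_minimum_rsa_size(options.required_rsa_size);` passes the option value through unchecked, and the setter on the hostfile.c side stores whatever it receives; if `required_rsa_size` can still hold an "unset" sentinel at this point in main (the surrounding lines do not show where defaults are filled in), the known_hosts filter would be configured with that sentinel rather than the intended minimum. A short comment on the call stating the precondition, e.g. `/* options are fully defaulted by now; the hostfile filter must match the kex RSA minimum */`, would make the ordering requirement explicit. Note too that only this client call site sets the minimum, so any other program that reads known_hosts through record_hostkey keeps the compiled-in default; confirm that is the intended behaviour. main continues outside the hunk.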