4d3fc8b057
This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
50 lines
1.7 KiB
Bash
50 lines
1.7 KiB
Bash
# $OpenBSD: keygen-sshfp.sh,v 1.3 2023/02/10 05:06:03 djm Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="keygen-sshfp"
|
|
|
|
trace "keygen fingerprints"
|
|
fp=`${SSHKEYGEN} -r test -f ${SRC}/ed25519_openssh.pub | \
|
|
awk '$5=="1"{print $6}'`
|
|
if [ "$fp" != "8a8647a7567e202ce317e62606c799c53d4c121f" ]; then
|
|
fail "keygen fingerprint sha1"
|
|
fi
|
|
fp=`${SSHKEYGEN} -r test -f ${SRC}/ed25519_openssh.pub | \
|
|
awk '$5=="2"{print $6}'`
|
|
if [ "$fp" != \
|
|
"54a506fb849aafb9f229cf78a94436c281efcb4ae67c8a430e8c06afcb5ee18f" ]; then
|
|
fail "keygen fingerprint sha256"
|
|
fi
|
|
|
|
# Expect two lines of output without an explicit algorithm
|
|
fp=`${SSHKEYGEN} -r test -f ${SRC}/ed25519_openssh.pub | wc -l`
|
|
if [ $(($fp + 0)) -ne 2 ] ; then
|
|
fail "incorrect number of SSHFP records $fp (expected 2)"
|
|
fi
|
|
|
|
# Test explicit algorithm selection
|
|
exp="test IN SSHFP 4 1 8a8647a7567e202ce317e62606c799c53d4c121f"
|
|
fp=`${SSHKEYGEN} -Ohashalg=sha1 -r test -f ${SRC}/ed25519_openssh.pub`
|
|
if [ "x$exp" != "x$fp" ] ; then
|
|
fail "incorrect SHA1 SSHFP output"
|
|
fi
|
|
|
|
exp="test IN SSHFP 4 2 54a506fb849aafb9f229cf78a94436c281efcb4ae67c8a430e8c06afcb5ee18f"
|
|
fp=`${SSHKEYGEN} -Ohashalg=sha256 -r test -f ${SRC}/ed25519_openssh.pub`
|
|
if [ "x$exp" != "x$fp" ] ; then
|
|
fail "incorrect SHA256 SSHFP output"
|
|
fi
|
|
|
|
if ${SSH} -Q key-plain | grep ssh-rsa >/dev/null; then
|
|
fp=`${SSHKEYGEN} -r test -f ${SRC}/rsa_openssh.pub | awk '$5=="1"{print $6}'`
|
|
if [ "$fp" != "99c79cc09f5f81069cc017cdf9552cfc94b3b929" ]; then
|
|
fail "keygen fingerprint sha1"
|
|
fi
|
|
fp=`${SSHKEYGEN} -r test -f ${SRC}/rsa_openssh.pub | awk '$5=="2"{print $6}'`
|
|
if [ "$fp" != \
|
|
"e30d6b9eb7a4de495324e4d5870b8220577993ea6af417e8e4a4f1c5bf01a9b6" ]; then
|
|
fail "keygen fingerprint sha256"
|
|
fi
|
|
fi
|
|
|