summaryrefslogtreecommitdiffstats
path: root/clientloop.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2020-01-29 08:51:30 +0100
committerDamien Miller <djm@mindrot.org>2020-01-29 08:52:55 +0100
commit101ebc3a8cfa78d2e615afffbef9861bbbabf1ff (patch)
tree9a145d973b01259e3c6887b431350da6f9c13e37 /clientloop.c
parentupstream: changes to support FIDO attestation (diff)
downloadopenssh-101ebc3a8cfa78d2e615afffbef9861bbbabf1ff.tar.xz
openssh-101ebc3a8cfa78d2e615afffbef9861bbbabf1ff.zip
upstream: give more context to UpdateHostKeys messages, mentioning
that the changes are validated by the existing trusted host key. Prompted by espie@ feedback and ok markus@ OpenBSD-Commit-ID: b3d95f4a45f2692f4143b9e77bb241184dbb8dc5
Diffstat (limited to 'clientloop.c')
-rw-r--r--clientloop.c23
1 files changed, 20 insertions, 3 deletions
diff --git a/clientloop.c b/clientloop.c
index f02fc5811..175b84802 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.335 2020/01/26 00:14:45 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.336 2020/01/29 07:51:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1888,11 +1888,22 @@ hostkeys_find(struct hostkey_foreach_line *l, void *_ctx)
}
static void
-update_known_hosts(struct hostkeys_update_ctx *ctx)
+hostkey_change_preamble(void)
{
- int r, was_raw = 0;
LogLevel loglevel = options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK ?
SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE;
+
+ do_log2(loglevel, "The server has updated its host keys.");
+ do_log2(loglevel, "These changes were verified by the server's "
+ "existing trusted key.");
+}
+
+static void
+update_known_hosts(struct hostkeys_update_ctx *ctx)
+{
+ int r, was_raw = 0, first = 1;
+ int asking = options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK;
+ LogLevel loglevel = asking ? SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE;
char *fp, *response;
size_t i;
struct stat sb;
@@ -1903,16 +1914,22 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
if ((fp = sshkey_fingerprint(ctx->keys[i],
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
+ if (first && asking)
+ hostkey_change_preamble();
do_log2(loglevel, "Learned new hostkey: %s %s",
sshkey_type(ctx->keys[i]), fp);
+ first = 0;
free(fp);
}
for (i = 0; i < ctx->nold; i++) {
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
+ if (first && asking)
+ hostkey_change_preamble();
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
sshkey_type(ctx->old_keys[i]), fp);
+ first = 0;
free(fp);
}
if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) {