GUACAMOLE-527: Check either provided key or key file, if it exists.
This commit is contained in:
parent
aec2be6da2
commit
ac2b4f8d12
@ -520,17 +520,16 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check known_hosts, start by getting known_hosts file of user running guacd */
|
/* SSH known host key checking. */
|
||||||
struct passwd *pw = getpwuid(getuid());
|
|
||||||
const char *known_hosts = strcat(pw->pw_dir, "/.ssh/known_hosts");
|
|
||||||
LIBSSH2_KNOWNHOSTS *ssh_known_hosts = libssh2_knownhost_init(session);
|
LIBSSH2_KNOWNHOSTS *ssh_known_hosts = libssh2_knownhost_init(session);
|
||||||
libssh2_knownhost_readfile(ssh_known_hosts, known_hosts, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
|
int num_known_hosts = 0;
|
||||||
|
|
||||||
/* Add host key provided from settings */
|
/* Add host key provided from settings */
|
||||||
if (host_key && strcmp(host_key, "") > 0) {
|
if (host_key && strcmp(host_key, "") != 0) {
|
||||||
|
|
||||||
int kh_add = libssh2_knownhost_readline(ssh_known_hosts, host_key, strlen(host_key),
|
int kh_add = libssh2_knownhost_readline(ssh_known_hosts, host_key, strlen(host_key),
|
||||||
LIBSSH2_KNOWNHOST_FILE_OPENSSH);
|
LIBSSH2_KNOWNHOST_FILE_OPENSSH);
|
||||||
|
num_known_hosts++;
|
||||||
|
|
||||||
if (kh_add)
|
if (kh_add)
|
||||||
guac_client_log(client, GUAC_LOG_WARNING, "Failed to add provided host key"
|
guac_client_log(client, GUAC_LOG_WARNING, "Failed to add provided host key"
|
||||||
@ -538,6 +537,14 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Otherwise, we look for a ssh_known_hosts file within GUACAMOLE_HOME and read that in. */
|
||||||
|
else {
|
||||||
|
const char *known_hosts = "/etc/guacamole/ssh_known_hosts";
|
||||||
|
num_known_hosts = libssh2_knownhost_readfile(ssh_known_hosts, known_hosts, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If we've found a provided set of host keys, check against them. */
|
||||||
|
if (num_known_hosts > 0) {
|
||||||
/* Get fingerprint of host we're connecting to */
|
/* Get fingerprint of host we're connecting to */
|
||||||
size_t fp_len;
|
size_t fp_len;
|
||||||
int fp_type;
|
int fp_type;
|
||||||
@ -563,12 +570,12 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
|
|||||||
"Host key match found for %s", hostname);
|
"Host key match found for %s", hostname);
|
||||||
break;
|
break;
|
||||||
case LIBSSH2_KNOWNHOST_CHECK_NOTFOUND:
|
case LIBSSH2_KNOWNHOST_CHECK_NOTFOUND:
|
||||||
guac_client_log(client, GUAC_LOG_WARNING,
|
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
|
||||||
"Host key not found for %s.", hostname);
|
"Host key not found for %s.", hostname);
|
||||||
break;
|
break;
|
||||||
case LIBSSH2_KNOWNHOST_CHECK_MISMATCH:
|
case LIBSSH2_KNOWNHOST_CHECK_MISMATCH:
|
||||||
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
|
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
|
||||||
"Host key does not match host entry for %s", hostname);
|
"Host key does not match known hosts entry for %s", hostname);
|
||||||
break;
|
break;
|
||||||
case LIBSSH2_KNOWNHOST_CHECK_FAILURE:
|
case LIBSSH2_KNOWNHOST_CHECK_FAILURE:
|
||||||
default:
|
default:
|
||||||
@ -576,6 +583,7 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
|
|||||||
"Host %s could not be checked against known hosts.",
|
"Host %s could not be checked against known hosts.",
|
||||||
hostname);
|
hostname);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Store basic session data */
|
/* Store basic session data */
|
||||||
common_session->client = client;
|
common_session->client = client;
|
||||||
|
Loading…
Reference in New Issue
Block a user