GUACAMOLE-527: Check either provided key or key file, if it exists.

This commit is contained in:
Nick Couchman 2018-05-27 16:46:36 -04:00 committed by Nick Couchman
parent aec2be6da2
commit ac2b4f8d12


@ -520,17 +520,16 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
return NULL; return NULL;
} }
/* Check known_hosts, start by getting known_hosts file of user running guacd */ /* SSH known host key checking. */
struct passwd *pw = getpwuid(getuid());
const char *known_hosts = strcat(pw->pw_dir, "/.ssh/known_hosts");
LIBSSH2_KNOWNHOSTS *ssh_known_hosts = libssh2_knownhost_init(session); LIBSSH2_KNOWNHOSTS *ssh_known_hosts = libssh2_knownhost_init(session);
libssh2_knownhost_readfile(ssh_known_hosts, known_hosts, LIBSSH2_KNOWNHOST_FILE_OPENSSH); int num_known_hosts = 0;
/* Add host key provided from settings */ /* Add host key provided from settings */
if (host_key && strcmp(host_key, "") > 0) { if (host_key && strcmp(host_key, "") != 0) {
int kh_add = libssh2_knownhost_readline(ssh_known_hosts, host_key, strlen(host_key), int kh_add = libssh2_knownhost_readline(ssh_known_hosts, host_key, strlen(host_key),
LIBSSH2_KNOWNHOST_FILE_OPENSSH); LIBSSH2_KNOWNHOST_FILE_OPENSSH);
num_known_hosts++;
if (kh_add) if (kh_add)
guac_client_log(client, GUAC_LOG_WARNING, "Failed to add provided host key" guac_client_log(client, GUAC_LOG_WARNING, "Failed to add provided host key"
@ -538,6 +537,14 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
} }
/* Otherwise, we look for a ssh_known_hosts file within GUACAMOLE_HOME and read that in. */
else {
const char *known_hosts = "/etc/guacamole/ssh_known_hosts";
num_known_hosts = libssh2_knownhost_readfile(ssh_known_hosts, known_hosts, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
}
/* If we've found a provided set of host keys, check against them. */
if (num_known_hosts > 0) {
/* Get fingerprint of host we're connecting to */ /* Get fingerprint of host we're connecting to */
size_t fp_len; size_t fp_len;
int fp_type; int fp_type;
@ -563,12 +570,12 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
"Host key match found for %s", hostname); "Host key match found for %s", hostname);
break; break;
case LIBSSH2_KNOWNHOST_CHECK_NOTFOUND: case LIBSSH2_KNOWNHOST_CHECK_NOTFOUND:
guac_client_log(client, GUAC_LOG_WARNING, guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
"Host key not found for %s.", hostname); "Host key not found for %s.", hostname);
break; break;
case LIBSSH2_KNOWNHOST_CHECK_MISMATCH: case LIBSSH2_KNOWNHOST_CHECK_MISMATCH:
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR, guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
"Host key does not match host entry for %s", hostname); "Host key does not match known hosts entry for %s", hostname);
break; break;
case LIBSSH2_KNOWNHOST_CHECK_FAILURE: case LIBSSH2_KNOWNHOST_CHECK_FAILURE:
default: default:
@ -576,6 +583,7 @@ guac_common_ssh_session* guac_common_ssh_create_session(guac_client* client,
"Host %s could not be checked against known hosts.", "Host %s could not be checked against known hosts.",
hostname); hostname);
} }
}
/* Store basic session data */ /* Store basic session data */
common_session->client = client; common_session->client = client;
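Review bot: In the new `else` branch that reads `/etc/guacamole/ssh_known_hosts`, a missing or unreadable file leaves `num_known_hosts` at zero or negative, so the `num_known_hosts > 0` test silently skips host key verification with no log line; libssh2_knownhost_readfile reports failure with a negative error code, which this test cannot tell apart from an empty file. I would log both outcomes before the check, e.g. `if (num_known_hosts < 0) guac_client_log(client, GUAC_LOG_WARNING, "Failed to read known hosts file %s.", known_hosts); else if (num_known_hosts == 0) guac_client_log(client, GUAC_LOG_INFO, "No known hosts available; host key of %s will not be verified.", hostname);` so a skipped verification is visible in guacd's log. The comment above that branch says the file is looked up within GUACAMOLE_HOME, but the path is a hard-coded `/etc/guacamole/ssh_known_hosts`, so either the comment or the lookup should change. In the first hunk, `num_known_hosts++` runs even when `kh_add` is non-zero, so a provided key that fails to parse still triggers the check and aborts with "Host key not found" rather than a message naming the unparseable key; moving the increment under `if (!kh_add)` (or aborting directly on `kh_add`) would make that failure explicit. The enclosing guac_common_ssh_create_session() starts and ends outside these hunks.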