05/07: ssh: Always authenticate the server [security fix].
From: guix-commits
Subject: 05/07: ssh: Always authenticate the server [security fix].
Date: Wed, 4 Dec 2019 12:16:20 -0500 (EST)
civodul pushed a commit to branch master
in repository guix.
commit f5c180180e848b83d8ccdf6015cd7f214372d599
Author: Ludovic Courtès <address@hidden>
Date: Tue Dec 3 21:41:54 2019 +0100
ssh: Always authenticate the server [security fix].
Until now, users of 'open-ssh-session', including "guix deploy" and
"GUIX_DAEMON_SOCKET=ssh://…" (but not "guix offload"), would not
authenticate the SSH server they're talking to.
* guix/ssh.scm (open-ssh-session): Call 'authenticate-server'.
---
guix/ssh.scm | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/guix/ssh.scm b/guix/ssh.scm
index f34e713..519c723 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -125,6 +125,17 @@ Throw an error on failure."
(match (connect! session)
('ok
+ ;; Authenticate against ~/.ssh/known_hosts.
+ (match (authenticate-server session)
+ ('ok #f)
+ (reason
+ (raise (condition
+ (&message
+ (message (format #f (G_ "failed to authenticate \
+server at '~a': ~a")
+ (session-get session 'host)
+ reason)))))))
+
;; Use public key authentication, via the SSH agent if it's available.
(match (userauth-public-key/auto! session)
('success
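Review bot: The catch-all `reason` clause in the new `match` on `(authenticate-server session)` folds every result other than 'ok into one message and a bare `&message` condition, so neither the user nor a caller of 'open-ssh-session' can tell a changed host key from a host that is simply not recorded in ~/.ssh/known_hosts. Consider matching the distinct failure values in separate clauses, giving a changed key a more prominent error and an unknown host a hint on how to record its key, and raising a dedicated condition type that callers can handle programmatically. Since any non-'ok result now aborts the connection, which presumably includes a first connection to a host not yet in known_hosts, the behaviour change deserves a note in the manual or NEWS; the diffstat shows only guix/ssh.scm touched, with no documentation or test alongside.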