[bug#38478] [PATCH 2/4] ssh: Always authenticate the server [security fi
From: Ludovic Courtès
Subject: [bug#38478] [PATCH 2/4] ssh: Always authenticate the server [security fix].
Date: Tue, 3 Dec 2019 22:15:55 +0100
Until now, users of 'open-ssh-session', including "guix deploy" and
"GUIX_DAEMON_SOCKET=ssh://…" (but not "guix offload"), would not
authenticate the SSH server they're talking to.
* guix/ssh.scm (open-ssh-session): Call 'authenticate-server'.
---
guix/ssh.scm | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/guix/ssh.scm b/guix/ssh.scm
index f34e71392b..519c723155 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -125,6 +125,17 @@ Throw an error on failure."
(match (connect! session)
('ok
+ ;; Authenticate against ~/.ssh/known_hosts.
+ (match (authenticate-server session)
+ ('ok #f)
+ (reason
+ (raise (condition
+ (&message
+ (message (format #f (G_ "failed to authenticate \
+server at '~a': ~a")
+ (session-get session 'host)
+ reason)))))))
+
;; Use public key authentication, via the SSH agent if it's available.
(match (userauth-public-key/auto! session)
('success
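Review bot: The catch-all `reason` clause of the new `match` on `authenticate-server` raises while the session that `connect!` just opened is still connected; consider calling `disconnect!` on the session before the `raise` so a failed host-key check does not leave the connection open. That clause also reports every non-'ok result through the same message, so a host that is merely absent from ~/.ssh/known_hosts and a host whose key differs from the recorded one look alike to the user; a short hint on how to record the key in the first case would help. The docstring ending in "Throw an error on failure." should mention that failing to authenticate the server is now one of those failures.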
--
2.24.0