summaryrefslogtreecommitdiffstats
path: root/src/vfs/sftpfs/connection.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/vfs/sftpfs/connection.c')
-rw-r--r--src/vfs/sftpfs/connection.c49
1 files changed, 45 insertions, 4 deletions
diff --git a/src/vfs/sftpfs/connection.c b/src/vfs/sftpfs/connection.c
index d2466de..6132675 100644
--- a/src/vfs/sftpfs/connection.c
+++ b/src/vfs/sftpfs/connection.c
@@ -1,7 +1,7 @@
/* Virtual File System: SFTP file system.
The internal functions: connections
- Copyright (C) 2011-2023
+ Copyright (C) 2011-2024
Free Software Foundation, Inc.
Written by:
@@ -74,6 +74,37 @@ static const char *const hostkey_method_ssh_ecdsa_256 = "ecdsa-sha2-nistp256";
static const char *const hostkey_method_ssh_rsa = "ssh-rsa";
static const char *const hostkey_method_ssh_dss = "ssh-dss";
+/* *INDENT-OFF* */
+static const char *default_hostkey_methods =
+#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_256
+ "ecdsa-sha2-nistp256,"
+#endif
+#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_384
+ "ecdsa-sha2-nistp384,"
+#endif
+#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_521
+ "ecdsa-sha2-nistp521,"
+#endif
+#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_256
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
+#endif
+#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_384
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+#endif
+#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_521
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
+#endif
+#ifdef LIBSSH2_KNOWNHOST_KEY_ED25519
+ "ssh-ed25519,"
+ "ssh-ed25519-cert-v01@openssh.com,"
+#endif
+ "rsa-sha2-256,"
+ "rsa-sha2-512,"
+ "ssh-rsa,"
+ "ssh-rsa-cert-v01@openssh.com,"
+ "ssh-dss";
+/* *INDENT-ON* */
+
/**
*
* The current implementation of know host key checking has following limitations:
@@ -257,8 +288,10 @@ sftpfs_read_known_hosts (struct vfs_s_super *super, GError ** mcerror)
continue;
if (store->name == NULL)
- found = TRUE;
- else if (store->name[0] != '[')
+ /* Ignore hashed hostnames. Currently, libssh2 offers no way for us to match it */
+ continue;
+
+ if (store->name[0] != '[')
found = strcmp (store->name, super->path_element->host) == 0;
else
{
@@ -285,6 +318,7 @@ sftpfs_read_known_hosts (struct vfs_s_super *super, GError ** mcerror)
{
int mask;
const char *hostkey_method = NULL;
+ char *hostkey_methods;
mask = store->typemask & LIBSSH2_KNOWNHOST_KEY_MASK;
@@ -326,8 +360,15 @@ sftpfs_read_known_hosts (struct vfs_s_super *super, GError ** mcerror)
return FALSE;
}
+ /* Append the default hostkey methods (with lower priority).
+ * Since we ignored hashed hostnames, the actual matching host
+ * key might have different type than the one found in
+ * known_hosts for non-hashed hostname. Methods not supported
+ * by libssh2 it are ignored. */
+ hostkey_methods = g_strdup_printf ("%s,%s", hostkey_method, default_hostkey_methods);
rc = libssh2_session_method_pref (sftpfs_super->session, LIBSSH2_METHOD_HOSTKEY,
- hostkey_method);
+ hostkey_methods);
+ g_free (hostkey_methods);
if (rc < 0)
goto err;
}