Merge 1c12f15 into cb4fc8c
ploxiln committed Apr 24, 2017
2 parents cb4fc8c + 1c12f15 commit 1b63e11
Showing 4 changed files with 30 additions and 21 deletions.
4 changes: 2 additions & 2 deletions paramiko/auth_handler.py
Expand Up @@ -416,8 +416,8 @@ def _parse_userauth_request(self, m):
except SSHException as e:
self.transport._log(INFO, 'Auth rejected: public key: %s' % str(e))
key = None
except:
self.transport._log(INFO, 'Auth rejected: unsupported or mangled public key')
except Exception as e:
self.transport._log(INFO, 'Auth rejected: unsupported or mangled public key: %s' % str(e))
key = None
if key is None:
self._disconnect_no_more_auth()
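Review bot: The new `except Exception as e:` branch interpolates `str(e)`, which is empty for many of the errors a malformed key blob produces (a bare `struct.error` or `IndexError` carries no message), so the INFO line would end at `mangled public key: ` with nothing after the colon; logging the type as well keeps it diagnosable: `'Auth rejected: unsupported or mangled public key: %s: %s' % (type(e).__name__, e)`. The message text is derived from a peer-supplied blob, so it should be treated as untrusted where these logs feed other tooling. `_parse_userauth_request` starts and ends outside the hunk.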
40 changes: 21 additions & 19 deletions paramiko/client.py
Expand Up @@ -335,36 +335,38 @@ def connect(
t.set_log_channel(self._log_channel)
if banner_timeout is not None:
t.banner_timeout = banner_timeout
t.start_client(timeout=timeout)
t.set_sshclient(self)
ResourceManager.register(self, t)

server_key = t.get_remote_server_key()
keytype = server_key.get_name()

if port == SSH_PORT:
server_hostkey_name = hostname
else:
server_hostkey_name = "[%s]:%d" % (hostname, port)
our_server_keys = None

# If GSS-API Key Exchange is performed we are not required to check the
# host key, because the host is authenticated via GSS-API / SSPI as
# well as our client.
if not self._transport.use_gss_kex:
our_server_key = self._system_host_keys.get(server_hostkey_name,
{}).get(keytype, None)
if our_server_key is None:
our_server_key = self._host_keys.get(server_hostkey_name,
{}).get(keytype, None)
if our_server_key is None:
# will raise exception if the key is rejected; let that fall out
self._policy.missing_host_key(self, server_hostkey_name,
server_key)
# if the callback returns, assume the key is ok
our_server_key = server_key
our_server_keys = self._system_host_keys.get(server_hostkey_name)
if our_server_keys is None:
our_server_keys = self._host_keys.get(server_hostkey_name)
if our_server_keys is not None:
t._preferred_keys = list(our_server_keys.keys())

if server_key != our_server_key:
raise BadHostKeyException(hostname, server_key, our_server_key)
t.start_client(timeout=timeout)
t.set_sshclient(self)
ResourceManager.register(self, t)

if not self._transport.use_gss_kex:
server_key = t.get_remote_server_key()
if our_server_keys is None:
# will raise exception if the key is rejected; let that fall out
self._policy.missing_host_key(self, server_hostkey_name, server_key)
else:
our_key = our_server_keys.get(server_key.get_name())
if our_key != server_key:
if our_key is None:
our_key = list(our_server_keys.values())[0]
raise BadHostKeyException(hostname, server_key, our_key)

if username is None:
username = getpass.getuser()
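Review bot: Narrowing `t._preferred_keys` to the stored key types (the line after `if our_server_keys is not None:`) changes what a caller sees when a host's key has been replaced with a different type: kex can no longer agree on a host key algorithm, so the connection presumably fails inside `start_client` with a transport-level SSHException instead of the `BadHostKeyException` the old code raised afterwards — worth a line in `connect`'s docstring and a comment above the assignment such as `# Ask only for host key types we already know, so a server presenting a different type is not mistaken for a missing host key.` Also, once `self._system_host_keys` has any entry for the host, `self._host_keys` is no longer consulted, whereas the old per-keytype lookup fell through to it; if that narrowing is intended it deserves a comment, otherwise merging the two lookups keeps the old behaviour. The fallback `our_key = list(our_server_keys.values())[0]` reports an arbitrary stored key as the expected one in the exception, which is easy to misread as the key that actually mismatched; a short comment saying it is only illustrative would help. `connect` starts and ends outside the hunk.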
3 changes: 3 additions & 0 deletions paramiko/transport.py
Expand Up @@ -2005,6 +2005,9 @@ def _parse_kex_init(self, m):
self.host_key_type = agreed_keys[0]
if self.server_mode and (self.get_server_key() is None):
raise SSHException('Incompatible ssh peer (can\'t match requested host key type)')
self._log_agreement(
'HostKey', agreed_keys[0], agreed_keys[0]
)

if self.server_mode:
agreed_local_ciphers = list(filter(self._preferred_ciphers.__contains__,
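Review bot: The added `self._log_agreement('HostKey', agreed_keys[0], agreed_keys[0])` passes the same value for both arguments, so the log can only ever report the type as agreed and never shows what the client asked for versus what the server offered — exactly the information that matters now that the client narrows `_preferred_keys` (see paramiko/client.py in this commit). If `_log_agreement` takes a local and a remote value as its other uses suggest, passing the head of each side's key-type list would make the line informative; otherwise a comment noting the deliberate duplication would avoid the question. `_parse_kex_init` starts and ends outside the hunk.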
4 changes: 4 additions & 0 deletions sites/www/changelog.rst
Expand Up @@ -2,6 +2,10 @@
Changelog
=========

* :bug:`865` SSHClient requests the type of host key it has (e.g. from
known_hosts) and does not consider a different type to be a "Missing"
host key. This fixes the case where an ecdsa key is in known_hosts and
the server also has an rsa host key. Thanks to Pierce Lopez.
* :bug:`683` Make `util.log_to_file()` append instead of replace. Thanks
to ``@vlcinsky`` for the report.
* :release:`1.18.2 <2017-02-20>`
