New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSHClient: fix the host key test (2.2) #1059

Merged
merged 4 commits into from Sep 12, 2017

Conversation

Projects
None yet
3 participants
@akruis
Contributor

akruis commented Sep 12, 2017

Same as pull request #1057, but for paramiko 2.2.

akruis added some commits Aug 1, 2017

SSHClient: fix the host key test
Skip the host key check only, if the transport actually used
gssapi-keyex. Add tests for the missing-host-key RejectPolicy.

Before this change, a man-in-the-middle attack on the paramiko ssh
client with gss_kex=True was possible by having a server that does not
support gssapi-keyex and gives any or no host key.
Transport gssapi-keyex: set the gss_kex_used flag late
Set the flag gss_kex_used only after a gssapi-keyex has been
successfully completed. This change prevents a wrong value in case of
exceptions during the gssapi-keyex handshake.
@ploxiln

This comment has been minimized.

Contributor

ploxiln commented Sep 12, 2017

No, you shouldn't open a PR for every branch. Just one for 1.7, and one for 2.0

@akruis

This comment has been minimized.

Contributor

akruis commented Sep 12, 2017

@ploxiln: The fix for 2.2 is different from the fix for 2.1. I already resolved the merge conflicts.

bitprophet added a commit that referenced this pull request Sep 12, 2017

bitprophet added a commit that referenced this pull request Sep 12, 2017

@bitprophet bitprophet merged commit a859dda into paramiko:2.2 Sep 12, 2017

2 of 3 checks passed

codecov/patch 71.42% of diff hit (target 75.24%)
Details
codecov/project 75.25% (+<.01%) compared to f58b5b8
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

bitprophet added a commit that referenced this pull request Sep 12, 2017

@bitprophet

This comment has been minimized.

Member

bitprophet commented Sep 12, 2017

We did have a lot of changes across 2.0->2.2 and yea there were merge conflicts. When I used these PRs and then merged-up from the previous branches, the conflicts were gone (besides my own introduced in the changelog.) Thanks!

I grabbed the pre-2.0 ones too since it wasn't that much more work, though I'm still increasingly less likely to bother with those going forwards :(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment