nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-01 03:22:48 -05:00
Code Issues Projects Releases Wiki Activity

Centralise most details of host-key prompting.

Browse Source 
The text of the host key warnings was replicated in three places: the
Windows rc file, the GTK dialog setup function, and the console.c
shared between both platforms' CLI tools. Now it lives in just one
place, namely ssh/common.c where the rest of the centralised host-key
checking is done, so it'll be easier to adjust the wording in future.

This comes with some extra automation. Paragraph wrapping is no longer
done by hand in any version of these prompts. (Previously we let GTK
do the wrapping on GTK, but on Windows the resource file contained a
bunch of pre-wrapped LTEXT lines, and console.c had pre-wrapped
terminal messages.) And the dialog heights in Windows are determined
automatically based on the amount of stuff in the window.

The main idea of all this is that it'll be easier to set up more
elaborate kinds of host key prompt that deal with certificates (if,
e.g., a server sends us a certified host key which we don't trust the
CA for). But there are side benefits of this refactoring too: each
tool now reliably inserts its own appname in the prompts, and also, on
Windows the entire prompt text is copy-pastable.

Details of implementation: there's a new type SeatDialogText which
holds a set of (type, string) pairs describing the contents of a
prompt. Type codes distinguish ordinary text paragraphs, paragraphs to
be displayed prominently (like key fingerprints), the extra-bold scary
title at the top of the 'host key changed' version of the dialog, and
the various information that lives in the subsidiary 'more info' box.
ssh/common.c constructs this, and passes it to the Seat to present the
actual prompt.

In order to deal with the different UI for answering the prompt, I've
added an extra Seat method 'prompt_descriptions' which returns some
snippets of text to interpolate into the messages. ssh/common.c calls
that while it's still constructing the text, and incorporates the
resulting snippets into the SeatDialogText.

For the moment, this refactoring only affects the host key prompts.
The warnings about outmoded crypto are still done the old-fashioned
way; they probably ought to be similarly refactored to use this new
SeatDialogText system, but it's not immediately critical for the
purpose I have right now.
This commit is contained in:
Simon Tatham
2022-07-07 17:25:15 +01:00
parent 46332db26e
commit f1c8298000
25 changed files with 644 additions and 322 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
ssh/common.c
View File

@ -924,10 +924,104 @@ SeatPromptResult verify_ssh_host_key(
* The key is either missing from the cache, or does not match.
* Either way, fall back to an interactive prompt from the Seat.
*/
bool mismatch = (storage_status != 1);
return seat_confirm_ssh_host_key(
iseat, host, port, keytype, keystr, keydisp, fingerprints, mismatch,
callback, ctx);
SeatDialogText *text = seat_dialog_text_new();
const SeatDialogPromptDescriptions *pds =
seat_prompt_descriptions(iseat.seat);
FingerprintType fptype_default =
ssh2_pick_default_fingerprint(fingerprints);
seat_dialog_text_append(
text, SDT_TITLE, "%s Security Alert", appname);
if (storage_status == 1) {
seat_dialog_text_append(
text, SDT_PARA, "The host key is not cached for this server:");
seat_dialog_text_append(
text, SDT_DISPLAY, "%s (port %d)", host, port);
seat_dialog_text_append(
text, SDT_PARA, "You have no guarantee that the server is the "
"computer you think it is.");
seat_dialog_text_append(
text, SDT_PARA, "The server's %s key fingerprint is:", keytype);
seat_dialog_text_append(
text, SDT_DISPLAY, "%s", fingerprints[fptype_default]);
} else {
seat_dialog_text_append(
text, SDT_SCARY_HEADING, "WARNING - POTENTIAL SECURITY BREACH!");
seat_dialog_text_append(
text, SDT_PARA, "The host key does not match the one %s has "
"cached for this server:", appname);
seat_dialog_text_append(
text, SDT_DISPLAY, "%s (port %d)", host, port);
seat_dialog_text_append(
text, SDT_PARA, "This means that either the server administrator "
"has changed the host key, or you have actually connected to "
"another computer pretending to be the server.");
seat_dialog_text_append(
text, SDT_PARA, "The new %s key fingerprint is:", keytype);
seat_dialog_text_append(
text, SDT_DISPLAY, "%s", fingerprints[fptype_default]);
}
/* The above text is printed even in batch mode. Here's where we stop if
* we can't present interactive prompts. */
seat_dialog_text_append(
text, SDT_BATCH_ABORT, "Connection abandoned.");
HelpCtx helpctx;
if (storage_status == 1) {
seat_dialog_text_append(
text, SDT_PARA, "If you trust this host, %s to add the key to "
"%s's cache and carry on connecting.",
pds->hk_accept_action, appname);
seat_dialog_text_append(
text, SDT_PARA, "If you want to carry on connecting just once, "
"without adding the key to the cache, %s.",
pds->hk_connect_once_action);
seat_dialog_text_append(
text, SDT_PARA, "If you do not trust this host, %s to abandon the "
"connection.", pds->hk_cancel_action);
seat_dialog_text_append(
text, SDT_PROMPT, "Store key in cache?");
helpctx = HELPCTX(errors_hostkey_absent);
} else {
seat_dialog_text_append(
text, SDT_PARA, "If you were expecting this change and trust the "
"new key, %s to update %s's cache and carry on connecting.",
pds->hk_accept_action, appname);
seat_dialog_text_append(
text, SDT_PARA, "If you want to carry on connecting but without "
"updating the cache, %s.", pds->hk_connect_once_action);
seat_dialog_text_append(
text, SDT_PARA, "If you want to abandon the connection "
"completely, %s to cancel. %s is the ONLY guaranteed safe choice.",
pds->hk_cancel_action, pds->hk_cancel_action_Participle);
seat_dialog_text_append(
text, SDT_PROMPT, "Update cached key?");
helpctx = HELPCTX(errors_hostkey_changed);
}
seat_dialog_text_append(text, SDT_MORE_INFO_KEY,
"Full text of host's public key");
seat_dialog_text_append(text, SDT_MORE_INFO_VALUE_BLOB, "%s", keydisp);
if (fingerprints[SSH_FPTYPE_SHA256]) {
seat_dialog_text_append(text, SDT_MORE_INFO_KEY, "SHA256 fingerprint");
seat_dialog_text_append(text, SDT_MORE_INFO_VALUE_SHORT, "%s",
fingerprints[SSH_FPTYPE_SHA256]);
}
if (fingerprints[SSH_FPTYPE_MD5]) {
seat_dialog_text_append(text, SDT_MORE_INFO_KEY, "MD5 fingerprint");
seat_dialog_text_append(text, SDT_MORE_INFO_VALUE_SHORT, "%s",
fingerprints[SSH_FPTYPE_MD5]);
}
SeatPromptResult toret = seat_confirm_ssh_host_key(
iseat, host, port, keytype, keystr, text, helpctx, callback, ctx);
seat_dialog_text_free(text);
return toret;
}
/* ----------------------------------------------------------------------

1
ssh/server.c
View File

@ -122,6 +122,7 @@ static const SeatVtable server_seat_vt = {
.confirm_ssh_host_key = nullseat_confirm_ssh_host_key,
.confirm_weak_crypto_primitive = server_confirm_weak_crypto_primitive,
.confirm_weak_cached_hostkey = server_confirm_weak_cached_hostkey,
.prompt_descriptions = nullseat_prompt_descriptions,
.is_utf8 = nullseat_is_never_utf8,
.echoedit_update = nullseat_echoedit_update,
.get_x_display = nullseat_get_x_display,

1
ssh/sesschan.c
View File

@ -199,6 +199,7 @@ static const SeatVtable sesschan_seat_vt = {
.confirm_ssh_host_key = nullseat_confirm_ssh_host_key,
.confirm_weak_crypto_primitive = nullseat_confirm_weak_crypto_primitive,
.confirm_weak_cached_hostkey = nullseat_confirm_weak_cached_hostkey,
.prompt_descriptions = nullseat_prompt_descriptions,
.is_utf8 = nullseat_is_never_utf8,
.echoedit_update = nullseat_echoedit_update,
.get_x_display = nullseat_get_x_display,