guix-commits

01/01: gnu: lftp: Don't save unknown SSH host fingerprints to known_hosts by default.


From: Mark H. Weaver
Subject: 01/01: gnu: lftp: Don't save unknown SSH host fingerprints to known_hosts by default.
Date: Thu, 05 Mar 2015 17:16:28 +0000

mhw pushed a commit to branch master
in repository guix.

commit 87d79282941de06a9b0c464df87c8d0456c145ce
Author: Mark H Weaver <address@hidden>
Date:   Thu Mar 5 12:14:43 2015 -0500

    gnu: lftp: Don't save unknown SSH host fingerprints to known_hosts by default.
    
    * gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch: New file.
    * gnu-system.am (dist_patch_DATA): Add it.
    * gnu/packages/ftp.scm (lftp): Add patch.
---
 gnu-system.am                                      |    1 +
 gnu/packages/ftp.scm                               |    6 +-
 .../lftp-dont-save-unknown-host-fingerprint.patch  |   81 ++++++++++++++++++++
 3 files changed, 87 insertions(+), 1 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index 21930cd..6129226 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -442,6 +442,7 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/irrlicht-mesa-10.patch                  \
   gnu/packages/patches/jbig2dec-ignore-testtest.patch          \
   gnu/packages/patches/kmod-module-directory.patch             \
+  gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch \
   gnu/packages/patches/libarchive-CVE-2013-0211.patch          \
   gnu/packages/patches/libarchive-fix-lzo-test-case.patch      \
   gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \
diff --git a/gnu/packages/ftp.scm b/gnu/packages/ftp.scm
index f002122..22ea1af 100644
--- a/gnu/packages/ftp.scm
+++ b/gnu/packages/ftp.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 Ludovic Courtès <address@hidden>
 ;;; Copyright © 2015 Andreas Enge <address@hidden>
+;;; Copyright © 2015 Mark H Weaver <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,7 +40,10 @@
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1grmp8zg7cjgjinz66mrh53whigkqzl90nlxj05hapnhk3ns3vni"))))
+                "1grmp8zg7cjgjinz66mrh53whigkqzl90nlxj05hapnhk3ns3vni"))
+              (patches
+               (list (search-patch
+                      "lftp-dont-save-unknown-host-fingerprint.patch")))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
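Review bot: nothing in the package definition records that this patch is an upstream commit (the patch file itself carries the `From bc7b476e782d77839765f56bbdb4cee9f36b54ec` header), so add a one-line comment next to the `patches` field naming that commit, which makes it obvious when the patch can be dropped at the next lftp release. Leaving the `sha256` unchanged is correct here, since Guix applies `patches` to the unpacked source after the tarball has been verified.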
diff --git a/gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch 
b/gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch
new file mode 100644
index 0000000..e170d11
--- /dev/null
+++ b/gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch
@@ -0,0 +1,81 @@
+Fixes "saves unknown host's fingerprint in known_hosts without any prompt".
+See:
+
+  https://github.com/lavv17/lftp/issues/116
+  https://bugs.debian.org/774769
+
+From bc7b476e782d77839765f56bbdb4cee9f36b54ec Mon Sep 17 00:00:00 2001
+From: "Alexander V. Lukyanov" <address@hidden>
+Date: Tue, 13 Jan 2015 15:33:54 +0300
+Subject: [PATCH] add settings fish:auto-confirm and sftp:auto-confirm
+
+New host keys are now not confirmed by default, this should improve security.
+Suggested by Marcin Szewczyk <address@hidden>
+---
+ doc/lftp.1        | 8 ++++++++
+ src/SSH_Access.cc | 5 +++--
+ src/resource.cc   | 2 ++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/doc/lftp.1 b/doc/lftp.1
+index cabc1be..ed6c388 100644
+--- a/doc/lftp.1
++++ b/doc/lftp.1
+@@ -1384,6 +1384,10 @@ address family in dns:order.
+ .BR file:charset \ (string)
+ local character set. It is set from current locale initially.
+ .TP
++.BR fish:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR fish:charset \ (string)
+ the character set used by fish server in requests, replies and file listings.
+ Default is empty which means the same as local.
+@@ -1952,6 +1956,10 @@ minimal chunk size to split the file to.
+ save pget transfer status this often. Set to `never' to disable saving of the 
status file.
+ The status is saved to a file with suffix \fI.lftp-pget-status\fP.
+ .TP
++.BR sftp:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR sftp:charset \ (string)
+ the character set used by SFTP server in file names and file listings.
+ Default is empty which means the same as local. This setting is only used
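Review bot: neither the `fish:auto-confirm` nor the `sftp:auto-confirm` entry states the default, which is `no` per the resource.cc part of this patch, nor the consequence of that default: ssh's new-host-key question is answered `no`, so the first connection to a host whose key is not yet in known_hosts fails. Suggest adding `Default is no.` to both entries and one sentence telling the user to add the host key out of band first, or to enable the setting for a single host through a closure (`set sftp:auto-confirm/example.com yes`) rather than globally, which would restore the old behaviour for every host.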
+diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc
+index 706fc6a..17c716d 100644
+--- a/src/SSH_Access.cc
++++ b/src/SSH_Access.cc
+@@ -72,8 +72,9 @@ int SSH_Access::HandleSSHMessage()
+       }
+       if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
+       {
+-       pty_recv_buf->Put("yes\n");
+-       pty_send_buf->Put("yes\n");
++       const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n";
++       pty_recv_buf->Put(answer);
++       pty_send_buf->Put(answer);
+        return m;
+       }
+       if(!received_greeting && recv_buf->Size()>0)
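Review bot: the reply chosen by `QueryBool("auto-confirm",hostname)` is written back without any message to the user, so with the default of `no` a connection to an unknown host simply fails at the ssh prompt and the user is not told why, nor shown the fingerprint ssh printed. Consider logging the matched prompt text before replying, so the user can verify the fingerprint with the host's administrator and add the key out of band (an interactive `ssh` session, or `ssh-keyscan` checked against that fingerprint), or opt in per host, which the `hostname` closure passed here already permits. Note also that this branch answers `no` to every ssh yes/no question it matches, not only the host-key one, as the man page text in this same patch admits.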
+diff --git a/src/resource.cc b/src/resource.cc
+index 91b2e60..3a5e8b9 100644
+--- a/src/resource.cc
++++ b/src/resource.cc
+@@ -339,6 +339,7 @@ static ResType lftp_vars[] = {
+    {"mirror:no-empty-dirs",    "no",    
ResMgr::BoolValidate,ResMgr::NoClosure},
+    {"mirror:require-source",   "no",    
ResMgr::BoolValidate,ResMgr::NoClosure},
+ 
++   {"sftp:auto-confirm",       "no",    ResMgr::BoolValidate,0},
+    {"sftp:max-packets-in-flight","16",          ResMgr::UNumberValidate,0},
+    {"sftp:protocol-version",   "6",     ResMgr::UNumberValidate,0},
+    {"sftp:size-read",          "32k",   ResMgr::UNumberValidate,0},
+@@ -367,6 +368,7 @@ static ResType lftp_vars[] = {
+    {"dns:strict-dnssec",       "no",    ResMgr::BoolValidate,0},
+ #endif
+ 
++   {"fish:auto-confirm",       "no",    ResMgr::BoolValidate,0},
+    {"fish:shell",              "/bin/sh",0,0},
+    {"fish:connect-program",    "ssh -a -x",0,0},
+    {"fish:charset",            "",      ResMgr::CharsetValidate,0},
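Review bot: both new entries use `0` as the closure validator rather than the `ResMgr::NoClosure` used by the `mirror:` entries just above, so the setting can be scoped to a host, matching the `hostname` closure used in SSH_Access.cc; keep it that way, since a global `yes` would reinstate the blind-accept behaviour for all hosts. Both entries are needed because SSH_Access.cc queries the bare name `auto-confirm` and the `fish:`/`sftp:` prefix is supplied by whichever backend is in use; the default of `no` is the right secure default for both.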


