The result of calling ssh_get_publickey_hash() is never used in the
code, simply being freed on all exit paths. It appears this was
copied from the libssh docs example code, where the fingerprint
was indeed printed on the console.
The ssh_session_is_known_server() call will validate against any
fingerprint stored in the $HOME/.ssh/known_hosts file. The hashes
in this file will use the algorithm configured for the openssh
client, which will usually be SHA-256 on modern operating systems.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
plugins/ssh/ssh.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/plugins/ssh/ssh.c b/plugins/ssh/ssh.c
index 994e9834..6d18f18d 100644
--- a/plugins/ssh/ssh.c
+++ b/plugins/ssh/ssh.c
@@ -228,14 +228,6 @@ do_verify_remote_host (struct ssh_handle *h)
nbdkit_error ("could not get server public key");
return -1;
}
- rc = ssh_get_publickey_hash (srv_pubkey,
- SSH_PUBLICKEY_HASH_SHA1,
- &hash, &hlen);
- ssh_key_free (srv_pubkey);
- if (rc < 0) {
- nbdkit_error ("could not get server public key SHA1 hash");
- return -1;
- }
state = ssh_session_is_known_server (h->session);
switch (state) {
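Review bot: The new side of this hunk no longer releases the server key: `ssh_key_free (srv_pubkey);` was removed together with the SHA1 hash computation, but the call that fills srv_pubkey (above the hunk, presumably ssh_get_server_publickey(), judging by the error message) still allocates it, so every successful run of do_verify_remote_host now leaks the key unless it is freed in a part of the function not shown here. Keep the release right after the error check, `ssh_key_free (srv_pubkey);`, or, if fetching the key only served the now-removed fingerprint, drop that call and its error path as well. The `hash` and `hlen` locals are presumably declared near the top of the function and would now be unused, which will trip -Wunused-variable if the build uses -Werror; the declarations are outside this hunk. do_verify_remote_host starts before this hunk.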
@@ -245,13 +237,11 @@ do_verify_remote_host (struct ssh_handle *h)
case SSH_KNOWN_HOSTS_CHANGED:
nbdkit_error ("host key for server changed");
- ssh_clean_pubkey_hash (&hash);
return -1;
case SSH_KNOWN_HOSTS_OTHER:
nbdkit_error ("host key for server was not found "
"but another type of key exists");
- ssh_clean_pubkey_hash (&hash);
return -1;
case SSH_KNOWN_HOSTS_NOT_FOUND:
@@ -259,22 +249,18 @@ do_verify_remote_host (struct ssh_handle *h)
* host key is set up before using nbdkit so we error out here.
*/
nbdkit_error ("could not find known_hosts file");
- ssh_clean_pubkey_hash (&hash);
return -1;
case SSH_KNOWN_HOSTS_UNKNOWN:
nbdkit_error ("host key is unknown, you must use ssh first "
"and accept the host key");
- ssh_clean_pubkey_hash (&hash);
return -1;
case SSH_KNOWN_HOSTS_ERROR:
nbdkit_error ("known hosts error: %s", ssh_get_error (h->session));
- ssh_clean_pubkey_hash (&hash);
return -1;
}
- ssh_clean_pubkey_hash (&hash);
return 0;
}
--
2.31.1