Github user necouchman commented on a diff in the pull request:

    https://github.com/apache/guacamole-server/pull/164#discussion_r197887124
  
    --- Diff: src/common-ssh/key.c ---
    @@ -245,3 +246,86 @@ int guac_common_ssh_key_sign(guac_common_ssh_key* key, 
const char* data,
     
     }
     
    +int guac_common_ssh_verify_host_key(LIBSSH2_SESSION* session, guac_client* 
client,
    +        const char* host_key, const char* hostname, int port, const char* 
fingerprint,
    +        const size_t fp_len) {
    +
    +    LIBSSH2_KNOWNHOSTS* ssh_known_hosts = libssh2_knownhost_init(session);
    +    int known_hosts = 0;
    +
    +    /* Add host key provided from settings */
    +    if (host_key && strcmp(host_key, "") != 0) {
    +
    +        known_hosts = libssh2_knownhost_readline(ssh_known_hosts, 
host_key, strlen(host_key),
    +                LIBSSH2_KNOWNHOST_FILE_OPENSSH);
    +
    +        /* readline function returns 0 on success, so we increment to 
indicate a valid entry */
    +        if (known_hosts == 0)
    +            known_hosts++;
    +
    +    }
    +
    +    /* Otherwise, we look for a ssh_known_hosts file within GUACAMOLE_HOME 
and read that in. */
    +    else {
    +
    +        const char *guac_known_hosts = "/etc/guacamole/ssh_known_hosts";
    +        if (access(guac_known_hosts, F_OK) != -1)
    +            known_hosts = libssh2_knownhost_readfile(ssh_known_hosts, 
guac_known_hosts, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
    +
    +    }
    +
    +    /* If there's an error provided, abort connection and return that. */
    +    if (known_hosts < 0) {
    +
    +        char* errmsg;
    +        int errval = libssh2_session_last_error(session, &errmsg, NULL, 0);
    +        guac_client_log(client, GUAC_LOG_ERROR,
    +            "Error %d trying to load SSH host keys: %s", errval, errmsg);
    +
    +        libssh2_knownhost_free(ssh_known_hosts);
    +        return known_hosts;
    +
    +    }
    +
    +    /* No host keys were loaded, so we bail out checking and continue the 
connection. */
    +    else if (known_hosts == 0) {
    +        guac_client_log(client, GUAC_LOG_WARNING,
    +            "No known host keys provided, host identity will not be 
verified.");
    +        libssh2_knownhost_free(ssh_known_hosts);
    +        return known_hosts;
    +    }
    +
    +
    +    /* Check fingerprint against known hosts */
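Review bot: The `known_hosts == 0` branch logs a warning and returns 0, so a connection with no key in settings, or with an existing `/etc/guacamole/ssh_known_hosts` that yields no entries, continues with no host identity check at all. From the visible lines the caller cannot tell this apart from a successful verification if that path also returns 0; the rest of the function lies outside the hunk, so this needs confirming. Consider returning a distinct positive value for "not verified", or making the fail-open behaviour an explicit opt-in setting, so that a missing or emptied known-hosts file does not silently disable verification. Separately, `libssh2_knownhost_init(session)` can return NULL, and the result is passed to the read functions unchecked; a guard such as `if (ssh_known_hosts == NULL) return -1;` (with a log line) before first use would cover it.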
    --- End diff --
    
    Changed the nomenclature, here.


---
