gnu: lftp: Don't save unknown SSH host fingerprints to known_hosts by default.
* gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/ftp.scm (lftp): Add patch.
parent
b3886e0c53
commit
87d7928294
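--- a/gnu-system.am
+++ b/gnu-system.am
@@ -442,6 +442,7 @@ dist_patch_DATA = \
 gnu/packages/patches/irrlicht-mesa-10.patch \
 gnu/packages/patches/jbig2dec-ignore-testtest.patch \
 gnu/packages/patches/kmod-module-directory.patch \
+gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch \
 gnu/packages/patches/libarchive-CVE-2013-0211.patch \
 gnu/packages/patches/libarchive-fix-lzo-test-case.patch \
 gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \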
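--- a/gnu/packages/ftp.scm
+++ b/gnu/packages/ftp.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,7 +40,10 @@
 version ".tar.xz"))
 (sha256
 (base32
-"1grmp8zg7cjgjinz66mrh53whigkqzl90nlxj05hapnhk3ns3vni"))))
+"1grmp8zg7cjgjinz66mrh53whigkqzl90nlxj05hapnhk3ns3vni"))
+(patches
+(list (search-patch
+"lftp-dont-save-unknown-host-fingerprint.patch")))))
 (build-system gnu-build-system)
 (native-inputs
 `(("pkg-config" ,pkg-config)))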
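Review bot: The new `(patches ...)` form does not record where the patch comes from, so whoever next bumps lftp cannot tell from ftp.scm whether it can be dropped; the patch file's own header says it is upstream commit bc7b476e, and that should be visible at the point of use. Add a comment above the `(patches` line, e.g. `;; Backport of upstream commit bc7b476e; drop once the packaged release contains it.` The surrounding `(origin ...)`/package form starts and ends outside the hunk.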
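--- /dev/null
+++ b/gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch
@@ -0,0 +1,81 @@
+Fixes "saves unknown host's fingerprint in known_hosts without any prompt".
+See:
+
+https://github.com/lavv17/lftp/issues/116
+https://bugs.debian.org/774769
+
+From bc7b476e782d77839765f56bbdb4cee9f36b54ec Mon Sep 17 00:00:00 2001
+From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
+Date: Tue, 13 Jan 2015 15:33:54 +0300
+Subject: [PATCH] add settings fish:auto-confirm and sftp:auto-confirm
+
+New host keys are now not confirmed by default, this should improve security.
+Suggested by Marcin Szewczyk <Marcin.Szewczyk@wodny.org>
+---
+doc/lftp.1 | 8 ++++++++
+src/SSH_Access.cc | 5 +++--
+src/resource.cc | 2 ++
+3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/doc/lftp.1 b/doc/lftp.1
+index cabc1be..ed6c388 100644
+--- a/doc/lftp.1
++++ b/doc/lftp.1
+@@ -1384,6 +1384,10 @@ address family in dns:order.
+.BR file:charset \ (string)
+local character set. It is set from current locale initially.
+.TP
++.BR fish:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+.BR fish:charset \ (string)
+the character set used by fish server in requests, replies and file listings.
+Default is empty which means the same as local.
+@@ -1952,6 +1956,10 @@ minimal chunk size to split the file to.
+save pget transfer status this often. Set to `never' to disable saving of the status file.
+The status is saved to a file with suffix \fI.lftp-pget-status\fP.
+.TP
++.BR sftp:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+.BR sftp:charset \ (string)
+the character set used by SFTP server in file names and file listings.
+Default is empty which means the same as local. This setting is only used
+diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc
+index 706fc6a..17c716d 100644
+--- a/src/SSH_Access.cc
++++ b/src/SSH_Access.cc
+@@ -72,8 +72,9 @@ int SSH_Access::HandleSSHMessage()
+}
+if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
+{
+- pty_recv_buf->Put("yes\n");
+- pty_send_buf->Put("yes\n");
++ const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n";
++ pty_recv_buf->Put(answer);
++ pty_send_buf->Put(answer);
+return m;
+}
+if(!received_greeting && recv_buf->Size()>0)
+diff --git a/src/resource.cc b/src/resource.cc
+index 91b2e60..3a5e8b9 100644
+--- a/src/resource.cc
++++ b/src/resource.cc
+@@ -339,6 +339,7 @@ static ResType lftp_vars[] = {
+{"mirror:no-empty-dirs", "no", ResMgr::BoolValidate,ResMgr::NoClosure},
+{"mirror:require-source", "no", ResMgr::BoolValidate,ResMgr::NoClosure},
+
++ {"sftp:auto-confirm", "no", ResMgr::BoolValidate,0},
+{"sftp:max-packets-in-flight","16", ResMgr::UNumberValidate,0},
+{"sftp:protocol-version", "6", ResMgr::UNumberValidate,0},
+{"sftp:size-read", "32k", ResMgr::UNumberValidate,0},
+@@ -367,6 +368,7 @@ static ResType lftp_vars[] = {
+{"dns:strict-dnssec", "no", ResMgr::BoolValidate,0},
+#endif
+
++ {"fish:auto-confirm", "no", ResMgr::BoolValidate,0},
+{"fish:shell", "/bin/sh",0,0},
+{"fish:connect-program", "ssh -a -x",0,0},
+{"fish:charset", "", ResMgr::CharsetValidate,0},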
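Review bot: The header note added at the top of this patch file describes only the old behaviour it fixes, not the new failure mode a Guix user will hit: with `auto-confirm` defaulting to `"no"`, the `HandleSSHMessage` hunk answers `no` to every ssh prompt the `y` pattern matches, so a first connection to a host not already in `~/.ssh/known_hosts` will now be refused, and nothing in the hunk shows the host's fingerprint to let the user verify and accept it from within lftp. Say so in the note, e.g. `Hosts not yet in ~/.ssh/known_hosts must be added out of band (an interactive ssh session, or ssh-keyscan followed by manual fingerprint verification), or sftp:auto-confirm / fish:auto-confirm set to yes for that host.` The body of `HandleSSHMessage`, including where the prompt pattern `y` is set, lies outside the hunk, so whether a changed (rather than unknown) host key reaches this branch cannot be confirmed from here.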