SSH: Expire hosts in known_hosts

author: Jan Cholasta <jcholast@redhat.com> 2012-09-25 04:29:29 -0400
committer: Jakub Hrozek <jhrozek@redhat.com> 2012-10-05 10:51:55 +0200
commit: 3882325ff60f89d0c312e9519bdfd1351978fd73 (patch)
tree: 1eb9a5b850ced04673a69c53f46d40d51384caa4 /src/responder
parent: 2d6836a90bd326391782a5753f70e8ba666b5def (diff)
download: sssd-3882325ff60f89d0c312e9519bdfd1351978fd73.tar.gz
sssd-3882325ff60f89d0c312e9519bdfd1351978fd73.tar.xz
sssd-3882325ff60f89d0c312e9519bdfd1351978fd73.zip
3 files changed, 21 insertions, 1 deletions
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index a423231b5..fe01f81f1 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -141,6 +141,17 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
         return ret;
     }
 
+    /* Get ssh_known_hosts_timeout option */
+    ret = confdb_get_int(ssh_ctx->rctx->cdb,
+                         CONFDB_SSH_CONF_ENTRY, CONFDB_SSH_KNOWN_HOSTS_TIMEOUT,
+                         CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT,
+                         &ssh_ctx->known_hosts_timeout);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, ("Error reading from confdb (%d) [%s]\n",
+              ret, strerror(ret)));
+        return ret;
+    }
+
     DEBUG(SSSDBG_TRACE_FUNC, ("SSH Initialization complete\n"));
 
     return EOK;
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index a47894bfe..ec988f09a 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -554,6 +554,7 @@ ssh_host_pubkeys_update_known_hosts(struct ssh_cmd_ctx *cmd_ctx)
     struct sss_domain_info *dom = cctx->rctx->domains;
     struct ssh_ctx *ssh_ctx = (struct ssh_ctx *)cctx->rctx->pvt_ctx;
     struct sysdb_ctx *sysdb;
+    time_t now = time(NULL);
     struct ldb_message **hosts;
     size_t num_hosts, i;
     struct sss_ssh_ent *ent;
@@ -567,6 +568,13 @@ ssh_host_pubkeys_update_known_hosts(struct ssh_cmd_ctx *cmd_ctx)
         return ENOMEM;
     }
 
+    ret = sysdb_update_ssh_known_host_expire(cmd_ctx->domain->sysdb,
+                                             cmd_ctx->name, now,
+                                             ssh_ctx->known_hosts_timeout);
+    if (ret != EOK) {
+        goto done;
+    }
+
     /* write known_hosts file */
     filename = talloc_strdup(tmp_ctx, SSS_SSH_KNOWN_HOSTS_TEMP_TMPL);
     if (!filename) {
@@ -592,7 +600,7 @@ ssh_host_pubkeys_update_known_hosts(struct ssh_cmd_ctx *cmd_ctx)
             goto done;
         }
 
-        ret = sysdb_get_ssh_known_hosts(tmp_ctx, sysdb, attrs,
+        ret = sysdb_get_ssh_known_hosts(tmp_ctx, sysdb, now, attrs,
                                         &hosts, &num_hosts);
         if (ret != EOK) {
             if (ret != ENOENT) {
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
index e228af4ad..4b13ca1df 100644
--- a/src/responder/ssh/sshsrv_private.h
+++ b/src/responder/ssh/sshsrv_private.h
@@ -33,6 +33,7 @@ struct ssh_ctx {
     struct resp_ctx *rctx;
 
     bool hash_known_hosts;
+    int known_hosts_timeout;
 };
 
 struct ssh_cmd_ctx {
author	Jan Cholasta <jcholast@redhat.com>	2012-09-25 04:29:29 -0400
committer	Jakub Hrozek <jhrozek@redhat.com>	2012-10-05 10:51:55 +0200
commit	3882325ff60f89d0c312e9519bdfd1351978fd73 (patch)
tree	1eb9a5b850ced04673a69c53f46d40d51384caa4 /src/responder
parent	2d6836a90bd326391782a5753f70e8ba666b5def (diff)
download	sssd-3882325ff60f89d0c312e9519bdfd1351978fd73.tar.gz sssd-3882325ff60f89d0c312e9519bdfd1351978fd73.tar.xz sssd-3882325ff60f89d0c312e9519bdfd1351978fd73.zip