From 3882325ff60f89d0c312e9519bdfd1351978fd73 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 25 Sep 2012 04:29:29 -0400
Subject: SSH: Expire hosts in known_hosts

---
 src/responder/ssh/sshsrv.c         | 11 +++++++++++
 src/responder/ssh/sshsrv_cmd.c     | 10 +++++++++-
 src/responder/ssh/sshsrv_private.h |  1 +
 3 files changed, 21 insertions(+), 1 deletion(-)

(limited to 'src/responder/ssh')

diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index a423231b..fe01f81f 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -141,6 +141,17 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
         return ret;
     }
 
+    /* Get ssh_known_hosts_timeout option */
+    ret = confdb_get_int(ssh_ctx->rctx->cdb,
+                         CONFDB_SSH_CONF_ENTRY, CONFDB_SSH_KNOWN_HOSTS_TIMEOUT,
+                         CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT,
+                         &ssh_ctx->known_hosts_timeout);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, ("Error reading from confdb (%d) [%s]\n",
+              ret, strerror(ret)));
+        return ret;
+    }
+
     DEBUG(SSSDBG_TRACE_FUNC, ("SSH Initialization complete\n"));
 
     return EOK;
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index a47894bf..ec988f09 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -554,6 +554,7 @@ ssh_host_pubkeys_update_known_hosts(struct ssh_cmd_ctx *cmd_ctx)
     struct sss_domain_info *dom = cctx->rctx->domains;
     struct ssh_ctx *ssh_ctx = (struct ssh_ctx *)cctx->rctx->pvt_ctx;
     struct sysdb_ctx *sysdb;
+    time_t now = time(NULL);
     struct ldb_message **hosts;
     size_t num_hosts, i;
     struct sss_ssh_ent *ent;
@@ -567,6 +568,13 @@ ssh_host_pubkeys_update_known_hosts(struct ssh_cmd_ctx *cmd_ctx)
         return ENOMEM;
     }
 
+    ret = sysdb_update_ssh_known_host_expire(cmd_ctx->domain->sysdb,
+                                             cmd_ctx->name, now,
+                                             ssh_ctx->known_hosts_timeout);
+    if (ret != EOK) {
+        goto done;
+    }
+
     /* write known_hosts file */
     filename = talloc_strdup(tmp_ctx, SSS_SSH_KNOWN_HOSTS_TEMP_TMPL);
     if (!filename) {
@@ -592,7 +600,7 @@ ssh_host_pubkeys_update_known_hosts(struct ssh_cmd_ctx *cmd_ctx)
             goto done;
         }
 
-        ret = sysdb_get_ssh_known_hosts(tmp_ctx, sysdb, attrs,
+        ret = sysdb_get_ssh_known_hosts(tmp_ctx, sysdb, now, attrs,
                                         &hosts, &num_hosts);
         if (ret != EOK) {
             if (ret != ENOENT) {
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
index e228af4a..4b13ca1d 100644
--- a/src/responder/ssh/sshsrv_private.h
+++ b/src/responder/ssh/sshsrv_private.h
@@ -33,6 +33,7 @@ struct ssh_ctx {
     struct resp_ctx *rctx;
 
     bool hash_known_hosts;
+    int known_hosts_timeout;
 };
 
 struct ssh_cmd_ctx {
-- 
cgit