upstream: It really looks like pledge "stdio dns" is possible

earlier. Discussed with mestre

OpenBSD-Commit-ID: 610873de63a593e0ac7bbbcb7a0f2894d36f4c01

diff --git a/ssh-keysign.c b/ssh-keysign.c
index 8b3c9a2964425109e5df1f22b218913a489e0919..6e118592175e8488fbd120b69a04b4a3497df235 100644 (file)
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.68 2021/11/10 06:25:08 djm Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.69 2021/11/13 17:26:13 deraadt Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl.  All rights reserved.
  *
@@ -215,6 +215,9 @@ main(int argc, char **argv)
                fatal("ssh-keysign not enabled in %s",
                    _PATH_HOST_CONFIG_FILE);
 
+       if (pledge("stdio dns", NULL) != 0)
+               fatal("%s: pledge: %s", __progname, strerror(errno));
+
        for (i = found = 0; i < NUM_KEYTYPES; i++) {
                if (key_fd[i] != -1)
                        found = 1;
@@ -240,9 +243,6 @@ main(int argc, char **argv)
        if (!found)
                fatal("no hostkey found");
 
-       if (pledge("stdio dns", NULL) != 0)
-               fatal("%s: pledge: %s", __progname, strerror(errno));
-
        if ((b = sshbuf_new()) == NULL)
                fatal("%s: sshbuf_new failed", __progname);
        if (ssh_msg_recv(STDIN_FILENO, b) < 0)