author | dtucker@openbsd.org <dtucker@openbsd.org> | 2019-01-24 17:00:29 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2019-01-25 06:32:14 +1100 |
commit | 05b9a466700b44d49492edc2aa415fc2e8913dfe (patch) | |
tree | 44dfce8326dc37eb98d29cacba4916e54f4bd15a | |
parent | bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb (diff) |
upstream: Accept the host key fingerprint as a synonym for "yes"
when accepting an unknown host key. This allows you to paste a fingerprint
obtained out of band into the yes/no prompt and have the client do the
comparison for you. ok markus@ djm@
OpenBSD-Commit-ID: 3c47d10b9f43d3d345e044fd9ec09709583a2767
-rw-r--r-- | sshconnect.c | 19 |
1 files changed, 11 insertions, 8 deletions
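--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.311 2019/01/19 21:36:38 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.312 2019/01/24 17:00:29 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -563,22 +563,24 @@ ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs,
 
 /* defaults to 'no' */
 static int
-confirm(const char *prompt)
+confirm(const char *prompt, const char *fingerprint)
 {
 	const char *msg, *again = "Please type 'yes' or 'no': ";
+	const char *again_fp = "Please type 'yes', 'no' or the fingerprint: ";
 	char *p;
 	int ret = -1;
 
 	if (options.batch_mode)
 		return 0;
-	for (msg = prompt;;msg = again) {
+	for (msg = prompt;;msg = fingerprint ? again_fp : again) {
 		p = read_passphrase(msg, RP_ECHO);
 		if (p == NULL)
 			return 0;
 		p[strcspn(p, "\n")] = '\0';
 		if (p[0] == '\0' || strcasecmp(p, "no") == 0)
 			ret = 0;
-		else if (strcasecmp(p, "yes") == 0)
+		else if (strcasecmp(p, "yes") == 0 || (fingerprint != NULL &&
+		    strcasecmp(p, fingerprint) == 0))
 			ret = 1;
 		free(p);
 		if (ret != -1)
@@ -706,7 +708,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 	char msg[1024];
 	const char *type;
 	const struct hostkey_entry *host_found, *ip_found;
-	int len, cancelled_forwarding = 0;
+	int len, cancelled_forwarding = 0, confirmed;
 	int local = sockaddr_is_local(hostaddr);
 	int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0;
 	int hostkey_trusted = 0;	/* Known or explicitly accepted by user */
@@ -881,14 +883,15 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 		    "established%s\n"
 		    "%s key fingerprint is %s.%s%s\n%s"
 		    "Are you sure you want to continue connecting "
-		    "(yes/no)? ",
+		    "(yes/no/[fingerprint])? ",
 		    host, ip, msg1, type, fp,
 		    options.visual_host_key ? "\n" : "",
 		    options.visual_host_key ? ra : "",
 		    msg2);
 		free(ra);
+		confirmed = confirm(msg, fp);
 		free(fp);
-		if (!confirm(msg))
+		if (!confirmed)
 			goto fail;
 		hostkey_trusted = 1;	/* user explicitly confirmed */
 	}
@@ -1082,7 +1085,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 		    SSH_STRICT_HOSTKEY_ASK) {
 			strlcat(msg, "\nAre you sure you want "
 			    "to continue connecting (yes/no)? ", sizeof(msg));
-			if (!confirm(msg))
+			if (!confirm(msg, NULL))
 				goto fail;
 		} else if (options.strict_host_key_checking !=
 		    SSH_STRICT_HOSTKEY_OFF) {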
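Review bot: The fingerprint branch added to confirm() (new lines 582-583) compares with strcasecmp, but the fp string that check_host_key hands in is the same one printed in the prompt, and for the default SHA256 form that is base64, where letter case is significant; a case-insensitive compare therefore accepts more strings than the one fingerprint the user is meant to verify, so `strcasecmp(p, fingerprint) == 0` should be `strcmp(p, fingerprint) == 0`. The practical weakening against a 256-bit digest is small, but the check exists purely to do an exact comparison and there is no reason to discard case bits; if a hex-form fingerprint selected by options.fingerprint_hash is meant to match case-insensitively, that is worth a comment rather than a weaker compare for every format. The header comment above the function should also describe the new parameter, e.g. `/* defaults to 'no'; a non-NULL fingerprint is accepted as a synonym for 'yes' */`. confirm()'s loop body continues past the end of the hunk.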