authordtucker@openbsd.org <dtucker@openbsd.org>2019-01-24 17:00:29 +0000
committerDarren Tucker <dtucker@dtucker.net>2019-01-25 06:32:14 +1100
commit05b9a466700b44d49492edc2aa415fc2e8913dfe (patch)
tree44dfce8326dc37eb98d29cacba4916e54f4bd15a
parentbdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb (diff)
upstream: Accept the host key fingerprint as a synonym for "yes"
when accepting an unknown host key. This allows you to paste a fingerprint obtained out of band into the yes/no prompt and have the client do the comparison for you. ok markus@ djm@ OpenBSD-Commit-ID: 3c47d10b9f43d3d345e044fd9ec09709583a2767
-rw-r--r--sshconnect.c19
1 files changed, 11 insertions, 8 deletions
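diff --git a/sshconnect.c b/sshconnect.c
index 1a5f6a4c8..955671b4e 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.311 2019/01/19 21:36:38 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.312 2019/01/24 17:00:29 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -563,22 +563,24 @@ ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs,
 
 /* defaults to 'no' */
 static int
-confirm(const char *prompt)
+confirm(const char *prompt, const char *fingerprint)
 {
 	const char *msg, *again = "Please type 'yes' or 'no': ";
+	const char *again_fp = "Please type 'yes', 'no' or the fingerprint: ";
 	char *p;
 	int ret = -1;
 
 	if (options.batch_mode)
 		return 0;
-	for (msg = prompt;;msg = again) {
+	for (msg = prompt;;msg = fingerprint ? again_fp : again) {
 		p = read_passphrase(msg, RP_ECHO);
 		if (p == NULL)
 			return 0;
 		p[strcspn(p, "\n")] = '\0';
 		if (p[0] == '\0' || strcasecmp(p, "no") == 0)
 			ret = 0;
-		else if (strcasecmp(p, "yes") == 0)
+		else if (strcasecmp(p, "yes") == 0 || (fingerprint != NULL &&
+		    strcasecmp(p, fingerprint) == 0))
 			ret = 1;
 		free(p);
 		if (ret != -1)
@@ -706,7 +708,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 	char msg[1024];
 	const char *type;
 	const struct hostkey_entry *host_found, *ip_found;
-	int len, cancelled_forwarding = 0;
+	int len, cancelled_forwarding = 0, confirmed;
 	int local = sockaddr_is_local(hostaddr);
 	int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0;
 	int hostkey_trusted = 0; /* Known or explicitly accepted by user */
@@ -881,14 +883,15 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 		    "established%s\n"
 		    "%s key fingerprint is %s.%s%s\n%s"
 		    "Are you sure you want to continue connecting "
-		    "(yes/no)? ",
+		    "(yes/no/[fingerprint])? ",
 		    host, ip, msg1, type, fp,
 		    options.visual_host_key ? "\n" : "",
 		    options.visual_host_key ? ra : "",
 		    msg2);
 		free(ra);
+		confirmed = confirm(msg, fp);
 		free(fp);
-		if (!confirm(msg))
+		if (!confirmed)
 			goto fail;
 		hostkey_trusted = 1; /* user explicitly confirmed */
 	}
@@ -1082,7 +1085,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 		    SSH_STRICT_HOSTKEY_ASK) {
 			strlcat(msg, "\nAre you sure you want "
 			    "to continue connecting (yes/no)? ", sizeof(msg));
-			if (!confirm(msg))
+			if (!confirm(msg, NULL))
 				goto fail;
 		} else if (options.strict_host_key_checking !=
 		    SSH_STRICT_HOSTKEY_OFF) {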
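Review bot: The new `fingerprint` parameter of confirm() is undocumented; the only comment on the function is still `/* defaults to 'no' */`, and the contract that a NULL fingerprint disables the third answer is visible only from the `fingerprint != NULL` test inside the loop. I would extend the comment to `/* defaults to 'no'; if fingerprint is non-NULL, an answer equal to it is accepted as 'yes' */` so callers such as the `confirm(msg, NULL)` site in the last hunk know what NULL means. Note also that the match uses `strcasecmp`, so a pasted fingerprint that differs only in letter case is accepted; the `fp` string passed from check_host_key() is produced outside this hunk, and base64-style fingerprint encodings are case-sensitive, so `strcmp(p, fingerprint) == 0` would be the exact-match form — if the leniency is intentional for hand-typed input, a one-line comment saying so would help. A non-matching answer falls through with `ret == -1` and re-prompts rather than rejecting, which is the fail-closed behaviour one wants here. The body of confirm() continues past the end of its hunk.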