authorDarren Tucker <dtucker@zip.com.au>2008-07-02 22:33:55 +1000
committerDarren Tucker <dtucker@zip.com.au>2008-07-02 22:33:55 +1000
commit068e01f53f80e94491fd525f689c33b21948f8dd (patch)
treeed3f3f7cdaad4042868c5278fcf77f1908f03765
parent1f781b194fb83f8bc40d448de8162890d1eea93f (diff)
- dtucker@cvs.openbsd.org 2008/07/01 07:20:52
[sshconnect.c] Check ExitOnForwardFailure if forwardings are disabled due to a failed host key check. ok djm@
-rw-r--r--ChangeLog6
-rw-r--r--sshconnect.c15
2 files changed, 18 insertions, 3 deletions
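diff --git a/ChangeLog b/ChangeLog
index be4ed7e20..d7a516fa1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,10 @@
  - djm@cvs.openbsd.org 2008/06/30 12:18:34
  [PROTOCOL]
  clarify that eow@openssh.com is only sent on session channels
+ - dtucker@cvs.openbsd.org 2008/07/01 07:20:52
+ [sshconnect.c]
+ Check ExitOnForwardFailure if forwardings are disabled due to a failed
+ host key check. ok djm@
 
 20080630
  - (djm) OpenBSD CVS Sync
@@ -4496,4 +4500,4 @@
  OpenServer 6 and add osr5bigcrypt support so when someone migrates
  passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.5042 2008/07/02 12:33:16 dtucker Exp $
+$Id: ChangeLog,v 1.5043 2008/07/02 12:33:55 dtucker Exp $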
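diff --git a/sshconnect.c b/sshconnect.c
index 9c1550a96..8c5f66dd5 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.209 2008/06/26 11:46:31 grunk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.210 2008/07/01 07:20:52 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -596,7 +596,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
  int salen;
  char ntop[NI_MAXHOST];
  char msg[1024];
- int len, host_line, ip_line;
+ int len, host_line, ip_line, cancelled_forwarding = 0;
  const char *host_file = NULL, *ip_file = NULL;
 
  /*
@@ -878,27 +878,32 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
  error("Password authentication is disabled to avoid "
  "man-in-the-middle attacks.");
  options.password_authentication = 0;
+ cancelled_forwarding = 1;
  }
  if (options.kbd_interactive_authentication) {
  error("Keyboard-interactive authentication is disabled"
  " to avoid man-in-the-middle attacks.");
  options.kbd_interactive_authentication = 0;
  options.challenge_response_authentication = 0;
+ cancelled_forwarding = 1;
  }
  if (options.challenge_response_authentication) {
  error("Challenge/response authentication is disabled"
  " to avoid man-in-the-middle attacks.");
  options.challenge_response_authentication = 0;
+ cancelled_forwarding = 1;
  }
  if (options.forward_agent) {
  error("Agent forwarding is disabled to avoid "
  "man-in-the-middle attacks.");
  options.forward_agent = 0;
+ cancelled_forwarding = 1;
  }
  if (options.forward_x11) {
  error("X11 forwarding is disabled to avoid "
  "man-in-the-middle attacks.");
  options.forward_x11 = 0;
+ cancelled_forwarding = 1;
  }
  if (options.num_local_forwards > 0 ||
  options.num_remote_forwards > 0) {
@@ -906,12 +911,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
  "man-in-the-middle attacks.");
  options.num_local_forwards =
  options.num_remote_forwards = 0;
+ cancelled_forwarding = 1;
  }
  if (options.tun_open != SSH_TUNMODE_NO) {
  error("Tunnel forwarding is disabled to avoid "
  "man-in-the-middle attacks.");
  options.tun_open = SSH_TUNMODE_NO;
+ cancelled_forwarding = 1;
  }
+ if (options.exit_on_forward_failure && cancelled_forwarding)
+ fatal("Error: forwarding disabled due to host key "
+ "check failure");
+
  /*
  * XXX Should permit the user to change to use the new id.
  * This could be done by converting the host key to an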
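Review bot: `cancelled_forwarding` is also set in the three authentication branches (password, keyboard-interactive, challenge/response), so as far as this hunk shows, with ExitOnForwardFailure=yes a session that has no forwardings configured but still has PasswordAuthentication enabled now dies in fatal() with a message that only mentions forwarding. Failing closed after a failed host key check is the safer behaviour, so I would keep the abort rather than narrow the flag to the agent/X11/port/tunnel branches, but the message and the flag name should reflect what was actually disabled, e.g. `fatal("Error: forwarding or authentication method disabled due to host key check failure");`. A one-line comment at the declaration, such as `/* set when the failed host key check disabled any forwarding or auth method */`, would make the flag's scope clear to the next reader. check_host_key() starts and ends outside the hunk, so this note does not cover the other paths that reach this point.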