diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-03 03:51:15 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-03 03:51:15 +0000 |
| commit | 5c1fbabc5d2cd082add2c5cdbbf3749c81d61892 (patch) | |
| tree | ef28c64a4634d672297e6c55989f82c72d77ed8b | |
| parent | 88c33974b2a8ace947fa012348cb1e12e04cf615 (diff) | |
20010103
- (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD
tree (mainly positioning)
- (bal) OpenSSH CVS Update
- markus@cvs.openbsd.org 2001/01/02 20:41:02
[packet.c]
log remote ip on disconnect; PR 1600 from jcs@rt.fm
- markus@cvs.openbsd.org 2001/01/02 20:50:56
[sshconnect.c]
strict_host_key_checking for host_status != HOST_CHANGED &&
ip_status == HOST_CHANGED
| -rw-r--r-- | ChangeLog | 12 | ||||
| -rw-r--r-- | packet.c | 8 | ||||
| -rw-r--r-- | sshconnect.c | 96 |
3 files changed, 68 insertions, 48 deletions
| @@ -1,3 +1,15 @@ | |||
| 1 | 20010103 | ||
| 2 | - (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD | ||
| 3 | tree (mainly positioning) | ||
| 4 | - (bal) OpenSSH CVS Update | ||
| 5 | - markus@cvs.openbsd.org 2001/01/02 20:41:02 | ||
| 6 | [packet.c] | ||
| 7 | log remote ip on disconnect; PR 1600 from jcs@rt.fm | ||
| 8 | - markus@cvs.openbsd.org 2001/01/02 20:50:56 | ||
| 9 | [sshconnect.c] | ||
| 10 | strict_host_key_checking for host_status != HOST_CHANGED && | ||
| 11 | ip_status == HOST_CHANGED | ||
| 12 | |||
| 1 | 20010102 | 13 | 20010102 |
| 2 | - (bal) OpenBSD CVS Update | 14 | - (bal) OpenBSD CVS Update |
| 3 | - markus@cvs.openbsd.org 2001/01/01 14:52:49 | 15 | - markus@cvs.openbsd.org 2001/01/01 14:52:49 |
| @@ -37,7 +37,7 @@ | |||
| 37 | */ | 37 | */ |
| 38 | 38 | ||
| 39 | #include "includes.h" | 39 | #include "includes.h" |
| 40 | RCSID("$OpenBSD: packet.c,v 1.40 2000/12/19 23:17:57 markus Exp $"); | 40 | RCSID("$OpenBSD: packet.c,v 1.41 2001/01/02 20:41:02 markus Exp $"); |
| 41 | 41 | ||
| 42 | #include "xmalloc.h" | 42 | #include "xmalloc.h" |
| 43 | #include "buffer.h" | 43 | #include "buffer.h" |
| @@ -979,7 +979,8 @@ packet_read_poll(int *payload_len_ptr) | |||
| 979 | case SSH2_MSG_DISCONNECT: | 979 | case SSH2_MSG_DISCONNECT: |
| 980 | reason = packet_get_int(); | 980 | reason = packet_get_int(); |
| 981 | msg = packet_get_string(NULL); | 981 | msg = packet_get_string(NULL); |
| 982 | log("Received disconnect: %d: %.900s", reason, msg); | 982 | log("Received disconnect from %s: %d: %.400s", get_remote_ipaddr(), |
| 983 | reason, msg); | ||
| 983 | xfree(msg); | 984 | xfree(msg); |
| 984 | fatal_cleanup(); | 985 | fatal_cleanup(); |
| 985 | break; | 986 | break; |
| @@ -998,7 +999,8 @@ packet_read_poll(int *payload_len_ptr) | |||
| 998 | break; | 999 | break; |
| 999 | case SSH_MSG_DISCONNECT: | 1000 | case SSH_MSG_DISCONNECT: |
| 1000 | msg = packet_get_string(NULL); | 1001 | msg = packet_get_string(NULL); |
| 1001 | log("Received disconnect: %.900s", msg); | 1002 | log("Received disconnect from %s: %.400s", get_remote_ipaddr(), |
| 1003 | msg); | ||
| 1002 | fatal_cleanup(); | 1004 | fatal_cleanup(); |
| 1003 | xfree(msg); | 1005 | xfree(msg); |
| 1004 | break; | 1006 | break; |
diff --git a/sshconnect.c b/sshconnect.c index 22e691424..2102bef6f 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -13,7 +13,7 @@ | |||
| 13 | */ | 13 | */ |
| 14 | 14 | ||
| 15 | #include "includes.h" | 15 | #include "includes.h" |
| 16 | RCSID("$OpenBSD: sshconnect.c,v 1.87 2000/12/28 14:25:03 markus Exp $"); | 16 | RCSID("$OpenBSD: sshconnect.c,v 1.88 2001/01/02 20:50:56 markus Exp $"); |
| 17 | 17 | ||
| 18 | #include <openssl/bn.h> | 18 | #include <openssl/bn.h> |
| 19 | #include <openssl/dsa.h> | 19 | #include <openssl/dsa.h> |
| @@ -417,7 +417,7 @@ read_yes_or_no(const char *prompt, int defval) | |||
| 417 | FILE *f; | 417 | FILE *f; |
| 418 | int retval = -1; | 418 | int retval = -1; |
| 419 | 419 | ||
| 420 | if (isatty(0)) | 420 | if (isatty(STDIN_FILENO)) |
| 421 | f = stdin; | 421 | f = stdin; |
| 422 | else | 422 | else |
| 423 | f = fopen("/dev/tty", "rw"); | 423 | f = fopen("/dev/tty", "rw"); |
| @@ -472,7 +472,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 472 | int local = 0, host_ip_differ = 0; | 472 | int local = 0, host_ip_differ = 0; |
| 473 | int salen; | 473 | int salen; |
| 474 | char ntop[NI_MAXHOST]; | 474 | char ntop[NI_MAXHOST]; |
| 475 | int host_line = -1, ip_line = -1; | 475 | int host_line, ip_line; |
| 476 | const char *host_file = NULL, *ip_file = NULL; | 476 | const char *host_file = NULL, *ip_file = NULL; |
| 477 | 477 | ||
| 478 | /* | 478 | /* |
| @@ -498,38 +498,36 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 498 | salen = sizeof(struct sockaddr_storage); | 498 | salen = sizeof(struct sockaddr_storage); |
| 499 | break; | 499 | break; |
| 500 | } | 500 | } |
| 501 | if (local) { | 501 | if (local && options.host_key_alias == NULL) { |
| 502 | if (options.host_key_alias == NULL) { | 502 | debug("Forcing accepting of host key for " |
| 503 | debug("Forcing accepting of host key for " | 503 | "loopback/localhost."); |
| 504 | "loopback/localhost."); | 504 | return; |
| 505 | return; | ||
| 506 | } | ||
| 507 | if (options.check_host_ip) | ||
| 508 | options.check_host_ip = 0; | ||
| 509 | } | 505 | } |
| 510 | 506 | ||
| 511 | /* | 507 | /* |
| 512 | * Turn off check_host_ip for proxy connects, since | 508 | * We don't have the remote ip-address for connections |
| 513 | * we don't have the remote ip-address | 509 | * using a proxy command |
| 510 | */ | ||
| 511 | if (options.proxy_command == NULL) { | ||
| 512 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), | ||
| 513 | NULL, 0, NI_NUMERICHOST) != 0) | ||
| 514 | fatal("check_host_key: getnameinfo failed"); | ||
| 515 | ip = xstrdup(ntop); | ||
| 516 | } else { | ||
| 517 | ip = xstrdup("<no hostip for proxy command>"); | ||
| 518 | } | ||
| 519 | /* | ||
| 520 | * Turn off check_host_ip if the connection is to localhost, via proxy | ||
| 521 | * command or if we don't have a hostname to compare with | ||
| 514 | */ | 522 | */ |
| 515 | if (options.proxy_command != NULL && options.check_host_ip) | 523 | if (options.check_host_ip && |
| 524 | (local || strcmp(host, ip) == 0 || options.proxy_command != NULL)) | ||
| 516 | options.check_host_ip = 0; | 525 | options.check_host_ip = 0; |
| 517 | 526 | ||
| 518 | |||
| 519 | |||
| 520 | if (options.proxy_command == NULL) { | ||
| 521 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), | ||
| 522 | NULL, 0, NI_NUMERICHOST) != 0) | ||
| 523 | fatal("check_host_key: getnameinfo failed"); | ||
| 524 | ip = xstrdup(ntop); | ||
| 525 | } else { | ||
| 526 | ip = xstrdup("<no hostip for proxy command>"); | ||
| 527 | } | ||
| 528 | |||
| 529 | /* | 527 | /* |
| 530 | * Allow the user to record the key under a different name. This is | 528 | * Allow the user to record the key under a different name. This is |
| 531 | * useful for ssh tunneling over forwarded connections or if you run | 529 | * useful for ssh tunneling over forwarded connections or if you run |
| 532 | * multiple sshd's on different ports on the same machine. | 530 | * multiple sshd's on different ports on the same machine. |
| 533 | */ | 531 | */ |
| 534 | if (options.host_key_alias != NULL) { | 532 | if (options.host_key_alias != NULL) { |
| 535 | host = options.host_key_alias; | 533 | host = options.host_key_alias; |
| @@ -556,7 +554,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 556 | * Also perform check for the ip address, skip the check if we are | 554 | * Also perform check for the ip address, skip the check if we are |
| 557 | * localhost or the hostname was an ip address to begin with | 555 | * localhost or the hostname was an ip address to begin with |
| 558 | */ | 556 | */ |
| 559 | if (options.check_host_ip && !local && strcmp(host, ip)) { | 557 | if (options.check_host_ip) { |
| 560 | Key *ip_key = key_new(host_key->type); | 558 | Key *ip_key = key_new(host_key->type); |
| 561 | 559 | ||
| 562 | ip_file = user_hostfile; | 560 | ip_file = user_hostfile; |
| @@ -581,21 +579,13 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 581 | debug("Host '%.200s' is known and matches the %s host key.", | 579 | debug("Host '%.200s' is known and matches the %s host key.", |
| 582 | host, type); | 580 | host, type); |
| 583 | debug("Found key in %s:%d", host_file, host_line); | 581 | debug("Found key in %s:%d", host_file, host_line); |
| 584 | if (options.check_host_ip) { | 582 | if (options.check_host_ip && ip_status == HOST_NEW) { |
| 585 | if (ip_status == HOST_NEW) { | 583 | if (!add_host_to_hostfile(user_hostfile, ip, host_key)) |
| 586 | if (!add_host_to_hostfile(user_hostfile, ip, host_key)) | 584 | log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).", |
| 587 | log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).", | 585 | type, ip, user_hostfile); |
| 588 | type, ip, user_hostfile); | 586 | else |
| 589 | else | 587 | log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.", |
| 590 | log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.", | 588 | type, ip); |
| 591 | type, ip); | ||
| 592 | } else if (ip_status != HOST_OK) { | ||
| 593 | log("Warning: the %s host key for '%.200s' differs from the key for the IP address '%.30s'", | ||
| 594 | type, host, ip); | ||
| 595 | log("Found key in %s:%d", host_file, host_line); | ||
| 596 | if (ip_line != -1) | ||
| 597 | log("Offending key for IP in %s:%d", ip_file, ip_line); | ||
| 598 | } | ||
| 599 | } | 589 | } |
| 600 | break; | 590 | break; |
| 601 | case HOST_NEW: | 591 | case HOST_NEW: |
| @@ -615,7 +605,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 615 | if (!read_yes_or_no(prompt, -1)) | 605 | if (!read_yes_or_no(prompt, -1)) |
| 616 | fatal("Aborted by user!\n"); | 606 | fatal("Aborted by user!\n"); |
| 617 | } | 607 | } |
| 618 | if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) { | 608 | if (options.check_host_ip && ip_status == HOST_NEW) { |
| 619 | snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); | 609 | snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); |
| 620 | hostp = hostline; | 610 | hostp = hostline; |
| 621 | } else | 611 | } else |
| @@ -646,7 +636,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 646 | error("%s. This could either mean that", msg); | 636 | error("%s. This could either mean that", msg); |
| 647 | error("DNS SPOOFING is happening or the IP address for the host"); | 637 | error("DNS SPOOFING is happening or the IP address for the host"); |
| 648 | error("and its host key have changed at the same time."); | 638 | error("and its host key have changed at the same time."); |
| 649 | if (ip_line != -1) | 639 | if (ip_status != HOST_NEW) |
| 650 | error("Offending key for IP in %s:%d", ip_file, ip_line); | 640 | error("Offending key for IP in %s:%d", ip_file, ip_line); |
| 651 | } | 641 | } |
| 652 | /* The host key has changed. */ | 642 | /* The host key has changed. */ |
| @@ -701,6 +691,22 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 701 | break; | 691 | break; |
| 702 | } | 692 | } |
| 703 | 693 | ||
| 694 | if (options.check_host_ip && host_status != HOST_CHANGED && | ||
| 695 | ip_status == HOST_CHANGED) { | ||
| 696 | log("Warning: the %s host key for '%.200s' " | ||
| 697 | "differs from the key for the IP address '%.30s'", | ||
| 698 | type, host, ip); | ||
| 699 | if (host_status == HOST_OK) | ||
| 700 | log("Matching host key in %s:%d", host_file, host_line); | ||
| 701 | log("Offending key for IP in %s:%d", ip_file, ip_line); | ||
| 702 | if (options.strict_host_key_checking == 1) { | ||
| 703 | fatal("Exiting, you have requested strict checking."); | ||
| 704 | } else if (options.strict_host_key_checking == 2) { | ||
| 705 | if (!read_yes_or_no("Continue?", -1)) | ||
| 706 | fatal("Aborted by user!\n"); | ||
| 707 | } | ||
| 708 | } | ||
| 709 | |||
| 704 | xfree(ip); | 710 | xfree(ip); |
| 705 | } | 711 | } |
| 706 | 712 | ||