authorDamien Miller <djm@mindrot.org>2003-06-04 20:31:53 +1000
committerDamien Miller <djm@mindrot.org>2003-06-04 20:31:53 +1000
commit941ac459ce52af15caddcfafce3cf611138600ce (patch)
treec3c8f939d0c21c7cc3c032d9bd4dddc220d65a4f
parent2527f5755a76a51093ce212c98003f379a9479aa (diff)
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/06/04 08:25:18 [sshconnect.c] disable challenge/response and keyboard-interactive auth methods upon hostkey mismatch. based on patch from fcusack AT fcusack.com. bz #580; ok markus@
-rw-r--r--ChangeLog8
-rw-r--r--sshconnect.c15
2 files changed, 20 insertions, 3 deletions
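--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,12 @@
  Patch from larsch@trustcenter.de; ok markus@
 - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from
  larsch@trustcenter.de; ok markus@
+- (djm) OpenBSD CVS Sync
+- djm@cvs.openbsd.org 2003/06/04 08:25:18
+[sshconnect.c]
+disable challenge/response and keyboard-interactive auth methods
+upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
+bz #580; ok markus@
 
 20030603
 - (djm) Replace setproctitle replacement with code derived from
@@ -433,4 +439,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
  Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2773 2003/06/04 09:22:06 djm Exp $
+$Id: ChangeLog,v 1.2774 2003/06/04 10:31:53 djm Exp $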
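--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $");
 
 #include <openssl/bn.h>
 
@@ -796,7 +796,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 
  /*
  * If strict host key checking has not been requested, allow
- * the connection but without password authentication or
+ * the connection but without MITM-able authentication or
  * agent forwarding.
  */
  if (options.password_authentication) {
@@ -804,6 +804,17 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
  "man-in-the-middle attacks.");
  options.password_authentication = 0;
  }
+ if (options.kbd_interactive_authentication) {
+ error("Keyboard-interactive authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.kbd_interactive_authentication = 0;
+ options.challenge_response_authentication = 0;
+ }
+ if (options.challenge_response_authentication) {
+ error("Challenge/response authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.challenge_response_authentication = 0;
+ }
  if (options.forward_agent) {
  error("Agent forwarding is disabled to avoid "
  "man-in-the-middle attacks.");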
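Review bot: New line 811 clears options.challenge_response_authentication inside the keyboard-interactive branch, so when both options are on the check at line 813 never fires and the user is told only that keyboard-interactive was disabled while challenge/response is switched off silently; the two messages are therefore not consistent. Presumably the joint clearing is because ChallengeResponseAuthentication also gates keyboard-interactive in the SSH2 method list — worth confirming against sshconnect2.c, and if so the first message should name both methods, e.g. `error("Keyboard-interactive and challenge/response authentication are disabled"` at line 808, with a why-comment above line 811 such as `/* challenge/response also enables keyboard-interactive; clear both */`. Otherwise drop line 811 so each method reports its own message. The enclosing check_host_key() begins before and continues after this hunk, so whether the same clearing is needed on other failure paths of that function is not visible here.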