- dtucker@cvs.openbsd.org 2006/07/10 12:46:51

     [misc.c misc.h sshd.8 sshconnect.c]
     Add port identifier to known_hosts for non-default ports, based originally
     on a patch from Devin Nate in bz#910.
     For any connection using the default port or using a HostKeyAlias the
     format is unchanged, otherwise the host name or address is enclosed
     within square brackets in the same format as sshd's ListenAddress.
     Tested by many, ok markus@.

5 files changed, 53 insertions, 14 deletions

diff --git a/ChangeLog b/ChangeLog
index beb4a4fa2..56cee8708 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -96,6 +96,14 @@
      [channels.c]
      fix misparsing of SOCKS 5 packets that could result in a crash;
      reported by mk@ ok markus@
+   - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
+     [misc.c misc.h sshd.8 sshconnect.c]
+     Add port identifier to known_hosts for non-default ports, based originally
+     on a patch from Devin Nate in bz#910.
+     For any connection using the default port or using a HostKeyAlias the
+     format is unchanged, otherwise the host name or address is enclosed
+     within square brackets in the same format as sshd's ListenAddress.
+     Tested by many, ok markus@.
 
 20060706
  - (dtucker) [configure.ac] Try AIX blibpath test in different order when
@@ -4829,4 +4837,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4383 2006/07/10 12:21:02 djm Exp $
+$Id: ChangeLog,v 1.4384 2006/07/10 13:04:19 dtucker Exp $
diff --git a/misc.c b/misc.c
index 2abb14051..a65b1fded 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.55 2006/07/09 15:15:10 stevesk Exp $ */
+/* $OpenBSD: misc.c,v 1.56 2006/07/10 12:46:51 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
@@ -45,6 +45,7 @@
 #include "misc.h"
 #include "log.h"
 #include "xmalloc.h"
+#include "ssh.h"
 
 /* remove newline at end of string */
 char *
@@ -337,6 +338,23 @@ convtime(const char *s)
 }
 
 /*
+ * Returns a standardized host+port identifier string.
+ * Caller must free returned string.
+ */
+char *
+put_host_port(const char *host, u_short port)
+{
+        char *hoststr;
+
+        if (port == 0 || port == SSH_DEFAULT_PORT)
+                return(xstrdup(host));
+        if (asprintf(&hoststr, "[%s]:%d", host, (int)port) < 0)
+                fatal("put_host_port: asprintf: %s", strerror(errno));
+        debug3("put_host_port: %s", hoststr);
+        return hoststr;
+}
+
+/*
  * Search for next delimiter between hostnames/addresses and ports.
  * Argument may be modified (for termination).
  * Returns *cp if parsing succeeds.
diff --git a/misc.h b/misc.h
index f96328662..139a62e05 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.32 2006/07/06 16:03:53 stevesk Exp $ */
+/* $OpenBSD: misc.h,v 1.33 2006/07/10 12:46:51 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -28,6 +28,7 @@ int	 unset_nonblock(int);
 void     set_nodelay(int);
 int      a2port(const char *);
 int      a2tun(const char *, int *);
+char    *put_host_port(const char *, u_short);
 char    *hpdelim(char **);
 char    *cleanhostname(char *);
 char    *colon(char *);
diff --git a/sshconnect.c b/sshconnect.c
index 3bc455eb4..f8450eadf 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.188 2006/07/06 16:03:53 stevesk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.189 2006/07/10 12:46:51 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -514,12 +514,12 @@ confirm(const char *prompt)
  * is not valid. the user_hostfile will not be updated if 'readonly' is true.
  */
 static int
-check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
+check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
     int readonly, const char *user_hostfile, const char *system_hostfile)
 {
         Key *file_key;
         const char *type = key_type(host_key);
-        char *ip = NULL;
+        char *ip = NULL, *host = NULL;
         char hostline[1000], *hostp, *fp;
         HostStatus host_status;
         HostStatus ip_status;
@@ -570,7 +570,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                 if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
                     NULL, 0, NI_NUMERICHOST) != 0)
                         fatal("check_host_key: getnameinfo failed");
-                ip = xstrdup(ntop);
+                ip = put_host_port(ntop, options.port);
         } else {
                 ip = xstrdup("<no hostip for proxy command>");
         }
@@ -578,18 +578,21 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
          * Turn off check_host_ip if the connection is to localhost, via proxy
          * command or if we don't have a hostname to compare with
          */
-        if (options.check_host_ip &&
-            (local || strcmp(host, ip) == 0 || options.proxy_command != NULL))
+        if (options.check_host_ip && (local ||
+            strcmp(hostname, ip) == 0 || options.proxy_command != NULL))
                 options.check_host_ip = 0;
 
         /*
-         * Allow the user to record the key under a different name. This is
-         * useful for ssh tunneling over forwarded connections or if you run
-         * multiple sshd's on different ports on the same machine.
+         * Allow the user to record the key under a different name or
+         * differentiate a non-standard port.  This is useful for ssh
+         * tunneling over forwarded connections or if you run multiple
+         * sshd's on different ports on the same machine.
          */
         if (options.host_key_alias != NULL) {
-                host = options.host_key_alias;
+                host = xstrdup(options.host_key_alias);
                 debug("using hostkeyalias: %s", host);
+        } else {
+                host = put_host_port(hostname, options.port);
         }
 
         /*
@@ -851,10 +854,12 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
         }
 
         xfree(ip);
+        xfree(host);
         return 0;
 
 fail:
         xfree(ip);
+        xfree(host);
         return -1;
 }
 
diff --git a/sshd.8 b/sshd.8
index 0bfd68505..f614b8dc3 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.230 2006/02/24 20:31:31 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.231 2006/07/10 12:46:52 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -588,6 +588,13 @@ A pattern may also be preceded by
 to indicate negation: if the host name matches a negated
 pattern, it is not accepted (by that line) even if it matched another
 pattern on the line.
+A hostname or address may optionally be enclosed within
+.Ql \&[
+and
+.Ql \&]
+brackets then followed by
+.Ql \&:
+and and a non-standard port number.
 .Pp
 Alternately, hostnames may be stored in a hashed form which hides host names
 and addresses should the file's contents be disclosed.