author | Damien Miller <djm@mindrot.org> | 2010-12-01 12:21:51 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-12-01 12:21:51 +1100 |
commit | d925dcd8a5d1a3070061006788352bed93260582 (patch) | |
tree | 12f78195086ff506d0f4e4c39098d675cdae0ee9 /auth.c | |
parent | 03c0e533de56a1fc55ec1885d35c3197fdefbf94 (diff) |
- djm@cvs.openbsd.org 2010/11/29 23:45:51
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
[sshconnect.h sshconnect2.c]
automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 30 |
1 files changed, 18 insertions, 12 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.90 2010/11/23 02:35:50 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.91 2010/11/29 23:45:51 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -379,16 +379,15 @@ HostStatus | |||
379 | check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | 379 | check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
380 | const char *sysfile, const char *userfile) | 380 | const char *sysfile, const char *userfile) |
381 | { | 381 | { |
382 | Key *found; | ||
383 | char *user_hostfile; | 382 | char *user_hostfile; |
384 | struct stat st; | 383 | struct stat st; |
385 | HostStatus host_status; | 384 | HostStatus host_status; |
385 | struct hostkeys *hostkeys; | ||
386 | const struct hostkey_entry *found; | ||
386 | 387 | ||
387 | /* Check if we know the host and its host key. */ | 388 | hostkeys = init_hostkeys(); |
388 | found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); | 389 | load_hostkeys(hostkeys, host, sysfile); |
389 | host_status = check_host_in_hostfile(sysfile, host, key, found, NULL); | 390 | if (userfile != NULL) { |
390 | |||
391 | if (host_status != HOST_OK && userfile != NULL) { | ||
392 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 391 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
393 | if (options.strict_modes && | 392 | if (options.strict_modes && |
394 | (stat(user_hostfile, &st) == 0) && | 393 | (stat(user_hostfile, &st) == 0) && |
@@ -401,16 +400,23 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
401 | user_hostfile); | 400 | user_hostfile); |
402 | } else { | 401 | } else { |
403 | temporarily_use_uid(pw); | 402 | temporarily_use_uid(pw); |
404 | host_status = check_host_in_hostfile(user_hostfile, | 403 | load_hostkeys(hostkeys, host, user_hostfile); |
405 | host, key, found, NULL); | ||
406 | restore_uid(); | 404 | restore_uid(); |
407 | } | 405 | } |
408 | xfree(user_hostfile); | 406 | xfree(user_hostfile); |
409 | } | 407 | } |
410 | key_free(found); | 408 | host_status = check_key_in_hostkeys(hostkeys, key, &found); |
409 | if (host_status == HOST_REVOKED) | ||
410 | error("WARNING: revoked key for %s attempted authentication", | ||
411 | found->host); | ||
412 | else if (host_status == HOST_OK) | ||
413 | debug("%s: key for %s found at %s:%ld", __func__, | ||
414 | found->host, found->file, found->line); | ||
415 | else | ||
416 | debug("%s: key for host %s not found", __func__, host); | ||
417 | |||
418 | free_hostkeys(hostkeys); | ||
411 | 419 | ||
412 | debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ? | ||
413 | "ok" : "not found", host); | ||
414 | return host_status; | 420 | return host_status; |
415 | } | 421 | } |
416 | 422 | ||
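Review bot: The rebuilt lookup at new lines 408-418 merges the system and user known_hosts into one `hostkeys` set before a single `check_key_in_hostkeys` call, dropping the old `host_status != HOST_OK` short-circuit, so a key that is plain in one file and `@revoked` in the other now gets whichever verdict `check_key_in_hostkeys` prefers, and nothing in auth.c says which; a comment above the call such as `/* Both files are merged; precedence between OK and REVOKED entries is decided in check_key_in_hostkeys() */` would make the intended policy visible to the next reader. `found` presumably points into `hostkeys`, so it must stay unused after `free_hostkeys(hostkeys)` at new line 418 — the logging is correctly placed before it, but a short `/* found is invalid from here on */` on that line would guard against a later reordering. If `hostkey_entry.line` is an unsigned type, the `%ld` in the HOST_OK debug message should be `%lu`; the struct is not visible here, so this is inferred. The enclosing function `check_key_in_hostfiles` begins in the previous hunk, outside this one.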