diff options
| author | Damien Miller <djm@mindrot.org> | 2010-12-01 12:21:51 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-12-01 12:21:51 +1100 |
| commit | d925dcd8a5d1a3070061006788352bed93260582 (patch) | |
| tree | 12f78195086ff506d0f4e4c39098d675cdae0ee9 /auth.c | |
| parent | 03c0e533de56a1fc55ec1885d35c3197fdefbf94 (diff) | |
- djm@cvs.openbsd.org 2010/11/29 23:45:51
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
[sshconnect.h sshconnect2.c]
automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 30 |
1 files changed, 18 insertions, 12 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.90 2010/11/23 02:35:50 djm Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.91 2010/11/29 23:45:51 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -379,16 +379,15 @@ HostStatus | |||
| 379 | check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | 379 | check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
| 380 | const char *sysfile, const char *userfile) | 380 | const char *sysfile, const char *userfile) |
| 381 | { | 381 | { |
| 382 | Key *found; | ||
| 383 | char *user_hostfile; | 382 | char *user_hostfile; |
| 384 | struct stat st; | 383 | struct stat st; |
| 385 | HostStatus host_status; | 384 | HostStatus host_status; |
| 385 | struct hostkeys *hostkeys; | ||
| 386 | const struct hostkey_entry *found; | ||
| 386 | 387 | ||
| 387 | /* Check if we know the host and its host key. */ | 388 | hostkeys = init_hostkeys(); |
| 388 | found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); | 389 | load_hostkeys(hostkeys, host, sysfile); |
| 389 | host_status = check_host_in_hostfile(sysfile, host, key, found, NULL); | 390 | if (userfile != NULL) { |
| 390 | |||
| 391 | if (host_status != HOST_OK && userfile != NULL) { | ||
| 392 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 391 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
| 393 | if (options.strict_modes && | 392 | if (options.strict_modes && |
| 394 | (stat(user_hostfile, &st) == 0) && | 393 | (stat(user_hostfile, &st) == 0) && |
| @@ -401,16 +400,23 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
| 401 | user_hostfile); | 400 | user_hostfile); |
| 402 | } else { | 401 | } else { |
| 403 | temporarily_use_uid(pw); | 402 | temporarily_use_uid(pw); |
| 404 | host_status = check_host_in_hostfile(user_hostfile, | 403 | load_hostkeys(hostkeys, host, user_hostfile); |
| 405 | host, key, found, NULL); | ||
| 406 | restore_uid(); | 404 | restore_uid(); |
| 407 | } | 405 | } |
| 408 | xfree(user_hostfile); | 406 | xfree(user_hostfile); |
| 409 | } | 407 | } |
| 410 | key_free(found); | 408 | host_status = check_key_in_hostkeys(hostkeys, key, &found); |
| 409 | if (host_status == HOST_REVOKED) | ||
| 410 | error("WARNING: revoked key for %s attempted authentication", | ||
| 411 | found->host); | ||
| 412 | else if (host_status == HOST_OK) | ||
| 413 | debug("%s: key for %s found at %s:%ld", __func__, | ||
| 414 | found->host, found->file, found->line); | ||
| 415 | else | ||
| 416 | debug("%s: key for host %s not found", __func__, host); | ||
| 417 | |||
| 418 | free_hostkeys(hostkeys); | ||
| 411 | 419 | ||
| 412 | debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ? | ||
| 413 | "ok" : "not found", host); | ||
| 414 | return host_status; | 420 | return host_status; |
| 415 | } | 421 | } |
| 416 | 422 | ||