author | Ben Lindstrom <mouring@eviladmin.org> | 2000-12-28 16:40:05 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2000-12-28 16:40:05 +0000 |
commit | 4dccfa5fb73853e6c9281beac2c42a31391acdc7 (patch) | |
tree | 2a64c6b1e096010f2b5fd45a08f9878cac5d400e /sshconnect.c | |
parent | 42717bf8fff94146edf43ea266113f1a54456c62 (diff) |
- (bal) OpenBSD CVS Update
- markus@cvs.openbsd.org 2000/12/28 14:25:51
[auth.h auth2.c]
count authentication failures only
- markus@cvs.openbsd.org 2000/12/28 14:25:03
[sshconnect.c]
fingerprint for MITM attacks, too.
- markus@cvs.openbsd.org 2000/12/28 12:03:57
[sshd.8 sshd.c]
document -D
- markus@cvs.openbsd.org 2000/12/27 14:19:21
[serverloop.c]
less chatty
- markus@cvs.openbsd.org 2000/12/27 12:34
[auth1.c sshconnect2.c sshd.c]
typo
- markus@cvs.openbsd.org 2000/12/27 12:30:19
[readconf.c readconf.h ssh.1 sshconnect.c]
new option: HostKeyAlias: allow the user to record the host key
under a different name. This is useful for ssh tunneling over
forwarded connections or if you run multiple sshd's on different
ports on the same machine.
- markus@cvs.openbsd.org 2000/12/27 11:51:53
[ssh.1 ssh.c]
multiple -t force pty allocation, document ORIGINAL_COMMAND
- markus@cvs.openbsd.org 2000/12/27 11:41:31
[sshd.8]
update for ssh-2
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 30 |
1 files changed, 23 insertions, 7 deletions
diff --git a/sshconnect.c b/sshconnect.c index 647aec797..22e691424 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -13,7 +13,7 @@ | |||
13 | */ | 13 | */ |
14 | 14 | ||
15 | #include "includes.h" | 15 | #include "includes.h" |
16 | RCSID("$OpenBSD: sshconnect.c,v 1.85 2000/12/21 15:10:17 markus Exp $"); | 16 | RCSID("$OpenBSD: sshconnect.c,v 1.87 2000/12/28 14:25:03 markus Exp $"); |
17 | 17 | ||
18 | #include <openssl/bn.h> | 18 | #include <openssl/bn.h> |
19 | #include <openssl/dsa.h> | 19 | #include <openssl/dsa.h> |
@@ -499,8 +499,13 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
499 | break; | 499 | break; |
500 | } | 500 | } |
501 | if (local) { | 501 | if (local) { |
502 | debug("Forcing accepting of host key for loopback/localhost."); | 502 | if (options.host_key_alias == NULL) { |
503 | return; | 503 | debug("Forcing accepting of host key for " |
504 | "loopback/localhost."); | ||
505 | return; | ||
506 | } | ||
507 | if (options.check_host_ip) | ||
508 | options.check_host_ip = 0; | ||
504 | } | 509 | } |
505 | 510 | ||
506 | /* | 511 | /* |
@@ -514,7 +519,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
514 | 519 | ||
515 | if (options.proxy_command == NULL) { | 520 | if (options.proxy_command == NULL) { |
516 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), | 521 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), |
517 | NULL, 0, NI_NUMERICHOST) != 0) | 522 | NULL, 0, NI_NUMERICHOST) != 0) |
518 | fatal("check_host_key: getnameinfo failed"); | 523 | fatal("check_host_key: getnameinfo failed"); |
519 | ip = xstrdup(ntop); | 524 | ip = xstrdup(ntop); |
520 | } else { | 525 | } else { |
@@ -522,6 +527,16 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
522 | } | 527 | } |
523 | 528 | ||
524 | /* | 529 | /* |
530 | * Allow the user to record the key under a different name. This is | ||
531 | * useful for ssh tunneling over forwarded connections or if you run | ||
532 | * multiple sshd's on different ports on the same machine. | ||
533 | */ | ||
534 | if (options.host_key_alias != NULL) { | ||
535 | host = options.host_key_alias; | ||
536 | debug("using hostkeyalias: %s", host); | ||
537 | } | ||
538 | |||
539 | /* | ||
525 | * Store the host key from the known host file in here so that we can | 540 | * Store the host key from the known host file in here so that we can |
526 | * compare it with the key for the IP address. | 541 | * compare it with the key for the IP address. |
527 | */ | 542 | */ |
@@ -592,12 +607,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
592 | } else if (options.strict_host_key_checking == 2) { | 607 | } else if (options.strict_host_key_checking == 2) { |
593 | /* The default */ | 608 | /* The default */ |
594 | char prompt[1024]; | 609 | char prompt[1024]; |
595 | char *fp = key_fingerprint(host_key); | ||
596 | snprintf(prompt, sizeof(prompt), | 610 | snprintf(prompt, sizeof(prompt), |
597 | "The authenticity of host '%.200s (%s)' can't be established.\n" | 611 | "The authenticity of host '%.200s (%s)' can't be established.\n" |
598 | "%s key fingerprint is %s.\n" | 612 | "%s key fingerprint is %s.\n" |
599 | "Are you sure you want to continue connecting (yes/no)? ", | 613 | "Are you sure you want to continue connecting (yes/no)? ", |
600 | host, ip, type, fp); | 614 | host, ip, type, key_fingerprint(host_key)); |
601 | if (!read_yes_or_no(prompt, -1)) | 615 | if (!read_yes_or_no(prompt, -1)) |
602 | fatal("Aborted by user!\n"); | 616 | fatal("Aborted by user!\n"); |
603 | } | 617 | } |
@@ -642,9 +656,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
642 | error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); | 656 | error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); |
643 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); | 657 | error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); |
644 | error("It is also possible that the %s host key has just been changed.", type); | 658 | error("It is also possible that the %s host key has just been changed.", type); |
659 | error("The fingerprint for the %s key sent by the remote host is\n%s.", | ||
660 | type, key_fingerprint(host_key)); | ||
645 | error("Please contact your system administrator."); | 661 | error("Please contact your system administrator."); |
646 | error("Add correct host key in %.100s to get rid of this message.", | 662 | error("Add correct host key in %.100s to get rid of this message.", |
647 | user_hostfile); | 663 | user_hostfile); |
648 | error("Offending key in %s:%d", host_file, host_line); | 664 | error("Offending key in %s:%d", host_file, host_line); |
649 | 665 | ||
650 | /* | 666 | /* |
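Review bot: The new branch at new lines 502–508 turns off CheckHostIP by writing `options.check_host_ip = 0` into the (apparently file-global) `options` struct whenever HostKeyAlias is set on a loopback connection, and nothing in the hunk says why; a reader meeting that assignment inside a host-key check routine will suspect a weakening rather than an intended one. I would add the rationale as a comment, e.g. `/* HostKeyAlias on a loopback connection: the loopback address says nothing about the tunnelled host, so check and record the key under the alias only, never under the IP. */` — presumably the intent, since the IP-matching code itself lies below this hunk. The `if (options.check_host_ip)` guard on the line before is redundant for an assignment of 0 and can be dropped. Note that the non-loopback alias case the commit message cites (several sshd's on one IP) keeps the IP check enabled, so the IP entry in known_hosts can agree with only one of those servers' keys; whether that triggers the IP-mismatch warning depends on code outside the hunk and is worth confirming. check_host_key begins before and continues after this hunk.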