diff options
| author | Damien Miller <djm@mindrot.org> | 2003-06-04 20:31:53 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-06-04 20:31:53 +1000 |
| commit | 941ac459ce52af15caddcfafce3cf611138600ce (patch) | |
| tree | c3c8f939d0c21c7cc3c032d9bd4dddc220d65a4f /sshconnect.c | |
| parent | 2527f5755a76a51093ce212c98003f379a9479aa (diff) | |
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/06/04 08:25:18
[sshconnect.c]
disable challenge/response and keyboard-interactive auth methods
upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
bz #580; ok markus@
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/sshconnect.c b/sshconnect.c index 0ff4b2bcc..b8a77a2a3 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -13,7 +13,7 @@ | |||
| 13 | */ | 13 | */ |
| 14 | 14 | ||
| 15 | #include "includes.h" | 15 | #include "includes.h" |
| 16 | RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $"); | 16 | RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $"); |
| 17 | 17 | ||
| 18 | #include <openssl/bn.h> | 18 | #include <openssl/bn.h> |
| 19 | 19 | ||
| @@ -796,7 +796,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 796 | 796 | ||
| 797 | /* | 797 | /* |
| 798 | * If strict host key checking has not been requested, allow | 798 | * If strict host key checking has not been requested, allow |
| 799 | * the connection but without password authentication or | 799 | * the connection but without MITM-able authentication or |
| 800 | * agent forwarding. | 800 | * agent forwarding. |
| 801 | */ | 801 | */ |
| 802 | if (options.password_authentication) { | 802 | if (options.password_authentication) { |
| @@ -804,6 +804,17 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 804 | "man-in-the-middle attacks."); | 804 | "man-in-the-middle attacks."); |
| 805 | options.password_authentication = 0; | 805 | options.password_authentication = 0; |
| 806 | } | 806 | } |
| 807 | if (options.kbd_interactive_authentication) { | ||
| 808 | error("Keyboard-interactive authentication is disabled" | ||
| 809 | " to avoid man-in-the-middle attacks."); | ||
| 810 | options.kbd_interactive_authentication = 0; | ||
| 811 | options.challenge_response_authentication = 0; | ||
| 812 | } | ||
| 813 | if (options.challenge_response_authentication) { | ||
| 814 | error("Challenge/response authentication is disabled" | ||
| 815 | " to avoid man-in-the-middle attacks."); | ||
| 816 | options.challenge_response_authentication = 0; | ||
| 817 | } | ||
| 807 | if (options.forward_agent) { | 818 | if (options.forward_agent) { |
| 808 | error("Agent forwarding is disabled to avoid " | 819 | error("Agent forwarding is disabled to avoid " |
| 809 | "man-in-the-middle attacks."); | 820 | "man-in-the-middle attacks."); |