diff options
| author | Damien Miller <djm@mindrot.org> | 2000-03-26 13:04:51 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2000-03-26 13:04:51 +1000 |
| commit | 450a7a1ff40fe7c2d84c93b83cf2df53445d807d (patch) | |
| tree | db6d08bdea65edd34ba2e323a31e2b1ca5e5fbd4 /sshconnect.c | |
| parent | 2c9279fa667827384fceb243f890cba1dbe480de (diff) | |
- OpenBSD CVS update
- [auth-krb4.c]
-Wall
- [auth-rh-rsa.c auth-rsa.c hostfile.c hostfile.h key.c key.h match.c]
[match.h ssh.c ssh.h sshconnect.c sshd.c]
initial support for DSA keys. ok deraadt@, niels@
- [cipher.c cipher.h]
remove unused cipher_attack_detected code
- [scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8]
Fix some formatting problems I missed before.
- [ssh.1 sshd.8]
fix spelling errors, From: FreeBSD
- [ssh.c]
switch to raw mode only if he _get_ a pty (not if we _want_ a pty).
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 72 |
1 files changed, 35 insertions, 37 deletions
diff --git a/sshconnect.c b/sshconnect.c index 910548fac..d64c0e2c0 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -8,15 +8,19 @@ | |||
| 8 | */ | 8 | */ |
| 9 | 9 | ||
| 10 | #include "includes.h" | 10 | #include "includes.h" |
| 11 | RCSID("$OpenBSD: sshconnect.c,v 1.57 2000/03/16 20:56:14 markus Exp $"); | 11 | RCSID("$OpenBSD: sshconnect.c,v 1.58 2000/03/23 22:15:33 markus Exp $"); |
| 12 | 12 | ||
| 13 | #ifdef HAVE_OPENSSL | 13 | #ifdef HAVE_OPENSSL |
| 14 | #include <openssl/bn.h> | 14 | #include <openssl/rsa.h> |
| 15 | #include <openssl/dsa.h> | ||
| 15 | #include <openssl/md5.h> | 16 | #include <openssl/md5.h> |
| 17 | #include <openssl/bn.h> | ||
| 16 | #endif | 18 | #endif |
| 17 | #ifdef HAVE_SSL | 19 | #ifdef HAVE_SSL |
| 18 | #include <ssl/bn.h> | 20 | #include <ssl/rsa.h> |
| 21 | #include <ssl/dsa.h> | ||
| 19 | #include <ssl/md5.h> | 22 | #include <ssl/md5.h> |
| 23 | #include <ssl/bn.h> | ||
| 20 | #endif | 24 | #endif |
| 21 | 25 | ||
| 22 | #include "xmalloc.h" | 26 | #include "xmalloc.h" |
| @@ -29,7 +33,8 @@ RCSID("$OpenBSD: sshconnect.c,v 1.57 2000/03/16 20:56:14 markus Exp $"); | |||
| 29 | #include "uidswap.h" | 33 | #include "uidswap.h" |
| 30 | #include "compat.h" | 34 | #include "compat.h" |
| 31 | #include "readconf.h" | 35 | #include "readconf.h" |
| 32 | #include "fingerprint.h" | 36 | #include "key.h" |
| 37 | #include "hostfile.h" | ||
| 33 | 38 | ||
| 34 | /* Session id for the current session. */ | 39 | /* Session id for the current session. */ |
| 35 | unsigned char session_id[16]; | 40 | unsigned char session_id[16]; |
| @@ -1073,9 +1078,9 @@ read_yes_or_no(const char *prompt, int defval) | |||
| 1073 | */ | 1078 | */ |
| 1074 | 1079 | ||
| 1075 | void | 1080 | void |
| 1076 | check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) | 1081 | check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) |
| 1077 | { | 1082 | { |
| 1078 | RSA *file_key; | 1083 | Key *file_key; |
| 1079 | char *ip = NULL; | 1084 | char *ip = NULL; |
| 1080 | char hostline[1000], *hostp; | 1085 | char hostline[1000], *hostp; |
| 1081 | HostStatus host_status; | 1086 | HostStatus host_status; |
| @@ -1129,47 +1134,34 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) | |||
| 1129 | * Store the host key from the known host file in here so that we can | 1134 | * Store the host key from the known host file in here so that we can |
| 1130 | * compare it with the key for the IP address. | 1135 | * compare it with the key for the IP address. |
| 1131 | */ | 1136 | */ |
| 1132 | file_key = RSA_new(); | 1137 | file_key = key_new(host_key->type); |
| 1133 | file_key->n = BN_new(); | ||
| 1134 | file_key->e = BN_new(); | ||
| 1135 | 1138 | ||
| 1136 | /* | 1139 | /* |
| 1137 | * Check if the host key is present in the user\'s list of known | 1140 | * Check if the host key is present in the user\'s list of known |
| 1138 | * hosts or in the systemwide list. | 1141 | * hosts or in the systemwide list. |
| 1139 | */ | 1142 | */ |
| 1140 | host_status = check_host_in_hostfile(options.user_hostfile, host, | 1143 | host_status = check_host_in_hostfile(options.user_hostfile, host, host_key, file_key); |
| 1141 | host_key->e, host_key->n, | ||
| 1142 | file_key->e, file_key->n); | ||
| 1143 | if (host_status == HOST_NEW) | 1144 | if (host_status == HOST_NEW) |
| 1144 | host_status = check_host_in_hostfile(options.system_hostfile, host, | 1145 | host_status = check_host_in_hostfile(options.system_hostfile, host, host_key, file_key); |
| 1145 | host_key->e, host_key->n, | ||
| 1146 | file_key->e, file_key->n); | ||
| 1147 | /* | 1146 | /* |
| 1148 | * Also perform check for the ip address, skip the check if we are | 1147 | * Also perform check for the ip address, skip the check if we are |
| 1149 | * localhost or the hostname was an ip address to begin with | 1148 | * localhost or the hostname was an ip address to begin with |
| 1150 | */ | 1149 | */ |
| 1151 | if (options.check_host_ip && !local && strcmp(host, ip)) { | 1150 | if (options.check_host_ip && !local && strcmp(host, ip)) { |
| 1152 | RSA *ip_key = RSA_new(); | 1151 | Key *ip_key = key_new(host_key->type); |
| 1153 | ip_key->n = BN_new(); | 1152 | ip_status = check_host_in_hostfile(options.user_hostfile, ip, host_key, ip_key); |
| 1154 | ip_key->e = BN_new(); | ||
| 1155 | ip_status = check_host_in_hostfile(options.user_hostfile, ip, | ||
| 1156 | host_key->e, host_key->n, | ||
| 1157 | ip_key->e, ip_key->n); | ||
| 1158 | 1153 | ||
| 1159 | if (ip_status == HOST_NEW) | 1154 | if (ip_status == HOST_NEW) |
| 1160 | ip_status = check_host_in_hostfile(options.system_hostfile, ip, | 1155 | ip_status = check_host_in_hostfile(options.system_hostfile, ip, host_key, ip_key); |
| 1161 | host_key->e, host_key->n, | ||
| 1162 | ip_key->e, ip_key->n); | ||
| 1163 | if (host_status == HOST_CHANGED && | 1156 | if (host_status == HOST_CHANGED && |
| 1164 | (ip_status != HOST_CHANGED || | 1157 | (ip_status != HOST_CHANGED || !key_equal(ip_key, file_key))) |
| 1165 | (BN_cmp(ip_key->e, file_key->e) || BN_cmp(ip_key->n, file_key->n)))) | ||
| 1166 | host_ip_differ = 1; | 1158 | host_ip_differ = 1; |
| 1167 | 1159 | ||
| 1168 | RSA_free(ip_key); | 1160 | key_free(ip_key); |
| 1169 | } else | 1161 | } else |
| 1170 | ip_status = host_status; | 1162 | ip_status = host_status; |
| 1171 | 1163 | ||
| 1172 | RSA_free(file_key); | 1164 | key_free(file_key); |
| 1173 | 1165 | ||
| 1174 | switch (host_status) { | 1166 | switch (host_status) { |
| 1175 | case HOST_OK: | 1167 | case HOST_OK: |
| @@ -1177,8 +1169,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) | |||
| 1177 | debug("Host '%.200s' is known and matches the host key.", host); | 1169 | debug("Host '%.200s' is known and matches the host key.", host); |
| 1178 | if (options.check_host_ip) { | 1170 | if (options.check_host_ip) { |
| 1179 | if (ip_status == HOST_NEW) { | 1171 | if (ip_status == HOST_NEW) { |
| 1180 | if (!add_host_to_hostfile(options.user_hostfile, ip, | 1172 | if (!add_host_to_hostfile(options.user_hostfile, ip, host_key)) |
| 1181 | host_key->e, host_key->n)) | ||
| 1182 | log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).", | 1173 | log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).", |
| 1183 | ip, options.user_hostfile); | 1174 | ip, options.user_hostfile); |
| 1184 | else | 1175 | else |
| @@ -1198,12 +1189,12 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) | |||
| 1198 | } else if (options.strict_host_key_checking == 2) { | 1189 | } else if (options.strict_host_key_checking == 2) { |
| 1199 | /* The default */ | 1190 | /* The default */ |
| 1200 | char prompt[1024]; | 1191 | char prompt[1024]; |
| 1201 | char *fp = fingerprint(host_key->e, host_key->n); | 1192 | char *fp = key_fingerprint(host_key); |
| 1202 | snprintf(prompt, sizeof(prompt), | 1193 | snprintf(prompt, sizeof(prompt), |
| 1203 | "The authenticity of host '%.200s' can't be established.\n" | 1194 | "The authenticity of host '%.200s' can't be established.\n" |
| 1204 | "Key fingerprint is %d %s.\n" | 1195 | "Key fingerprint is %s.\n" |
| 1205 | "Are you sure you want to continue connecting (yes/no)? ", | 1196 | "Are you sure you want to continue connecting (yes/no)? ", |
| 1206 | host, BN_num_bits(host_key->n), fp); | 1197 | host, fp); |
| 1207 | if (!read_yes_or_no(prompt, -1)) | 1198 | if (!read_yes_or_no(prompt, -1)) |
| 1208 | fatal("Aborted by user!\n"); | 1199 | fatal("Aborted by user!\n"); |
| 1209 | } | 1200 | } |
| @@ -1214,8 +1205,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) | |||
| 1214 | hostp = host; | 1205 | hostp = host; |
| 1215 | 1206 | ||
| 1216 | /* If not in strict mode, add the key automatically to the local known_hosts file. */ | 1207 | /* If not in strict mode, add the key automatically to the local known_hosts file. */ |
| 1217 | if (!add_host_to_hostfile(options.user_hostfile, hostp, | 1208 | if (!add_host_to_hostfile(options.user_hostfile, hostp, host_key)) |
| 1218 | host_key->e, host_key->n)) | ||
| 1219 | log("Failed to add the host to the list of known hosts (%.500s).", | 1209 | log("Failed to add the host to the list of known hosts (%.500s).", |
| 1220 | options.user_hostfile); | 1210 | options.user_hostfile); |
| 1221 | else | 1211 | else |
| @@ -1283,6 +1273,14 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) | |||
| 1283 | if (options.check_host_ip) | 1273 | if (options.check_host_ip) |
| 1284 | xfree(ip); | 1274 | xfree(ip); |
| 1285 | } | 1275 | } |
| 1276 | void | ||
| 1277 | check_rsa_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key) | ||
| 1278 | { | ||
| 1279 | Key k; | ||
| 1280 | k.type = KEY_RSA; | ||
| 1281 | k.rsa = host_key; | ||
| 1282 | check_host_key(host, hostaddr, &k); | ||
| 1283 | } | ||
| 1286 | 1284 | ||
| 1287 | /* | 1285 | /* |
| 1288 | * SSH1 key exchange | 1286 | * SSH1 key exchange |
| @@ -1358,7 +1356,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr) | |||
| 1358 | 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4, | 1356 | 8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4, |
| 1359 | SSH_SMSG_PUBLIC_KEY); | 1357 | SSH_SMSG_PUBLIC_KEY); |
| 1360 | 1358 | ||
| 1361 | check_host_key(host, hostaddr, host_key); | 1359 | check_rsa_host_key(host, hostaddr, host_key); |
| 1362 | 1360 | ||
| 1363 | client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; | 1361 | client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN; |
| 1364 | 1362 | ||
| @@ -1617,7 +1615,6 @@ ssh_userauth(int host_key_valid, RSA *own_host_key, | |||
| 1617 | fatal("Permission denied."); | 1615 | fatal("Permission denied."); |
| 1618 | /* NOTREACHED */ | 1616 | /* NOTREACHED */ |
| 1619 | } | 1617 | } |
| 1620 | |||
| 1621 | /* | 1618 | /* |
| 1622 | * Starts a dialog with the server, and authenticates the current user on the | 1619 | * Starts a dialog with the server, and authenticates the current user on the |
| 1623 | * server. This does not need any extra privileges. The basic connection | 1620 | * server. This does not need any extra privileges. The basic connection |
| @@ -1648,6 +1645,7 @@ ssh_login(int host_key_valid, RSA *own_host_key, const char *orighost, | |||
| 1648 | ssh_kex(host, hostaddr); | 1645 | ssh_kex(host, hostaddr); |
| 1649 | if (supported_authentications == 0) | 1646 | if (supported_authentications == 0) |
| 1650 | fatal("supported_authentications == 0."); | 1647 | fatal("supported_authentications == 0."); |
| 1648 | |||
| 1651 | /* authenticate user */ | 1649 | /* authenticate user */ |
| 1652 | ssh_userauth(host_key_valid, own_host_key, original_real_uid, host); | 1650 | ssh_userauth(host_key_valid, own_host_key, original_real_uid, host); |
| 1653 | } | 1651 | } |