diff options
author | Damien Miller <djm@mindrot.org> | 1999-11-16 13:37:16 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 1999-11-16 13:37:16 +1100 |
commit | 7e8e820153a620ab1dcd81857a7de0969c41d043 (patch) | |
tree | 226cc4185feae97f4069ad60b4c18d259aa5df2f /sshconnect.c | |
parent | 4874c79a3a05fc18678d7a85d7091f5139630fac (diff) |
- Merged OpenBSD CVS changes:
- [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c]
[mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c]
the keysize of rsa-parameter 'n' is passed implizit,
a few more checks and warnings about 'pretended' keysizes.
- [cipher.c cipher.h packet.c packet.h sshd.c]
remove support for cipher RC4
- [ssh.c]
a note for legay systems about secuity issues with permanently_set_uid(),
the private hostkey and ptrace()
- [sshconnect.c]
more detailed messages about adding and checking hostkeys
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 48 |
1 files changed, 24 insertions, 24 deletions
diff --git a/sshconnect.c b/sshconnect.c index f984bcaa0..17c660979 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -15,7 +15,7 @@ login (authentication) dialog. | |||
15 | */ | 15 | */ |
16 | 16 | ||
17 | #include "includes.h" | 17 | #include "includes.h" |
18 | RCSID("$Id: sshconnect.c,v 1.8 1999/11/15 04:25:10 damien Exp $"); | 18 | RCSID("$Id: sshconnect.c,v 1.9 1999/11/16 02:37:17 damien Exp $"); |
19 | 19 | ||
20 | #ifdef HAVE_OPENSSL | 20 | #ifdef HAVE_OPENSSL |
21 | #include <openssl/bn.h> | 21 | #include <openssl/bn.h> |
@@ -339,7 +339,7 @@ int ssh_connect(const char *host, struct sockaddr_in *hostaddr, | |||
339 | int | 339 | int |
340 | try_agent_authentication() | 340 | try_agent_authentication() |
341 | { | 341 | { |
342 | int status, type, bits; | 342 | int status, type; |
343 | char *comment; | 343 | char *comment; |
344 | AuthenticationConnection *auth; | 344 | AuthenticationConnection *auth; |
345 | unsigned char response[16]; | 345 | unsigned char response[16]; |
@@ -356,9 +356,9 @@ try_agent_authentication() | |||
356 | challenge = BN_new(); | 356 | challenge = BN_new(); |
357 | 357 | ||
358 | /* Loop through identities served by the agent. */ | 358 | /* Loop through identities served by the agent. */ |
359 | for (status = ssh_get_first_identity(auth, &bits, e, n, &comment); | 359 | for (status = ssh_get_first_identity(auth, e, n, &comment); |
360 | status; | 360 | status; |
361 | status = ssh_get_next_identity(auth, &bits, e, n, &comment)) | 361 | status = ssh_get_next_identity(auth, e, n, &comment)) |
362 | { | 362 | { |
363 | int plen, clen; | 363 | int plen, clen; |
364 | 364 | ||
@@ -395,7 +395,7 @@ try_agent_authentication() | |||
395 | debug("Received RSA challenge from server."); | 395 | debug("Received RSA challenge from server."); |
396 | 396 | ||
397 | /* Ask the agent to decrypt the challenge. */ | 397 | /* Ask the agent to decrypt the challenge. */ |
398 | if (!ssh_decrypt_challenge(auth, bits, e, n, challenge, | 398 | if (!ssh_decrypt_challenge(auth, e, n, challenge, |
399 | session_id, 1, response)) | 399 | session_id, 1, response)) |
400 | { | 400 | { |
401 | /* The agent failed to authenticate this identifier although it | 401 | /* The agent failed to authenticate this identifier although it |
@@ -1128,19 +1128,15 @@ void ssh_login(int host_key_valid, | |||
1128 | SSH_SMSG_PUBLIC_KEY); | 1128 | SSH_SMSG_PUBLIC_KEY); |
1129 | 1129 | ||
1130 | /* Compute the session id. */ | 1130 | /* Compute the session id. */ |
1131 | compute_session_id(session_id, check_bytes, | 1131 | compute_session_id(session_id, check_bytes, host_key->n, public_key->n); |
1132 | BN_num_bits(host_key->n), host_key->n, | ||
1133 | BN_num_bits(public_key->n), public_key->n); | ||
1134 | 1132 | ||
1135 | /* Check if the host key is present in the user\'s list of known hosts | 1133 | /* Check if the host key is present in the user\'s list of known hosts |
1136 | or in the systemwide list. */ | 1134 | or in the systemwide list. */ |
1137 | host_status = check_host_in_hostfile(options.user_hostfile, | 1135 | host_status = check_host_in_hostfile(options.user_hostfile, host, |
1138 | host, BN_num_bits(host_key->n), | ||
1139 | host_key->e, host_key->n, | 1136 | host_key->e, host_key->n, |
1140 | file_key->e, file_key->n); | 1137 | file_key->e, file_key->n); |
1141 | if (host_status == HOST_NEW) | 1138 | if (host_status == HOST_NEW) |
1142 | host_status = check_host_in_hostfile(options.system_hostfile, host, | 1139 | host_status = check_host_in_hostfile(options.system_hostfile, host, |
1143 | BN_num_bits(host_key->n), | ||
1144 | host_key->e, host_key->n, | 1140 | host_key->e, host_key->n, |
1145 | file_key->e, file_key->n); | 1141 | file_key->e, file_key->n); |
1146 | /* Force accepting of the host key for localhost and 127.0.0.1. | 1142 | /* Force accepting of the host key for localhost and 127.0.0.1. |
@@ -1161,13 +1157,11 @@ void ssh_login(int host_key_valid, | |||
1161 | ip_key->n = BN_new(); | 1157 | ip_key->n = BN_new(); |
1162 | ip_key->e = BN_new(); | 1158 | ip_key->e = BN_new(); |
1163 | ip_status = check_host_in_hostfile(options.user_hostfile, ip, | 1159 | ip_status = check_host_in_hostfile(options.user_hostfile, ip, |
1164 | BN_num_bits(host_key->n), | ||
1165 | host_key->e, host_key->n, | 1160 | host_key->e, host_key->n, |
1166 | ip_key->e, ip_key->n); | 1161 | ip_key->e, ip_key->n); |
1167 | 1162 | ||
1168 | if (ip_status == HOST_NEW) | 1163 | if (ip_status == HOST_NEW) |
1169 | ip_status = check_host_in_hostfile(options.system_hostfile, ip, | 1164 | ip_status = check_host_in_hostfile(options.system_hostfile, ip, |
1170 | BN_num_bits(host_key->n), | ||
1171 | host_key->e, host_key->n, | 1165 | host_key->e, host_key->n, |
1172 | ip_key->e, ip_key->n); | 1166 | ip_key->e, ip_key->n); |
1173 | if (host_status == HOST_CHANGED && | 1167 | if (host_status == HOST_CHANGED && |
@@ -1188,14 +1182,15 @@ void ssh_login(int host_key_valid, | |||
1188 | if (options.check_host_ip) { | 1182 | if (options.check_host_ip) { |
1189 | if (ip_status == HOST_NEW) { | 1183 | if (ip_status == HOST_NEW) { |
1190 | if (!add_host_to_hostfile(options.user_hostfile, ip, | 1184 | if (!add_host_to_hostfile(options.user_hostfile, ip, |
1191 | BN_num_bits(host_key->n), | ||
1192 | host_key->e, host_key->n)) | 1185 | host_key->e, host_key->n)) |
1193 | log("Failed to add the host ip to the list of known hosts (%.30s).", | 1186 | log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).", |
1194 | options.user_hostfile); | 1187 | ip, options.user_hostfile); |
1195 | else | 1188 | else |
1196 | log("Warning: Permanently added host ip '%.30s' to the list of known hosts.", ip); | 1189 | log("Warning: Permanently added host key for IP address '%.30s' to the list of known hosts.", |
1190 | ip); | ||
1197 | } else if (ip_status != HOST_OK) | 1191 | } else if (ip_status != HOST_OK) |
1198 | log("Warning: the host key differ from the key of the ip address '%.30s' differs", ip); | 1192 | log("Warning: the host key for '%.200s' differs from the key for the IP address '%.30s'", |
1193 | host, ip); | ||
1199 | } | 1194 | } |
1200 | 1195 | ||
1201 | break; | 1196 | break; |
@@ -1226,7 +1221,6 @@ void ssh_login(int host_key_valid, | |||
1226 | /* If not in strict mode, add the key automatically to the local | 1221 | /* If not in strict mode, add the key automatically to the local |
1227 | known_hosts file. */ | 1222 | known_hosts file. */ |
1228 | if (!add_host_to_hostfile(options.user_hostfile, hostp, | 1223 | if (!add_host_to_hostfile(options.user_hostfile, hostp, |
1229 | BN_num_bits(host_key->n), | ||
1230 | host_key->e, host_key->n)) | 1224 | host_key->e, host_key->n)) |
1231 | log("Failed to add the host to the list of known hosts (%.500s).", | 1225 | log("Failed to add the host to the list of known hosts (%.500s).", |
1232 | options.user_hostfile); | 1226 | options.user_hostfile); |
@@ -1238,13 +1232,20 @@ void ssh_login(int host_key_valid, | |||
1238 | case HOST_CHANGED: | 1232 | case HOST_CHANGED: |
1239 | if (options.check_host_ip) { | 1233 | if (options.check_host_ip) { |
1240 | if (host_ip_differ) { | 1234 | if (host_ip_differ) { |
1235 | char *msg; | ||
1236 | if (ip_status == HOST_NEW) | ||
1237 | msg = "is unknown"; | ||
1238 | else if (ip_status == HOST_OK) | ||
1239 | msg = "is unchanged"; | ||
1240 | else | ||
1241 | msg = "has a different value"; | ||
1241 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | 1242 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
1242 | error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @"); | 1243 | error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @"); |
1243 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); | 1244 | error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
1244 | error("The host key for %s has changed,", host); | 1245 | error("The host key for %s has changed,", host); |
1245 | error("but the key for the according IP address %s has", ip); | 1246 | error("and the key for the according IP address %s", ip); |
1246 | error("a different status. This could either mean that DNS"); | 1247 | error("%s. This could either mean that", msg); |
1247 | error("SPOOFING is happening or the IP address for the host"); | 1248 | error("DNS SPOOFING is happening or the IP address for the host"); |
1248 | error("and its host key have changed at the same time"); | 1249 | error("and its host key have changed at the same time"); |
1249 | } | 1250 | } |
1250 | } | 1251 | } |
@@ -1391,8 +1392,7 @@ void ssh_login(int host_key_valid, | |||
1391 | debug("Sent encrypted session key."); | 1392 | debug("Sent encrypted session key."); |
1392 | 1393 | ||
1393 | /* Set the encryption key. */ | 1394 | /* Set the encryption key. */ |
1394 | packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, | 1395 | packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher); |
1395 | options.cipher, 1); | ||
1396 | 1396 | ||
1397 | /* We will no longer need the session key here. Destroy any extra copies. */ | 1397 | /* We will no longer need the session key here. Destroy any extra copies. */ |
1398 | memset(session_key, 0, sizeof(session_key)); | 1398 | memset(session_key, 0, sizeof(session_key)); |