- Merged OpenBSD CVS changes:

- [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c] [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c] the keysize of rsa-parameter 'n' is passed implizit, a few more checks and warnings about 'pretended' keysizes. - [cipher.c cipher.h packet.c packet.h sshd.c] remove support for cipher RC4 - [ssh.c] a note for legay systems about secuity issues with permanently_set_uid(), the private hostkey and ptrace() - [sshconnect.c] more detailed messages about adding and checking hostkeys
author: Damien Miller <djm@mindrot.org> 1999-11-16 13:37:16 +1100
committer: Damien Miller <djm@mindrot.org> 1999-11-16 13:37:16 +1100
commit: 7e8e820153a620ab1dcd81857a7de0969c41d043 (patch)
tree: 226cc4185feae97f4069ad60b4c18d259aa5df2f /sshconnect.c
parent: 4874c79a3a05fc18678d7a85d7091f5139630fac (diff)
1 files changed, 24 insertions, 24 deletions
diff --git a/sshconnect.c b/sshconnect.c
index f984bcaa0..17c660979 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -15,7 +15,7 @@ login (authentication) dialog.
 */
 #include "includes.h"
-RCSID("$Id: sshconnect.c,v 1.8 1999/11/15 04:25:10 damien Exp $");
+RCSID("$Id: sshconnect.c,v 1.9 1999/11/16 02:37:17 damien Exp $");
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
@@ -339,7 +339,7 @@ int ssh_connect(const char *host, struct sockaddr_in *hostaddr,
 int
 try_agent_authentication()
 {
-  int status, type, bits;
+  int status, type;
  char *comment;
  AuthenticationConnection *auth;
  unsigned char response[16];
@@ -356,9 +356,9 @@ try_agent_authentication()
  challenge = BN_new();
  
  /* Loop through identities served by the agent. */
-  for (status = ssh_get_first_identity(auth, &bits, e, n, &comment);
+  for (status = ssh_get_first_identity(auth, e, n, &comment);
       status;
-       status = ssh_get_next_identity(auth, &bits, e, n, &comment))
+       status = ssh_get_next_identity(auth, e, n, &comment))
    {
      int plen, clen;
@@ -395,7 +395,7 @@ try_agent_authentication()
      debug("Received RSA challenge from server.");
      
      /* Ask the agent to decrypt the challenge. */
-      if (!ssh_decrypt_challenge(auth, bits, e, n, challenge, 
+      if (!ssh_decrypt_challenge(auth, e, n, challenge, 
                                 session_id, 1, response))
        {
          /* The agent failed to authenticate this identifier although it
@@ -1128,19 +1128,15 @@ void ssh_login(int host_key_valid,
                         SSH_SMSG_PUBLIC_KEY);
  /* Compute the session id. */
-  compute_session_id(session_id, check_bytes, 
+  compute_session_id(session_id, check_bytes, host_key->n, public_key->n);
-                     BN_num_bits(host_key->n), host_key->n, 
-                     BN_num_bits(public_key->n), public_key->n);
  /* Check if the host key is present in the user\'s list of known hosts
     or in the systemwide list. */
-  host_status = check_host_in_hostfile(options.user_hostfile, 
+  host_status = check_host_in_hostfile(options.user_hostfile, host,
-                                       host, BN_num_bits(host_key->n), 
                                       host_key->e, host_key->n,
                                       file_key->e, file_key->n);
  if (host_status == HOST_NEW)
    host_status = check_host_in_hostfile(options.system_hostfile, host, 
-                                         BN_num_bits(host_key->n),
                                         host_key->e, host_key->n,
                                         file_key->e, file_key->n);
  /* Force accepting of the host key for localhost and 127.0.0.1.
@@ -1161,13 +1157,11 @@ void ssh_login(int host_key_valid,
    ip_key->n = BN_new();
    ip_key->e = BN_new();
    ip_status = check_host_in_hostfile(options.user_hostfile, ip,
-                                       BN_num_bits(host_key->n),
                                       host_key->e, host_key->n,
                                       ip_key->e, ip_key->n);
    if (ip_status == HOST_NEW)
      ip_status = check_host_in_hostfile(options.system_hostfile, ip,
-                                         BN_num_bits(host_key->n),
                                         host_key->e, host_key->n,
                                         ip_key->e, ip_key->n);
    if (host_status == HOST_CHANGED &&
@@ -1188,14 +1182,15 @@ void ssh_login(int host_key_valid,
    if (options.check_host_ip) {
      if (ip_status == HOST_NEW) {
        if (!add_host_to_hostfile(options.user_hostfile, ip,
-                                  BN_num_bits(host_key->n), 
                                  host_key->e, host_key->n))
-          log("Failed to add the host ip to the list of known hosts (%.30s).", 
+          log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).", 
-              options.user_hostfile);
+              ip, options.user_hostfile);
        else
-          log("Warning: Permanently added host ip '%.30s' to the list of known hosts.", ip);
+          log("Warning: Permanently added host key for IP address '%.30s' to the list of known hosts.",
+               ip);
      } else if (ip_status != HOST_OK)
-        log("Warning: the host key differ from the key of the ip address '%.30s' differs", ip);
+        log("Warning: the host key for '%.200s' differs from the key for the IP address '%.30s'",
+            host, ip);
    }
    
    break;
@@ -1226,7 +1221,6 @@ void ssh_login(int host_key_valid,
      /* If not in strict mode, add the key automatically to the local
         known_hosts file. */
      if (!add_host_to_hostfile(options.user_hostfile, hostp,
-                                BN_num_bits(host_key->n), 
                                host_key->e, host_key->n))
        log("Failed to add the host to the list of known hosts (%.500s).", 
            options.user_hostfile);
@@ -1238,13 +1232,20 @@ void ssh_login(int host_key_valid,
  case HOST_CHANGED:
    if (options.check_host_ip) {
      if (host_ip_differ) {
+        char *msg;
+        if (ip_status == HOST_NEW)
+          msg = "is unknown";
+        else if (ip_status == HOST_OK)
+          msg = "is unchanged";
+        else 
+          msg = "has a different value";
        error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
        error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
        error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
        error("The host key for %s has changed,", host);
-        error("but the key for the according IP address %s has", ip);
+        error("and the key for the according IP address %s", ip);
-        error("a different status.  This could either mean that DNS");
+        error("%s. This could either mean that", msg);
-        error("SPOOFING is happening or the IP address for the host");
+        error("DNS SPOOFING is happening or the IP address for the host");
        error("and its host key have changed at the same time");
      }
    }
@@ -1391,8 +1392,7 @@ void ssh_login(int host_key_valid,
  debug("Sent encrypted session key.");
  
  /* Set the encryption key. */
-  packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, 
+  packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
-                            options.cipher, 1);
  /* We will no longer need the session key here.  Destroy any extra copies. */
  memset(session_key, 0, sizeof(session_key));
author	Damien Miller <djm@mindrot.org>	1999-11-16 13:37:16 +1100
committer	Damien Miller <djm@mindrot.org>	1999-11-16 13:37:16 +1100
commit	7e8e820153a620ab1dcd81857a7de0969c41d043 (patch)
tree	226cc4185feae97f4069ad60b4c18d259aa5df2f /sshconnect.c
parent	4874c79a3a05fc18678d7a85d7091f5139630fac (diff)