diff options
| author | Damien Miller <djm@mindrot.org> | 2010-12-01 12:21:51 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-12-01 12:21:51 +1100 |
| commit | d925dcd8a5d1a3070061006788352bed93260582 (patch) | |
| tree | 12f78195086ff506d0f4e4c39098d675cdae0ee9 /sshconnect.c | |
| parent | 03c0e533de56a1fc55ec1885d35c3197fdefbf94 (diff) | |
- djm@cvs.openbsd.org 2010/11/29 23:45:51
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
[sshconnect.h sshconnect2.c]
automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 291 |
1 files changed, 153 insertions, 138 deletions
diff --git a/sshconnect.c b/sshconnect.c index 78068c602..064bb74b3 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.228 2010/10/06 21:10:21 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.229 2010/11/29 23:45:51 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -75,7 +75,7 @@ extern char *__progname; | |||
| 75 | extern uid_t original_real_uid; | 75 | extern uid_t original_real_uid; |
| 76 | extern uid_t original_effective_uid; | 76 | extern uid_t original_effective_uid; |
| 77 | 77 | ||
| 78 | static int show_other_keys(const char *, Key *); | 78 | static int show_other_keys(struct hostkeys *, Key *); |
| 79 | static void warn_changed_key(Key *); | 79 | static void warn_changed_key(Key *); |
| 80 | 80 | ||
| 81 | /* | 81 | /* |
| @@ -607,6 +607,79 @@ check_host_cert(const char *host, const Key *host_key) | |||
| 607 | return 1; | 607 | return 1; |
| 608 | } | 608 | } |
| 609 | 609 | ||
| 610 | static int | ||
| 611 | sockaddr_is_local(struct sockaddr *hostaddr) | ||
| 612 | { | ||
| 613 | switch (hostaddr->sa_family) { | ||
| 614 | case AF_INET: | ||
| 615 | return (ntohl(((struct sockaddr_in *)hostaddr)-> | ||
| 616 | sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; | ||
| 617 | case AF_INET6: | ||
| 618 | return IN6_IS_ADDR_LOOPBACK( | ||
| 619 | &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); | ||
| 620 | default: | ||
| 621 | return 0; | ||
| 622 | } | ||
| 623 | } | ||
| 624 | |||
| 625 | /* | ||
| 626 | * Prepare the hostname and ip address strings that are used to lookup | ||
| 627 | * host keys in known_hosts files. These may have a port number appended. | ||
| 628 | */ | ||
| 629 | void | ||
| 630 | get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr, | ||
| 631 | u_short port, char **hostfile_hostname, char **hostfile_ipaddr) | ||
| 632 | { | ||
| 633 | char ntop[NI_MAXHOST]; | ||
| 634 | socklen_t addrlen; | ||
| 635 | |||
| 636 | switch (hostaddr == NULL ? -1 : hostaddr->sa_family) { | ||
| 637 | case -1: | ||
| 638 | addrlen = 0; | ||
| 639 | break; | ||
| 640 | case AF_INET: | ||
| 641 | addrlen = sizeof(struct sockaddr_in); | ||
| 642 | break; | ||
| 643 | case AF_INET6: | ||
| 644 | addrlen = sizeof(struct sockaddr_in6); | ||
| 645 | break; | ||
| 646 | default: | ||
| 647 | addrlen = sizeof(struct sockaddr); | ||
| 648 | break; | ||
| 649 | } | ||
| 650 | |||
| 651 | /* | ||
| 652 | * We don't have the remote ip-address for connections | ||
| 653 | * using a proxy command | ||
| 654 | */ | ||
| 655 | if (hostfile_ipaddr != NULL) { | ||
| 656 | if (options.proxy_command == NULL) { | ||
| 657 | if (getnameinfo(hostaddr, addrlen, | ||
| 658 | ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) | ||
| 659 | fatal("check_host_key: getnameinfo failed"); | ||
| 660 | *hostfile_ipaddr = put_host_port(ntop, port); | ||
| 661 | } else { | ||
| 662 | *hostfile_ipaddr = xstrdup("<no hostip for proxy " | ||
| 663 | "command>"); | ||
| 664 | } | ||
| 665 | } | ||
| 666 | |||
| 667 | /* | ||
| 668 | * Allow the user to record the key under a different name or | ||
| 669 | * differentiate a non-standard port. This is useful for ssh | ||
| 670 | * tunneling over forwarded connections or if you run multiple | ||
| 671 | * sshd's on different ports on the same machine. | ||
| 672 | */ | ||
| 673 | if (hostfile_hostname != NULL) { | ||
| 674 | if (options.host_key_alias != NULL) { | ||
| 675 | *hostfile_hostname = xstrdup(options.host_key_alias); | ||
| 676 | debug("using hostkeyalias: %s", *hostfile_hostname); | ||
| 677 | } else { | ||
| 678 | *hostfile_hostname = put_host_port(hostname, port); | ||
| 679 | } | ||
| 680 | } | ||
| 681 | } | ||
| 682 | |||
| 610 | /* | 683 | /* |
| 611 | * check whether the supplied host key is valid, return -1 if the key | 684 | * check whether the supplied host key is valid, return -1 if the key |
| 612 | * is not valid. the user_hostfile will not be updated if 'readonly' is true. | 685 | * is not valid. the user_hostfile will not be updated if 'readonly' is true. |
| @@ -616,21 +689,21 @@ check_host_cert(const char *host, const Key *host_key) | |||
| 616 | #define ROQUIET 2 | 689 | #define ROQUIET 2 |
| 617 | static int | 690 | static int |
| 618 | check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 691 | check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
| 619 | Key *host_key, int readonly, const char *user_hostfile, | 692 | Key *host_key, int readonly, char *user_hostfile, |
| 620 | const char *system_hostfile) | 693 | char *system_hostfile) |
| 621 | { | 694 | { |
| 622 | Key *file_key, *raw_key = NULL; | 695 | Key *raw_key = NULL; |
| 623 | const char *type; | 696 | const char *type; |
| 624 | char *ip = NULL, *host = NULL; | 697 | char *ip = NULL, *host = NULL; |
| 625 | char hostline[1000], *hostp, *fp, *ra; | 698 | char hostline[1000], *hostp, *fp, *ra; |
| 626 | HostStatus host_status; | 699 | HostStatus host_status; |
| 627 | HostStatus ip_status; | 700 | HostStatus ip_status; |
| 628 | int r, want_cert, local = 0, host_ip_differ = 0; | 701 | int r, want_cert = key_is_cert(host_key), host_ip_differ = 0; |
| 629 | int salen; | 702 | int local = sockaddr_is_local(hostaddr); |
| 630 | char ntop[NI_MAXHOST]; | ||
| 631 | char msg[1024]; | 703 | char msg[1024]; |
| 632 | int len, host_line, ip_line, cancelled_forwarding = 0; | 704 | int len, cancelled_forwarding = 0; |
| 633 | const char *host_file = NULL, *ip_file = NULL; | 705 | struct hostkeys *host_hostkeys, *ip_hostkeys; |
| 706 | const struct hostkey_entry *host_found, *ip_found; | ||
| 634 | 707 | ||
| 635 | /* | 708 | /* |
| 636 | * Force accepting of the host key for loopback/localhost. The | 709 | * Force accepting of the host key for loopback/localhost. The |
| @@ -640,23 +713,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 640 | * essentially disables host authentication for localhost; however, | 713 | * essentially disables host authentication for localhost; however, |
| 641 | * this is probably not a real problem. | 714 | * this is probably not a real problem. |
| 642 | */ | 715 | */ |
| 643 | /** hostaddr == 0! */ | ||
| 644 | switch (hostaddr->sa_family) { | ||
| 645 | case AF_INET: | ||
| 646 | local = (ntohl(((struct sockaddr_in *)hostaddr)-> | ||
| 647 | sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; | ||
| 648 | salen = sizeof(struct sockaddr_in); | ||
| 649 | break; | ||
| 650 | case AF_INET6: | ||
| 651 | local = IN6_IS_ADDR_LOOPBACK( | ||
| 652 | &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); | ||
| 653 | salen = sizeof(struct sockaddr_in6); | ||
| 654 | break; | ||
| 655 | default: | ||
| 656 | local = 0; | ||
| 657 | salen = sizeof(struct sockaddr_storage); | ||
| 658 | break; | ||
| 659 | } | ||
| 660 | if (options.no_host_authentication_for_localhost == 1 && local && | 716 | if (options.no_host_authentication_for_localhost == 1 && local && |
| 661 | options.host_key_alias == NULL) { | 717 | options.host_key_alias == NULL) { |
| 662 | debug("Forcing accepting of host key for " | 718 | debug("Forcing accepting of host key for " |
| @@ -665,17 +721,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 665 | } | 721 | } |
| 666 | 722 | ||
| 667 | /* | 723 | /* |
| 668 | * We don't have the remote ip-address for connections | 724 | * Prepare the hostname and address strings used for hostkey lookup. |
| 669 | * using a proxy command | 725 | * In some cases, these will have a port number appended. |
| 670 | */ | 726 | */ |
| 671 | if (options.proxy_command == NULL) { | 727 | get_hostfile_hostname_ipaddr(hostname, hostaddr, port, &host, &ip); |
| 672 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), | ||
| 673 | NULL, 0, NI_NUMERICHOST) != 0) | ||
| 674 | fatal("check_host_key: getnameinfo failed"); | ||
| 675 | ip = put_host_port(ntop, port); | ||
| 676 | } else { | ||
| 677 | ip = xstrdup("<no hostip for proxy command>"); | ||
| 678 | } | ||
| 679 | 728 | ||
| 680 | /* | 729 | /* |
| 681 | * Turn off check_host_ip if the connection is to localhost, via proxy | 730 | * Turn off check_host_ip if the connection is to localhost, via proxy |
| @@ -685,74 +734,52 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 685 | strcmp(hostname, ip) == 0 || options.proxy_command != NULL)) | 734 | strcmp(hostname, ip) == 0 || options.proxy_command != NULL)) |
| 686 | options.check_host_ip = 0; | 735 | options.check_host_ip = 0; |
| 687 | 736 | ||
| 688 | /* | 737 | host_hostkeys = init_hostkeys(); |
| 689 | * Allow the user to record the key under a different name or | 738 | load_hostkeys(host_hostkeys, host, user_hostfile); |
| 690 | * differentiate a non-standard port. This is useful for ssh | 739 | load_hostkeys(host_hostkeys, host, system_hostfile); |
| 691 | * tunneling over forwarded connections or if you run multiple | 740 | |
| 692 | * sshd's on different ports on the same machine. | 741 | ip_hostkeys = NULL; |
| 693 | */ | 742 | if (!want_cert && options.check_host_ip) { |
| 694 | if (options.host_key_alias != NULL) { | 743 | ip_hostkeys = init_hostkeys(); |
| 695 | host = xstrdup(options.host_key_alias); | 744 | load_hostkeys(ip_hostkeys, ip, user_hostfile); |
| 696 | debug("using hostkeyalias: %s", host); | 745 | load_hostkeys(ip_hostkeys, ip, system_hostfile); |
| 697 | } else { | ||
| 698 | host = put_host_port(hostname, port); | ||
| 699 | } | 746 | } |
| 700 | 747 | ||
| 701 | retry: | 748 | retry: |
| 749 | /* Reload these as they may have changed on cert->key downgrade */ | ||
| 702 | want_cert = key_is_cert(host_key); | 750 | want_cert = key_is_cert(host_key); |
| 703 | type = key_type(host_key); | 751 | type = key_type(host_key); |
| 704 | 752 | ||
| 705 | /* | 753 | /* |
| 706 | * Store the host key from the known host file in here so that we can | ||
| 707 | * compare it with the key for the IP address. | ||
| 708 | */ | ||
| 709 | file_key = key_new(key_is_cert(host_key) ? KEY_UNSPEC : host_key->type); | ||
| 710 | |||
| 711 | /* | ||
| 712 | * Check if the host key is present in the user's list of known | 754 | * Check if the host key is present in the user's list of known |
| 713 | * hosts or in the systemwide list. | 755 | * hosts or in the systemwide list. |
| 714 | */ | 756 | */ |
| 715 | host_file = user_hostfile; | 757 | host_status = check_key_in_hostkeys(host_hostkeys, host_key, |
| 716 | host_status = check_host_in_hostfile(host_file, host, host_key, | 758 | &host_found); |
| 717 | file_key, &host_line); | 759 | |
| 718 | if (host_status == HOST_NEW) { | ||
| 719 | host_file = system_hostfile; | ||
| 720 | host_status = check_host_in_hostfile(host_file, host, host_key, | ||
| 721 | file_key, &host_line); | ||
| 722 | } | ||
| 723 | /* | 760 | /* |
| 724 | * Also perform check for the ip address, skip the check if we are | 761 | * Also perform check for the ip address, skip the check if we are |
| 725 | * localhost, looking for a certificate, or the hostname was an ip | 762 | * localhost, looking for a certificate, or the hostname was an ip |
| 726 | * address to begin with. | 763 | * address to begin with. |
| 727 | */ | 764 | */ |
| 728 | if (!want_cert && options.check_host_ip) { | 765 | if (!want_cert && ip_hostkeys != NULL) { |
| 729 | Key *ip_key = key_new(host_key->type); | 766 | ip_status = check_key_in_hostkeys(ip_hostkeys, host_key, |
| 730 | 767 | &ip_found); | |
| 731 | ip_file = user_hostfile; | ||
| 732 | ip_status = check_host_in_hostfile(ip_file, ip, host_key, | ||
| 733 | ip_key, &ip_line); | ||
| 734 | if (ip_status == HOST_NEW) { | ||
| 735 | ip_file = system_hostfile; | ||
| 736 | ip_status = check_host_in_hostfile(ip_file, ip, | ||
| 737 | host_key, ip_key, &ip_line); | ||
| 738 | } | ||
| 739 | if (host_status == HOST_CHANGED && | 768 | if (host_status == HOST_CHANGED && |
| 740 | (ip_status != HOST_CHANGED || !key_equal(ip_key, file_key))) | 769 | (ip_status != HOST_CHANGED || |
| 770 | (ip_found != NULL && | ||
| 771 | !key_equal(ip_found->key, host_found->key)))) | ||
| 741 | host_ip_differ = 1; | 772 | host_ip_differ = 1; |
| 742 | |||
| 743 | key_free(ip_key); | ||
| 744 | } else | 773 | } else |
| 745 | ip_status = host_status; | 774 | ip_status = host_status; |
| 746 | 775 | ||
| 747 | key_free(file_key); | ||
| 748 | |||
| 749 | switch (host_status) { | 776 | switch (host_status) { |
| 750 | case HOST_OK: | 777 | case HOST_OK: |
| 751 | /* The host is known and the key matches. */ | 778 | /* The host is known and the key matches. */ |
| 752 | debug("Host '%.200s' is known and matches the %s host %s.", | 779 | debug("Host '%.200s' is known and matches the %s host %s.", |
| 753 | host, type, want_cert ? "certificate" : "key"); | 780 | host, type, want_cert ? "certificate" : "key"); |
| 754 | debug("Found %s in %s:%d", | 781 | debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", |
| 755 | want_cert ? "CA key" : "key", host_file, host_line); | 782 | host_found->file, host_found->line); |
| 756 | if (want_cert && !check_host_cert(hostname, host_key)) | 783 | if (want_cert && !check_host_cert(hostname, host_key)) |
| 757 | goto fail; | 784 | goto fail; |
| 758 | if (options.check_host_ip && ip_status == HOST_NEW) { | 785 | if (options.check_host_ip && ip_status == HOST_NEW) { |
| @@ -803,7 +830,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 803 | } else if (options.strict_host_key_checking == 2) { | 830 | } else if (options.strict_host_key_checking == 2) { |
| 804 | char msg1[1024], msg2[1024]; | 831 | char msg1[1024], msg2[1024]; |
| 805 | 832 | ||
| 806 | if (show_other_keys(host, host_key)) | 833 | if (show_other_keys(host_hostkeys, host_key)) |
| 807 | snprintf(msg1, sizeof(msg1), | 834 | snprintf(msg1, sizeof(msg1), |
| 808 | "\nbut keys of different type are already" | 835 | "\nbut keys of different type are already" |
| 809 | " known for this host."); | 836 | " known for this host."); |
| @@ -844,8 +871,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 844 | * local known_hosts file. | 871 | * local known_hosts file. |
| 845 | */ | 872 | */ |
| 846 | if (options.check_host_ip && ip_status == HOST_NEW) { | 873 | if (options.check_host_ip && ip_status == HOST_NEW) { |
| 847 | snprintf(hostline, sizeof(hostline), "%s,%s", | 874 | snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); |
| 848 | host, ip); | ||
| 849 | hostp = hostline; | 875 | hostp = hostline; |
| 850 | if (options.hash_known_hosts) { | 876 | if (options.hash_known_hosts) { |
| 851 | /* Add hash of host and IP separately */ | 877 | /* Add hash of host and IP separately */ |
| @@ -899,8 +925,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 899 | * all hosts that one might visit. | 925 | * all hosts that one might visit. |
| 900 | */ | 926 | */ |
| 901 | debug("Host certificate authority does not " | 927 | debug("Host certificate authority does not " |
| 902 | "match %s in %s:%d", CA_MARKER, | 928 | "match %s in %s:%lu", CA_MARKER, |
| 903 | host_file, host_line); | 929 | host_found->file, host_found->line); |
| 904 | goto fail; | 930 | goto fail; |
| 905 | } | 931 | } |
| 906 | if (readonly == ROQUIET) | 932 | if (readonly == ROQUIET) |
| @@ -922,13 +948,15 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 922 | error("DNS SPOOFING is happening or the IP address for the host"); | 948 | error("DNS SPOOFING is happening or the IP address for the host"); |
| 923 | error("and its host key have changed at the same time."); | 949 | error("and its host key have changed at the same time."); |
| 924 | if (ip_status != HOST_NEW) | 950 | if (ip_status != HOST_NEW) |
| 925 | error("Offending key for IP in %s:%d", ip_file, ip_line); | 951 | error("Offending key for IP in %s:%lu", |
| 952 | ip_found->file, ip_found->line); | ||
| 926 | } | 953 | } |
| 927 | /* The host key has changed. */ | 954 | /* The host key has changed. */ |
| 928 | warn_changed_key(host_key); | 955 | warn_changed_key(host_key); |
| 929 | error("Add correct host key in %.100s to get rid of this message.", | 956 | error("Add correct host key in %.100s to get rid of this message.", |
| 930 | user_hostfile); | 957 | user_hostfile); |
| 931 | error("Offending key in %s:%d", host_file, host_line); | 958 | error("Offending %s key in %s:%lu", key_type(host_found->key), |
| 959 | host_found->file, host_found->line); | ||
| 932 | 960 | ||
| 933 | /* | 961 | /* |
| 934 | * If strict host key checking is in use, the user will have | 962 | * If strict host key checking is in use, the user will have |
| @@ -1013,13 +1041,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 1013 | snprintf(msg, sizeof(msg), | 1041 | snprintf(msg, sizeof(msg), |
| 1014 | "Warning: the %s host key for '%.200s' " | 1042 | "Warning: the %s host key for '%.200s' " |
| 1015 | "differs from the key for the IP address '%.128s'" | 1043 | "differs from the key for the IP address '%.128s'" |
| 1016 | "\nOffending key for IP in %s:%d", | 1044 | "\nOffending key for IP in %s:%lu", |
| 1017 | type, host, ip, ip_file, ip_line); | 1045 | type, host, ip, ip_found->file, ip_found->line); |
| 1018 | if (host_status == HOST_OK) { | 1046 | if (host_status == HOST_OK) { |
| 1019 | len = strlen(msg); | 1047 | len = strlen(msg); |
| 1020 | snprintf(msg + len, sizeof(msg) - len, | 1048 | snprintf(msg + len, sizeof(msg) - len, |
| 1021 | "\nMatching host key in %s:%d", | 1049 | "\nMatching host key in %s:%lu", |
| 1022 | host_file, host_line); | 1050 | host_found->file, host_found->line); |
| 1023 | } | 1051 | } |
| 1024 | if (options.strict_host_key_checking == 1) { | 1052 | if (options.strict_host_key_checking == 1) { |
| 1025 | logit("%s", msg); | 1053 | logit("%s", msg); |
| @@ -1037,6 +1065,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 1037 | 1065 | ||
| 1038 | xfree(ip); | 1066 | xfree(ip); |
| 1039 | xfree(host); | 1067 | xfree(host); |
| 1068 | if (host_hostkeys != NULL) | ||
| 1069 | free_hostkeys(host_hostkeys); | ||
| 1070 | if (ip_hostkeys != NULL) | ||
| 1071 | free_hostkeys(ip_hostkeys); | ||
| 1040 | return 0; | 1072 | return 0; |
| 1041 | 1073 | ||
| 1042 | fail: | 1074 | fail: |
| @@ -1056,6 +1088,10 @@ fail: | |||
| 1056 | key_free(raw_key); | 1088 | key_free(raw_key); |
| 1057 | xfree(ip); | 1089 | xfree(ip); |
| 1058 | xfree(host); | 1090 | xfree(host); |
| 1091 | if (host_hostkeys != NULL) | ||
| 1092 | free_hostkeys(host_hostkeys); | ||
| 1093 | if (ip_hostkeys != NULL) | ||
| 1094 | free_hostkeys(ip_hostkeys); | ||
| 1059 | return -1; | 1095 | return -1; |
| 1060 | } | 1096 | } |
| 1061 | 1097 | ||
| @@ -1065,6 +1101,11 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1065 | { | 1101 | { |
| 1066 | struct stat st; | 1102 | struct stat st; |
| 1067 | int flags = 0; | 1103 | int flags = 0; |
| 1104 | char *fp; | ||
| 1105 | |||
| 1106 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); | ||
| 1107 | debug("Server host key: %s %s", key_type(host_key), fp); | ||
| 1108 | xfree(fp); | ||
| 1068 | 1109 | ||
| 1069 | /* XXX certs are not yet supported for DNS */ | 1110 | /* XXX certs are not yet supported for DNS */ |
| 1070 | if (!key_is_cert(host_key) && options.verify_host_key_dns && | 1111 | if (!key_is_cert(host_key) && options.verify_host_key_dns && |
| @@ -1108,7 +1149,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 1108 | */ | 1149 | */ |
| 1109 | void | 1150 | void |
| 1110 | ssh_login(Sensitive *sensitive, const char *orighost, | 1151 | ssh_login(Sensitive *sensitive, const char *orighost, |
| 1111 | struct sockaddr *hostaddr, struct passwd *pw, int timeout_ms) | 1152 | struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms) |
| 1112 | { | 1153 | { |
| 1113 | char *host, *cp; | 1154 | char *host, *cp; |
| 1114 | char *server_user, *local_user; | 1155 | char *server_user, *local_user; |
| @@ -1131,7 +1172,7 @@ ssh_login(Sensitive *sensitive, const char *orighost, | |||
| 1131 | /* key exchange */ | 1172 | /* key exchange */ |
| 1132 | /* authenticate user */ | 1173 | /* authenticate user */ |
| 1133 | if (compat20) { | 1174 | if (compat20) { |
| 1134 | ssh_kex2(host, hostaddr); | 1175 | ssh_kex2(host, hostaddr, port); |
| 1135 | ssh_userauth2(local_user, server_user, host, sensitive); | 1176 | ssh_userauth2(local_user, server_user, host, sensitive); |
| 1136 | } else { | 1177 | } else { |
| 1137 | ssh_kex(host, hostaddr); | 1178 | ssh_kex(host, hostaddr); |
| @@ -1158,61 +1199,35 @@ ssh_put_password(char *password) | |||
| 1158 | xfree(padded); | 1199 | xfree(padded); |
| 1159 | } | 1200 | } |
| 1160 | 1201 | ||
| 1161 | static int | ||
| 1162 | show_key_from_file(const char *file, const char *host, int keytype) | ||
| 1163 | { | ||
| 1164 | Key *found; | ||
| 1165 | char *fp, *ra; | ||
| 1166 | int line, ret; | ||
| 1167 | |||
| 1168 | found = key_new(keytype); | ||
| 1169 | if ((ret = lookup_key_in_hostfile_by_type(file, host, | ||
| 1170 | keytype, found, &line))) { | ||
| 1171 | fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); | ||
| 1172 | ra = key_fingerprint(found, SSH_FP_MD5, SSH_FP_RANDOMART); | ||
| 1173 | logit("WARNING: %s key found for host %s\n" | ||
| 1174 | "in %s:%d\n" | ||
| 1175 | "%s key fingerprint %s.\n%s\n", | ||
| 1176 | key_type(found), host, file, line, | ||
| 1177 | key_type(found), fp, ra); | ||
| 1178 | xfree(ra); | ||
| 1179 | xfree(fp); | ||
| 1180 | } | ||
| 1181 | key_free(found); | ||
| 1182 | return (ret); | ||
| 1183 | } | ||
| 1184 | |||
| 1185 | /* print all known host keys for a given host, but skip keys of given type */ | 1202 | /* print all known host keys for a given host, but skip keys of given type */ |
| 1186 | static int | 1203 | static int |
| 1187 | show_other_keys(const char *host, Key *key) | 1204 | show_other_keys(struct hostkeys *hostkeys, Key *key) |
| 1188 | { | 1205 | { |
| 1189 | int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_ECDSA, -1}; | 1206 | int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_ECDSA, -1}; |
| 1190 | int i, found = 0; | 1207 | int i, ret = 0; |
| 1208 | char *fp, *ra; | ||
| 1209 | const struct hostkey_entry *found; | ||
| 1191 | 1210 | ||
| 1192 | for (i = 0; type[i] != -1; i++) { | 1211 | for (i = 0; type[i] != -1; i++) { |
| 1193 | if (type[i] == key->type) | 1212 | if (type[i] == key->type) |
| 1194 | continue; | 1213 | continue; |
| 1195 | if (type[i] != KEY_RSA1 && | 1214 | if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) |
| 1196 | show_key_from_file(options.user_hostfile2, host, type[i])) { | ||
| 1197 | found = 1; | ||
| 1198 | continue; | ||
| 1199 | } | ||
| 1200 | if (type[i] != KEY_RSA1 && | ||
| 1201 | show_key_from_file(options.system_hostfile2, host, type[i])) { | ||
| 1202 | found = 1; | ||
| 1203 | continue; | ||
| 1204 | } | ||
| 1205 | if (show_key_from_file(options.user_hostfile, host, type[i])) { | ||
| 1206 | found = 1; | ||
| 1207 | continue; | 1215 | continue; |
| 1208 | } | 1216 | fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); |
| 1209 | if (show_key_from_file(options.system_hostfile, host, type[i])) { | 1217 | ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); |
| 1210 | found = 1; | 1218 | logit("WARNING: %s key found for host %s\n" |
| 1211 | continue; | 1219 | "in %s:%lu\n" |
| 1212 | } | 1220 | "%s key fingerprint %s.", |
| 1213 | debug2("no key of type %d for host %s", type[i], host); | 1221 | key_type(found->key), |
| 1222 | found->host, found->file, found->line, | ||
| 1223 | key_type(found->key), fp); | ||
| 1224 | if (options.visual_host_key) | ||
| 1225 | logit("%s", ra); | ||
| 1226 | xfree(ra); | ||
| 1227 | xfree(fp); | ||
| 1228 | ret = 1; | ||
| 1214 | } | 1229 | } |
| 1215 | return (found); | 1230 | return ret; |
| 1216 | } | 1231 | } |
| 1217 | 1232 | ||
| 1218 | static void | 1233 | static void |