-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | sshconnect.c | 9 |
2 files changed, 15 insertions, 3 deletions
@@ -1,3 +1,10 @@ | |||
1 | 20060805 | ||
2 | - (djm) OpenBSD CVS Sync | ||
3 | - stevesk@cvs.openbsd.org 2006/07/24 13:58:22 | ||
4 | [sshconnect.c] | ||
5 | disable tunnel forwarding when no strict host key checking | ||
6 | and key changed; ok djm@ markus@ dtucker@ | ||
7 | |||
1 | 20060804 | 8 | 20060804 |
2 | - (dtucker) [configure.ac] The "crippled AES" test does not work on recent | 9 | - (dtucker) [configure.ac] The "crippled AES" test does not work on recent |
3 | versions of Solaris, so use AC_LINK_IFELSE to actually link the test program | 10 | versions of Solaris, so use AC_LINK_IFELSE to actually link the test program |
@@ -5067,4 +5074,4 @@ | |||
5067 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 5074 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
5068 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 5075 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
5069 | 5076 | ||
5070 | $Id: ChangeLog,v 1.4441 2006/08/04 09:44:23 dtucker Exp $ | 5077 | $Id: ChangeLog,v 1.4442 2006/08/04 23:11:13 djm Exp $ |
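--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.193 2006/07/22 20:48:23 stevesk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.194 2006/07/24 13:58:22 stevesk Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -782,7 +782,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
 /*
 * If strict host key checking has not been requested, allow
 * the connection but without MITM-able authentication or
-* agent forwarding.
+* forwarding.
 */
 if (options.password_authentication) {
 error("Password authentication is disabled to avoid "
@@ -817,6 +817,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
 options.num_local_forwards =
 options.num_remote_forwards = 0;
 }
+if (options.tun_open != SSH_TUNMODE_NO) {
+error("Tunnel forwarding is disabled to avoid "
+"man-in-the-middle attacks.");
+options.tun_open = SSH_TUNMODE_NO;
+}
 /*
 * XXX Should permit the user to change to use the new id.
 * This could be done by converting the host key to an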
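Review bot: The new `options.tun_open != SSH_TUNMODE_NO` test at the end of the last hunk assumes tun_open already holds a concrete mode when check_host_key runs; if the option-default filling in readconf.c can still leave an unresolved sentinel at this point, the test would fire and print the error on every non-strict connection with a changed key even when no tunnel was requested, so the call order against ssh.c and readconf.c (neither visible here) is worth confirming. The message and reset follow the same shape as the surrounding agent, X11 and port-forwarding downgrades, which keeps the log output greppable. A one-line comment above the new block, `/* Tunnel (-w) forwarding is as MITM-able as port forwarding; refuse it too. */`, would record why tunnels are grouped with the other forwardings. check_host_key both starts and ends outside this hunk.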