diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | sshconnect.c | 42 |
2 files changed, 38 insertions, 9 deletions
| @@ -12,6 +12,9 @@ | |||
| 12 | - deraadt@cvs.openbsd.org 2003/06/10 22:20:52 | 12 | - deraadt@cvs.openbsd.org 2003/06/10 22:20:52 |
| 13 | [packet.c progressmeter.c] | 13 | [packet.c progressmeter.c] |
| 14 | mostly ansi cleanup; pval ok | 14 | mostly ansi cleanup; pval ok |
| 15 | - jakob@cvs.openbsd.org 2003/06/11 10:16:16 | ||
| 16 | [sshconnect.c] | ||
| 17 | clean up check_host_key() and improve SSHFP feedback. ok markus@ | ||
| 15 | 18 | ||
| 16 | 19 | ||
| 17 | 20030609 | 20 | 20030609 |
| @@ -496,4 +499,4 @@ | |||
| 496 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 499 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
| 497 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 500 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
| 498 | 501 | ||
| 499 | $Id: ChangeLog,v 1.2794 2003/06/11 12:05:06 djm Exp $ | 502 | $Id: ChangeLog,v 1.2795 2003/06/11 12:05:25 djm Exp $ |
diff --git a/sshconnect.c b/sshconnect.c index b8a77a2a3..82f5539c1 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -13,7 +13,7 @@ | |||
| 13 | */ | 13 | */ |
| 14 | 14 | ||
| 15 | #include "includes.h" | 15 | #include "includes.h" |
| 16 | RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $"); | 16 | RCSID("$OpenBSD: sshconnect.c,v 1.145 2003/06/11 10:16:16 jakob Exp $"); |
| 17 | 17 | ||
| 18 | #include <openssl/bn.h> | 18 | #include <openssl/bn.h> |
| 19 | 19 | ||
| @@ -40,6 +40,10 @@ RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $"); | |||
| 40 | char *client_version_string = NULL; | 40 | char *client_version_string = NULL; |
| 41 | char *server_version_string = NULL; | 41 | char *server_version_string = NULL; |
| 42 | 42 | ||
| 43 | #ifdef DNS | ||
| 44 | int verified_host_key_dns = 0; | ||
| 45 | #endif | ||
| 46 | |||
| 43 | /* import */ | 47 | /* import */ |
| 44 | extern Options options; | 48 | extern Options options; |
| 45 | extern char *__progname; | 49 | extern char *__progname; |
| @@ -570,7 +574,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 570 | int salen; | 574 | int salen; |
| 571 | char ntop[NI_MAXHOST]; | 575 | char ntop[NI_MAXHOST]; |
| 572 | char msg[1024]; | 576 | char msg[1024]; |
| 573 | int len, host_line, ip_line, has_keys; | 577 | int len, host_line, ip_line; |
| 574 | const char *host_file = NULL, *ip_file = NULL; | 578 | const char *host_file = NULL, *ip_file = NULL; |
| 575 | 579 | ||
| 576 | /* | 580 | /* |
| @@ -714,19 +718,36 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
| 714 | "have requested strict checking.", type, host); | 718 | "have requested strict checking.", type, host); |
| 715 | goto fail; | 719 | goto fail; |
| 716 | } else if (options.strict_host_key_checking == 2) { | 720 | } else if (options.strict_host_key_checking == 2) { |
| 717 | has_keys = show_other_keys(host, host_key); | 721 | char msg1[1024], msg2[1024]; |
| 722 | |||
| 723 | if (show_other_keys(host, host_key)) | ||
| 724 | snprintf(msg1, sizeof(msg1), | ||
| 725 | "\nbut keys of different type are already" | ||
| 726 | " known for this host."); | ||
| 727 | else | ||
| 728 | snprintf(msg1, sizeof(msg1), "."); | ||
| 718 | /* The default */ | 729 | /* The default */ |
| 719 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); | 730 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); |
| 731 | msg2[0] = '\0'; | ||
| 732 | #ifdef DNS | ||
| 733 | if (options.verify_host_key_dns) { | ||
| 734 | if (verified_host_key_dns) | ||
| 735 | snprintf(msg2, sizeof(msg2), | ||
| 736 | "Matching host key fingerprint" | ||
| 737 | " found in DNS.\n"); | ||
| 738 | else | ||
| 739 | snprintf(msg2, sizeof(msg2), | ||
| 740 | "No matching host key fingerprint" | ||
| 741 | " found in DNS.\n"); | ||
| 742 | } | ||
| 743 | #endif | ||
| 720 | snprintf(msg, sizeof(msg), | 744 | snprintf(msg, sizeof(msg), |
| 721 | "The authenticity of host '%.200s (%s)' can't be " | 745 | "The authenticity of host '%.200s (%s)' can't be " |
| 722 | "established%s\n" | 746 | "established%s\n" |
| 723 | "%s key fingerprint is %s.\n" | 747 | "%s key fingerprint is %s.\n%s" |
| 724 | "Are you sure you want to continue connecting " | 748 | "Are you sure you want to continue connecting " |
| 725 | "(yes/no)? ", | 749 | "(yes/no)? ", |
| 726 | host, ip, | 750 | host, ip, msg1, type, fp, msg2); |
| 727 | has_keys ? ",\nbut keys of different type are already " | ||
| 728 | "known for this host." : ".", | ||
| 729 | type, fp); | ||
| 730 | xfree(fp); | 751 | xfree(fp); |
| 731 | if (!confirm(msg)) | 752 | if (!confirm(msg)) |
| 732 | goto fail; | 753 | goto fail; |
| @@ -890,7 +911,12 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | |||
| 890 | if (options.verify_host_key_dns) { | 911 | if (options.verify_host_key_dns) { |
| 891 | switch(verify_host_key_dns(host, hostaddr, host_key)) { | 912 | switch(verify_host_key_dns(host, hostaddr, host_key)) { |
| 892 | case DNS_VERIFY_OK: | 913 | case DNS_VERIFY_OK: |
| 914 | #ifdef DNSSEC | ||
| 893 | return 0; | 915 | return 0; |
| 916 | #else | ||
| 917 | verified_host_key_dns = 1; | ||
| 918 | break; | ||
| 919 | #endif | ||
| 894 | case DNS_VERIFY_FAILED: | 920 | case DNS_VERIFY_FAILED: |
| 895 | return -1; | 921 | return -1; |
| 896 | case DNS_VERIFY_ERROR: | 922 | case DNS_VERIFY_ERROR: |