-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | sshconnect.c | 15 |
2 files changed, 20 insertions, 3 deletions
@@ -5,6 +5,12 @@ | |||
5 | Patch from larsch@trustcenter.de; ok markus@ | 5 | Patch from larsch@trustcenter.de; ok markus@ |
6 | - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from | 6 | - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from |
7 | larsch@trustcenter.de; ok markus@ | 7 | larsch@trustcenter.de; ok markus@ |
8 | - (djm) OpenBSD CVS Sync | ||
9 | - djm@cvs.openbsd.org 2003/06/04 08:25:18 | ||
10 | [sshconnect.c] | ||
11 | disable challenge/response and keyboard-interactive auth methods | ||
12 | upon hostkey mismatch. based on patch from fcusack AT fcusack.com. | ||
13 | bz #580; ok markus@ | ||
8 | 14 | ||
9 | 20030603 | 15 | 20030603 |
10 | - (djm) Replace setproctitle replacement with code derived from | 16 | - (djm) Replace setproctitle replacement with code derived from |
@@ -433,4 +439,4 @@ | |||
433 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 439 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
434 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 440 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
435 | 441 | ||
436 | $Id: ChangeLog,v 1.2773 2003/06/04 09:22:06 djm Exp $ | 442 | $Id: ChangeLog,v 1.2774 2003/06/04 10:31:53 djm Exp $ |
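diff --git a/sshconnect.c b/sshconnect.c
index 0ff4b2bcc..b8a77a2a3 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $");
 
 #include <openssl/bn.h>
 
@@ -796,7 +796,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 
 /*
 * If strict host key checking has not been requested, allow
-* the connection but without password authentication or
+* the connection but without MITM-able authentication or
 * agent forwarding.
 */
 if (options.password_authentication) {
@@ -804,6 +804,17 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 "man-in-the-middle attacks.");
 options.password_authentication = 0;
 }
+if (options.kbd_interactive_authentication) {
+error("Keyboard-interactive authentication is disabled"
+" to avoid man-in-the-middle attacks.");
+options.kbd_interactive_authentication = 0;
+options.challenge_response_authentication = 0;
+}
+if (options.challenge_response_authentication) {
+error("Challenge/response authentication is disabled"
+" to avoid man-in-the-middle attacks.");
+options.challenge_response_authentication = 0;
+}
 if (options.forward_agent) {
 error("Agent forwarding is disabled to avoid "
 "man-in-the-middle attacks.");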
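Review bot: The keyboard-interactive branch (new lines 807-812) also zeroes `options.challenge_response_authentication`, so when both methods are enabled the challenge/response branch right below it never runs and the user is only told that keyboard-interactive was disabled. If the two flags are deliberately cleared together, make that explicit with one combined message such as `error("Keyboard-interactive and challenge/response authentication are disabled to avoid man-in-the-middle attacks.");`; otherwise drop the extra assignment from the first branch so each method logs its own warning. Whether clearing these flags actually stops the client from offering the methods depends on the authentication code in sshconnect2.c honouring them, which is not visible here. Only agent forwarding is cancelled in the visible part of this path; if X11 and port forwarding are not also disabled further down, outside the hunk, they remain usable against an unverified host key. check_host_key continues outside the hunk.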