summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog9
-rw-r--r--sshconnect.c9
2 files changed, 15 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index d3077fbda..1d718224c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
120060805
2 - (djm) OpenBSD CVS Sync
3 - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
4 [sshconnect.c]
5 disable tunnel forwarding when no strict host key checking
6 and key changed; ok djm@ markus@ dtucker@
7
120060804 820060804
2 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent 9 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
3 versions of Solaris, so use AC_LINK_IFELSE to actually link the test program 10 versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
@@ -5067,4 +5074,4 @@
5067 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 5074 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
5068 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 5075 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
5069 5076
5070$Id: ChangeLog,v 1.4441 2006/08/04 09:44:23 dtucker Exp $ 5077$Id: ChangeLog,v 1.4442 2006/08/04 23:11:13 djm Exp $
diff --git a/sshconnect.c b/sshconnect.c
index 21c5203c6..06844eb71 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect.c,v 1.193 2006/07/22 20:48:23 stevesk Exp $ */ 1/* $OpenBSD: sshconnect.c,v 1.194 2006/07/24 13:58:22 stevesk Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -782,7 +782,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
782 /* 782 /*
783 * If strict host key checking has not been requested, allow 783 * If strict host key checking has not been requested, allow
784 * the connection but without MITM-able authentication or 784 * the connection but without MITM-able authentication or
785 * agent forwarding. 785 * forwarding.
786 */ 786 */
787 if (options.password_authentication) { 787 if (options.password_authentication) {
788 error("Password authentication is disabled to avoid " 788 error("Password authentication is disabled to avoid "
@@ -817,6 +817,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
817 options.num_local_forwards = 817 options.num_local_forwards =
818 options.num_remote_forwards = 0; 818 options.num_remote_forwards = 0;
819 } 819 }
820 if (options.tun_open != SSH_TUNMODE_NO) {
821 error("Tunnel forwarding is disabled to avoid "
822 "man-in-the-middle attacks.");
823 options.tun_open = SSH_TUNMODE_NO;
824 }
820 /* 825 /*
821 * XXX Should permit the user to change to use the new id. 826 * XXX Should permit the user to change to use the new id.
822 * This could be done by converting the host key to an 827 * This could be done by converting the host key to an