-rw-r--r-- | ChangeLog | 12 | ||||
-rw-r--r-- | packet.c | 8 | ||||
-rw-r--r-- | sshconnect.c | 96 |
3 files changed, 68 insertions, 48 deletions
@@ -1,3 +1,15 @@ | |||
1 | 20010103 | ||
2 | - (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD | ||
3 | tree (mainly positioning) | ||
4 | - (bal) OpenSSH CVS Update | ||
5 | - markus@cvs.openbsd.org 2001/01/02 20:41:02 | ||
6 | [packet.c] | ||
7 | log remote ip on disconnect; PR 1600 from jcs@rt.fm | ||
8 | - markus@cvs.openbsd.org 2001/01/02 20:50:56 | ||
9 | [sshconnect.c] | ||
10 | strict_host_key_checking for host_status != HOST_CHANGED && | ||
11 | ip_status == HOST_CHANGED | ||
12 | |||
1 | 20010102 | 13 | 20010102 |
2 | - (bal) OpenBSD CVS Update | 14 | - (bal) OpenBSD CVS Update |
3 | - markus@cvs.openbsd.org 2001/01/01 14:52:49 | 15 | - markus@cvs.openbsd.org 2001/01/01 14:52:49 |
@@ -37,7 +37,7 @@ | |||
37 | */ | 37 | */ |
38 | 38 | ||
39 | #include "includes.h" | 39 | #include "includes.h" |
40 | RCSID("$OpenBSD: packet.c,v 1.40 2000/12/19 23:17:57 markus Exp $"); | 40 | RCSID("$OpenBSD: packet.c,v 1.41 2001/01/02 20:41:02 markus Exp $"); |
41 | 41 | ||
42 | #include "xmalloc.h" | 42 | #include "xmalloc.h" |
43 | #include "buffer.h" | 43 | #include "buffer.h" |
@@ -979,7 +979,8 @@ packet_read_poll(int *payload_len_ptr) | |||
979 | case SSH2_MSG_DISCONNECT: | 979 | case SSH2_MSG_DISCONNECT: |
980 | reason = packet_get_int(); | 980 | reason = packet_get_int(); |
981 | msg = packet_get_string(NULL); | 981 | msg = packet_get_string(NULL); |
982 | log("Received disconnect: %d: %.900s", reason, msg); | 982 | log("Received disconnect from %s: %d: %.400s", get_remote_ipaddr(), |
983 | reason, msg); | ||
983 | xfree(msg); | 984 | xfree(msg); |
984 | fatal_cleanup(); | 985 | fatal_cleanup(); |
985 | break; | 986 | break; |
@@ -998,7 +999,8 @@ packet_read_poll(int *payload_len_ptr) | |||
998 | break; | 999 | break; |
999 | case SSH_MSG_DISCONNECT: | 1000 | case SSH_MSG_DISCONNECT: |
1000 | msg = packet_get_string(NULL); | 1001 | msg = packet_get_string(NULL); |
1001 | log("Received disconnect: %.900s", msg); | 1002 | log("Received disconnect from %s: %.400s", get_remote_ipaddr(), |
1003 | msg); | ||
1002 | fatal_cleanup(); | 1004 | fatal_cleanup(); |
1003 | xfree(msg); | 1005 | xfree(msg); |
1004 | break; | 1006 | break; |
diff --git a/sshconnect.c b/sshconnect.c index 22e691424..2102bef6f 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -13,7 +13,7 @@ | |||
13 | */ | 13 | */ |
14 | 14 | ||
15 | #include "includes.h" | 15 | #include "includes.h" |
16 | RCSID("$OpenBSD: sshconnect.c,v 1.87 2000/12/28 14:25:03 markus Exp $"); | 16 | RCSID("$OpenBSD: sshconnect.c,v 1.88 2001/01/02 20:50:56 markus Exp $"); |
17 | 17 | ||
18 | #include <openssl/bn.h> | 18 | #include <openssl/bn.h> |
19 | #include <openssl/dsa.h> | 19 | #include <openssl/dsa.h> |
@@ -417,7 +417,7 @@ read_yes_or_no(const char *prompt, int defval) | |||
417 | FILE *f; | 417 | FILE *f; |
418 | int retval = -1; | 418 | int retval = -1; |
419 | 419 | ||
420 | if (isatty(0)) | 420 | if (isatty(STDIN_FILENO)) |
421 | f = stdin; | 421 | f = stdin; |
422 | else | 422 | else |
423 | f = fopen("/dev/tty", "rw"); | 423 | f = fopen("/dev/tty", "rw"); |
@@ -472,7 +472,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
472 | int local = 0, host_ip_differ = 0; | 472 | int local = 0, host_ip_differ = 0; |
473 | int salen; | 473 | int salen; |
474 | char ntop[NI_MAXHOST]; | 474 | char ntop[NI_MAXHOST]; |
475 | int host_line = -1, ip_line = -1; | 475 | int host_line, ip_line; |
476 | const char *host_file = NULL, *ip_file = NULL; | 476 | const char *host_file = NULL, *ip_file = NULL; |
477 | 477 | ||
478 | /* | 478 | /* |
@@ -498,38 +498,36 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
498 | salen = sizeof(struct sockaddr_storage); | 498 | salen = sizeof(struct sockaddr_storage); |
499 | break; | 499 | break; |
500 | } | 500 | } |
501 | if (local) { | 501 | if (local && options.host_key_alias == NULL) { |
502 | if (options.host_key_alias == NULL) { | 502 | debug("Forcing accepting of host key for " |
503 | debug("Forcing accepting of host key for " | 503 | "loopback/localhost."); |
504 | "loopback/localhost."); | 504 | return; |
505 | return; | ||
506 | } | ||
507 | if (options.check_host_ip) | ||
508 | options.check_host_ip = 0; | ||
509 | } | 505 | } |
510 | 506 | ||
511 | /* | 507 | /* |
512 | * Turn off check_host_ip for proxy connects, since | 508 | * We don't have the remote ip-address for connections |
513 | * we don't have the remote ip-address | 509 | * using a proxy command |
510 | */ | ||
511 | if (options.proxy_command == NULL) { | ||
512 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), | ||
513 | NULL, 0, NI_NUMERICHOST) != 0) | ||
514 | fatal("check_host_key: getnameinfo failed"); | ||
515 | ip = xstrdup(ntop); | ||
516 | } else { | ||
517 | ip = xstrdup("<no hostip for proxy command>"); | ||
518 | } | ||
519 | /* | ||
520 | * Turn off check_host_ip if the connection is to localhost, via proxy | ||
521 | * command or if we don't have a hostname to compare with | ||
514 | */ | 522 | */ |
515 | if (options.proxy_command != NULL && options.check_host_ip) | 523 | if (options.check_host_ip && |
524 | (local || strcmp(host, ip) == 0 || options.proxy_command != NULL)) | ||
516 | options.check_host_ip = 0; | 525 | options.check_host_ip = 0; |
517 | 526 | ||
518 | |||
519 | |||
520 | if (options.proxy_command == NULL) { | ||
521 | if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), | ||
522 | NULL, 0, NI_NUMERICHOST) != 0) | ||
523 | fatal("check_host_key: getnameinfo failed"); | ||
524 | ip = xstrdup(ntop); | ||
525 | } else { | ||
526 | ip = xstrdup("<no hostip for proxy command>"); | ||
527 | } | ||
528 | |||
529 | /* | 527 | /* |
530 | * Allow the user to record the key under a different name. This is | 528 | * Allow the user to record the key under a different name. This is |
531 | * useful for ssh tunneling over forwarded connections or if you run | 529 | * useful for ssh tunneling over forwarded connections or if you run |
532 | * multiple sshd's on different ports on the same machine. | 530 | * multiple sshd's on different ports on the same machine. |
533 | */ | 531 | */ |
534 | if (options.host_key_alias != NULL) { | 532 | if (options.host_key_alias != NULL) { |
535 | host = options.host_key_alias; | 533 | host = options.host_key_alias; |
@@ -556,7 +554,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
556 | * Also perform check for the ip address, skip the check if we are | 554 | * Also perform check for the ip address, skip the check if we are |
557 | * localhost or the hostname was an ip address to begin with | 555 | * localhost or the hostname was an ip address to begin with |
558 | */ | 556 | */ |
559 | if (options.check_host_ip && !local && strcmp(host, ip)) { | 557 | if (options.check_host_ip) { |
560 | Key *ip_key = key_new(host_key->type); | 558 | Key *ip_key = key_new(host_key->type); |
561 | 559 | ||
562 | ip_file = user_hostfile; | 560 | ip_file = user_hostfile; |
@@ -581,21 +579,13 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
581 | debug("Host '%.200s' is known and matches the %s host key.", | 579 | debug("Host '%.200s' is known and matches the %s host key.", |
582 | host, type); | 580 | host, type); |
583 | debug("Found key in %s:%d", host_file, host_line); | 581 | debug("Found key in %s:%d", host_file, host_line); |
584 | if (options.check_host_ip) { | 582 | if (options.check_host_ip && ip_status == HOST_NEW) { |
585 | if (ip_status == HOST_NEW) { | 583 | if (!add_host_to_hostfile(user_hostfile, ip, host_key)) |
586 | if (!add_host_to_hostfile(user_hostfile, ip, host_key)) | 584 | log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).", |
587 | log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).", | 585 | type, ip, user_hostfile); |
588 | type, ip, user_hostfile); | 586 | else |
589 | else | 587 | log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.", |
590 | log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.", | 588 | type, ip); |
591 | type, ip); | ||
592 | } else if (ip_status != HOST_OK) { | ||
593 | log("Warning: the %s host key for '%.200s' differs from the key for the IP address '%.30s'", | ||
594 | type, host, ip); | ||
595 | log("Found key in %s:%d", host_file, host_line); | ||
596 | if (ip_line != -1) | ||
597 | log("Offending key for IP in %s:%d", ip_file, ip_line); | ||
598 | } | ||
599 | } | 589 | } |
600 | break; | 590 | break; |
601 | case HOST_NEW: | 591 | case HOST_NEW: |
@@ -615,7 +605,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
615 | if (!read_yes_or_no(prompt, -1)) | 605 | if (!read_yes_or_no(prompt, -1)) |
616 | fatal("Aborted by user!\n"); | 606 | fatal("Aborted by user!\n"); |
617 | } | 607 | } |
618 | if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) { | 608 | if (options.check_host_ip && ip_status == HOST_NEW) { |
619 | snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); | 609 | snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); |
620 | hostp = hostline; | 610 | hostp = hostline; |
621 | } else | 611 | } else |
@@ -646,7 +636,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
646 | error("%s. This could either mean that", msg); | 636 | error("%s. This could either mean that", msg); |
647 | error("DNS SPOOFING is happening or the IP address for the host"); | 637 | error("DNS SPOOFING is happening or the IP address for the host"); |
648 | error("and its host key have changed at the same time."); | 638 | error("and its host key have changed at the same time."); |
649 | if (ip_line != -1) | 639 | if (ip_status != HOST_NEW) |
650 | error("Offending key for IP in %s:%d", ip_file, ip_line); | 640 | error("Offending key for IP in %s:%d", ip_file, ip_line); |
651 | } | 641 | } |
652 | /* The host key has changed. */ | 642 | /* The host key has changed. */ |
@@ -701,6 +691,22 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, | |||
701 | break; | 691 | break; |
702 | } | 692 | } |
703 | 693 | ||
694 | if (options.check_host_ip && host_status != HOST_CHANGED && | ||
695 | ip_status == HOST_CHANGED) { | ||
696 | log("Warning: the %s host key for '%.200s' " | ||
697 | "differs from the key for the IP address '%.30s'", | ||
698 | type, host, ip); | ||
699 | if (host_status == HOST_OK) | ||
700 | log("Matching host key in %s:%d", host_file, host_line); | ||
701 | log("Offending key for IP in %s:%d", ip_file, ip_line); | ||
702 | if (options.strict_host_key_checking == 1) { | ||
703 | fatal("Exiting, you have requested strict checking."); | ||
704 | } else if (options.strict_host_key_checking == 2) { | ||
705 | if (!read_yes_or_no("Continue?", -1)) | ||
706 | fatal("Aborted by user!\n"); | ||
707 | } | ||
708 | } | ||
709 | |||
704 | xfree(ip); | 710 | xfree(ip); |
705 | } | 711 | } |
706 | 712 | ||
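Review bot: In the new block after the switch (new 694-708), the `Continue?` prompt under `strict_host_key_checking == 2` is reached only after the HOST_NEW case has run, so a user who declines here has presumably already had the host key written to known_hosts by that case (its add call is outside this hunk; the `hostp = hostline` path at 608-610 suggests it). If that ordering is accepted, state it at the top of the block, e.g. `/* Runs after the per-status handling; declining here does not undo a key the HOST_NEW case already recorded. */`, otherwise the IP-key mismatch check belongs before the key is recorded. The bare `"Continue?"` also gives the user nothing to decide on; `"Continue connecting despite the mismatched IP key?"` would match the other prompts. Separately, hunk @@ -498 now evaluates `strcmp(host, ip)` before `host` is swapped for `options.host_key_alias` at 533, whereas the old comparisons at 559 and 618 ran after that swap; a one-line comment saying the real hostname is intended would make the change deliberate. check_host_key begins outside this hunk.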