Diffstat (limited to 'sshconnect.c')
-rw-r--r--sshconnect.c75
1 files changed, 65 insertions, 10 deletions
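--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.263 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.271 2016/01/14 22:56:56 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -59,12 +59,12 @@
 #include "readconf.h"
 #include "atomicio.h"
 #include "dns.h"
-#include "roaming.h"
 #include "monitor_fdpass.h"
 #include "ssh2.h"
 #include "version.h"
 #include "authfile.h"
 #include "ssherr.h"
+#include "authfd.h"
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
@@ -167,6 +167,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port,
 
 	if ((sock = mm_receive_fd(sp[1])) == -1)
 		fatal("proxy dialer did not pass back a connection");
+	close(sp[1]);
 
 	while (waitpid(pid, NULL, 0) == -1)
 		if (errno != EINTR)
@@ -432,7 +433,9 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 	struct addrinfo *ai;
 
-	debug2("ssh_connect: needpriv %d", needpriv);
+	debug2("%s: needpriv %d", __func__, needpriv);
+	memset(ntop, 0, sizeof(ntop));
+	memset(strport, 0, sizeof(strport));
 
 	for (attempt = 0; attempt < connection_attempts; attempt++) {
 		if (attempt > 0) {
@@ -451,7 +454,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
 			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
 			    ntop, sizeof(ntop), strport, sizeof(strport),
 			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-				error("ssh_connect: getnameinfo failed");
+				error("%s: getnameinfo failed", __func__);
 				continue;
 			}
 			debug("Connecting to %.200s [%.100s] port %s.",
@@ -529,7 +532,7 @@ send_client_banner(int connection_out, int minor1)
 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
 		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
 	}
-	if (roaming_atomicio(vwrite, connection_out, client_version_string,
+	if (atomicio(vwrite, connection_out, client_version_string,
 	    strlen(client_version_string)) != strlen(client_version_string))
 		fatal("write: %.100s", strerror(errno));
 	chop(client_version_string);
@@ -589,7 +592,7 @@ ssh_exchange_identification(int timeout_ms)
 			}
 		}
 
-		len = roaming_atomicio(read, connection_in, &buf[i], 1);
+		len = atomicio(read, connection_in, &buf[i], 1);
 
 		if (len != 1 && errno == EPIPE)
 			fatal("ssh_exchange_identification: "
@@ -925,7 +928,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
 		    options.fingerprint_hash, SSH_FP_RANDOMART);
 		if (fp == NULL || ra == NULL)
 			fatal("%s: sshkey_fingerprint fail", __func__);
-		logit("Host key fingerprint is %s\n%s\n", fp, ra);
+		logit("Host key fingerprint is %s\n%s", fp, ra);
 		free(ra);
 		free(fp);
 	}
@@ -1236,8 +1239,9 @@ fail:
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
+	u_int i;
 	int r = -1, flags = 0;
-	char *fp = NULL;
+	char valid[64], *fp = NULL, *cafp = NULL;
 	struct sshkey *plain = NULL;
 
 	if ((fp = sshkey_fingerprint(host_key,
@@ -1247,8 +1251,31 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 		goto out;
 	}
 
-	debug("Server host key: %s %s",
-	    compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
+	if (sshkey_is_cert(host_key)) {
+		if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
+		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+			error("%s: fingerprint CA key: %s",
+			    __func__, ssh_err(r));
+			r = -1;
+			goto out;
+		}
+		sshkey_format_cert_validity(host_key->cert,
+		    valid, sizeof(valid));
+		debug("Server host certificate: %s %s, serial %llu "
+		    "ID \"%s\" CA %s %s valid %s",
+		    sshkey_ssh_name(host_key), fp,
+		    (unsigned long long)host_key->cert->serial,
+		    host_key->cert->key_id,
+		    sshkey_ssh_name(host_key->cert->signature_key), cafp,
+		    valid);
+		for (i = 0; i < host_key->cert->nprincipals; i++) {
+			debug2("Server host certificate hostname: %s",
+			    host_key->cert->principals[i]);
+		}
+	} else {
+		debug("Server host key: %s %s", compat20 ?
+		    sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
+	}
 
 	if (sshkey_equal(previous_host_key, host_key)) {
 		debug2("%s: server host key %s %s matches cached key",
@@ -1313,6 +1340,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 out:
 	sshkey_free(plain);
 	free(fp);
+	free(cafp);
 	if (r == 0 && host_key != NULL) {
 		key_free(previous_host_key);
 		previous_host_key = key_from_private(host_key);
@@ -1487,3 +1515,30 @@ ssh_local_cmd(const char *args)
 
 	return (WEXITSTATUS(status));
 }
+
+void
+maybe_add_key_to_agent(char *authfile, Key *private, char *comment,
+    char *passphrase)
+{
+	int auth_sock = -1, r;
+
+	if (options.add_keys_to_agent == 0)
+		return;
+
+	if ((r = ssh_get_authentication_socket(&auth_sock)) != 0) {
+		debug3("no authentication agent, not adding key");
+		return;
+	}
+
+	if (options.add_keys_to_agent == 2 &&
+	    !ask_permission("Add key %s (%s) to agent?", authfile, comment)) {
+		debug3("user denied adding this key");
+		return;
+	}
+
+	if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
+	    (options.add_keys_to_agent == 3))) == 0)
+		debug("identity added to agent: %s", authfile);
+	else
+		debug("could not add identity to agent: %s (%d)", authfile, r);
+}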
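Review bot: maybe_add_key_to_agent never closes `auth_sock` once ssh_get_authentication_socket() has succeeded, so both the ask_permission() refusal path and the path after ssh_add_identity_constrained() leave the agent connection open in the client for the rest of its lifetime, one descriptor per identity loaded. Add `close(auth_sock);` before the `return` in the denial branch and again after the add-identity if/else, so every successful socket acquisition has a matching release. This assumes ssh_get_authentication_socket() hands back an open descriptor in *auth_sock on success, which the visible use of auth_sock implies but the hunk does not show. The `passphrase` parameter is also unused in the body; if it is kept for the caller's interface, a `/* unused */` comment would make that deliberate rather than an oversight.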