1 files changed, 96 insertions, 111 deletions
diff --git a/sshconnect.c b/sshconnect.c
index e19392acf..fb6af67df 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -8,7 +8,7 @@
 */
 #include "includes.h"
-RCSID("$Id: sshconnect.c,v 1.20 2000/01/03 12:41:05 damien Exp $");
+RCSID("$Id: sshconnect.c,v 1.21 2000/01/14 04:45:52 damien Exp $");
 #ifdef HAVE_OPENSSL
 #include <openssl/bn.h>
@@ -35,6 +35,7 @@ RCSID("$Id: sshconnect.c,v 1.20 2000/01/03 12:41:05 damien Exp $");
 unsigned char session_id[16];
 extern Options options;
+extern char *__progname;
 /*
 * Connect to the given ssh server using a proxy command.
@@ -48,10 +49,10 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
        char *command_string;
        int pin[2], pout[2];
        int pid;
-        char portstring[100];
+        char strport[NI_MAXSERV];
        /* Convert the port number into a string. */
-        snprintf(portstring, sizeof portstring, "%hu", port);
+        snprintf(strport, sizeof strport, "%hu", port);
        /* Build the final command string in the buffer by making the
           appropriate substitutions to the given proxy command. */
@@ -68,7 +69,7 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
                        continue;
                }
                if (cp[0] == '%' && cp[1] == 'p') {
-                        buffer_append(&command, portstring, strlen(portstring));
+                        buffer_append(&command, strport, strlen(strport));
                        cp++;
                        continue;
                }
@@ -140,7 +141,7 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
 * Creates a (possibly privileged) socket for use as the ssh connection.
 */
 int
-ssh_create_socket(uid_t original_real_uid, int privileged)
+ssh_create_socket(uid_t original_real_uid, int privileged, int family)
 {
        int sock;
@@ -150,10 +151,9 @@ ssh_create_socket(uid_t original_real_uid, int privileged)
         */
        if (privileged) {
                int p = IPPORT_RESERVED - 1;
+                sock = rresvport_af(&p, family);
-                sock = rresvport(&p);
                if (sock < 0)
-                        fatal("rresvport: %.100s", strerror(errno));
+                        fatal("rresvport: af=%d %.100s", family, strerror(errno));
                debug("Allocated local port %d.", p);
        } else {
                /*
@@ -161,17 +161,18 @@ ssh_create_socket(uid_t original_real_uid, int privileged)
                 * the user's uid to create the socket.
                 */
                temporarily_use_uid(original_real_uid);
-                sock = socket(AF_INET, SOCK_STREAM, 0);
+                sock = socket(family, SOCK_STREAM, 0);
                if (sock < 0)
-                        fatal("socket: %.100s", strerror(errno));
+                        error("socket: %.100s", strerror(errno));
                restore_uid();
        }
        return sock;
 }
 /*
- * Opens a TCP/IP connection to the remote server on the given host.  If
+ * Opens a TCP/IP connection to the remote server on the given host.
- * port is 0, the default port will be used.  If anonymous is zero,
+ * The address of the remote host will be returned in hostaddr.
+ * If port is 0, the default port will be used.  If anonymous is zero,
 * a privileged port will be allocated to make the connection.
 * This requires super-user privileges if anonymous is false.
 * Connection_attempts specifies the maximum number of tries (one per
@@ -180,15 +181,16 @@ ssh_create_socket(uid_t original_real_uid, int privileged)
 * the daemon.
 */
 int
-ssh_connect(const char *host, struct sockaddr_in * hostaddr,
+ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
            u_short port, int connection_attempts,
            int anonymous, uid_t original_real_uid,
            const char *proxy_command)
 {
-        int sock = -1, attempt, i;
+        int sock = -1, attempt;
-        int on = 1;
        struct servent *sp;
-        struct hostent *hp;
+        struct addrinfo hints, *ai, *aitop;
+        char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+        int gaierr;
        struct linger linger;
        debug("ssh_connect: getuid %d geteuid %d anon %d",
@@ -208,8 +210,13 @@ ssh_connect(const char *host, struct sockaddr_in * hostaddr,
        /* No proxy command. */
-        /* No host lookup made yet. */
+        memset(&hints, 0, sizeof(hints));
-        hp = NULL;
+        hints.ai_family = IPv4or6;
+        hints.ai_socktype = SOCK_STREAM;
+        snprintf(strport, sizeof strport, "%d", port);
+        if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+                fatal("%s: %.100s: %s", __progname, host,
+                    gai_strerror(gaierr));
        /*
         * Try to connect several times.  On some machines, the first time
@@ -220,82 +227,40 @@ ssh_connect(const char *host, struct sockaddr_in * hostaddr,
                if (attempt > 0)
                        debug("Trying again...");
-                /* Try to parse the host name as a numeric inet address. */
+                /* Loop through addresses for this host, and try each one in
-                memset(hostaddr, 0, sizeof(hostaddr));
+                   sequence until the connection succeeds. */
-                hostaddr->sin_family = AF_INET;
+                for (ai = aitop; ai; ai = ai->ai_next) {
-                hostaddr->sin_port = htons(port);
+                        if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-                hostaddr->sin_addr.s_addr = inet_addr(host);
+                                continue;
-                if ((hostaddr->sin_addr.s_addr & 0xffffffff) != 0xffffffff) {
+                        if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
-                        /* Valid numeric IP address */
+                            ntop, sizeof(ntop), strport, sizeof(strport),
-                        debug("Connecting to %.100s port %d.",
+                            NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-                              inet_ntoa(hostaddr->sin_addr), port);
+                                error("ssh_connect: getnameinfo failed");
+                                continue;
-                        /* Create a socket. */
+                        }
-                        sock = ssh_create_socket(original_real_uid,
+                        debug("Connecting to %.200s [%.100s] port %s.",
-                                          !anonymous && geteuid() == 0 &&
+                                host, ntop, strport);
-                                                 port < IPPORT_RESERVED);
+                        /* Create a socket for connecting. */
-                        /*
+                        sock = ssh_create_socket(original_real_uid, 
-                         * Connect to the host.  We use the user's uid in the
+                            !anonymous && geteuid() == 0 && port < IPPORT_RESERVED,
-                         * hope that it will help with the problems of
+                            ai->ai_family);
-                         * tcp_wrappers showing the remote uid as root.
+                        if (sock < 0)
+                                continue;
+                        /* Connect to the host.  We use the user's uid in the
+                         * hope that it will help with tcp_wrappers showing
+                         * the remote uid as root.
                         */
                        temporarily_use_uid(original_real_uid);
-                        if (connect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+                        if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
-                            >= 0) {
+                                /* Successful connection. */
-                                /* Successful connect. */
+                                memcpy(hostaddr, ai->ai_addr, sizeof(*(ai->ai_addr)));
                                restore_uid();
                                break;
-                        }
+                        } else {
-                        debug("connect: %.100s", strerror(errno));
-                        restore_uid();
-                        /* Destroy the failed socket. */
-                        shutdown(sock, SHUT_RDWR);
-                        close(sock);
-                } else {
-                        /* Not a valid numeric inet address. */
-                        /* Map host name to an address. */
-                        if (!hp)
-                                hp = gethostbyname(host);
-                        if (!hp)
-                                fatal("Bad host name: %.100s", host);
-                        if (!hp->h_addr_list[0])
-                                fatal("Host does not have an IP address: %.100s", host);
-                        /* Loop through addresses for this host, and try
-                           each one in sequence until the connection
-                           succeeds. */
-                        for (i = 0; hp->h_addr_list[i]; i++) {
-                                /* Set the address to connect to. */
-                                hostaddr->sin_family = hp->h_addrtype;
-                                memcpy(&hostaddr->sin_addr, hp->h_addr_list[i],
-                                       sizeof(hostaddr->sin_addr));
-                                debug("Connecting to %.200s [%.100s] port %d.",
-                                      host, inet_ntoa(hostaddr->sin_addr), port);
-                                /* Create a socket for connecting. */
-                                sock = ssh_create_socket(original_real_uid,
-                                          !anonymous && geteuid() == 0 &&
-                                                 port < IPPORT_RESERVED);
-                                /*
-                                 * Connect to the host.  We use the user's
-                                 * uid in the hope that it will help with
-                                 * tcp_wrappers showing the remote uid as
-                                 * root.
-                                 */
-                                temporarily_use_uid(original_real_uid);
-                                if (connect(sock, (struct sockaddr *) hostaddr,
-                                            sizeof(*hostaddr)) >= 0) {
-                                        /* Successful connection. */
-                                        restore_uid();
-                                        break;
-                                }
                                debug("connect: %.100s", strerror(errno));
                                restore_uid();
                                /*
                                 * Close the failed socket; there appear to
                                 * be some problems when reusing a socket for
@@ -305,13 +270,16 @@ ssh_connect(const char *host, struct sockaddr_in * hostaddr,
                                shutdown(sock, SHUT_RDWR);
                                close(sock);
                        }
-                        if (hp->h_addr_list[i])
-                                break;  /* Successful connection. */
                }
+                if (ai)
+                        break;  /* Successful connection. */
                /* Sleep a moment before retrying. */
                sleep(1);
        }
+        freeaddrinfo(aitop);
        /* Return failure if we didn't get a successful connection. */
        if (attempt >= connection_attempts)
                return 0;
@@ -323,7 +291,6 @@ ssh_connect(const char *host, struct sockaddr_in * hostaddr,
         * as it has been closed for whatever reason.
         */
        /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
-        setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *) &on, sizeof(on));
        linger.l_onoff = 1;
        linger.l_linger = 5;
        setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
@@ -1095,17 +1062,43 @@ read_yes_or_no(const char *prompt, int defval)
 */
 void
-check_host_key(char *host,
+check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
-    struct sockaddr_in *hostaddr,
-    RSA *host_key)
 {
        RSA *file_key;
        char *ip = NULL;
        char hostline[1000], *hostp;
        HostStatus host_status;
        HostStatus ip_status;
-        int host_ip_differ = 0;
+        int local = 0, host_ip_differ = 0;
-        int local = (ntohl(hostaddr->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+        int sa_len;
+        char ntop[NI_MAXHOST];
+        /*
+         * Force accepting of the host key for loopback/localhost. The
+         * problem is that if the home directory is NFS-mounted to multiple
+         * machines, localhost will refer to a different machine in each of
+         * them, and the user will get bogus HOST_CHANGED warnings.  This
+         * essentially disables host authentication for localhost; however,
+         * this is probably not a real problem.
+         */
+        switch (hostaddr->sa_family) {
+        case AF_INET:
+                local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+                sa_len = sizeof(struct sockaddr_in);
+                break;
+        case AF_INET6:
+                local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
+                sa_len = sizeof(struct sockaddr_in6);
+                break;
+        default:
+                local = 0;
+                sa_len = sizeof(struct sockaddr_storage);
+                break;
+        }
+        if (local) {
+                debug("Forcing accepting of host key for loopback/localhost.");
+                return;
+        }
        /*
         * Turn off check_host_ip for proxy connects, since
@@ -1114,8 +1107,12 @@ check_host_key(char *host,
        if (options.proxy_command != NULL && options.check_host_ip)
                options.check_host_ip = 0;
-        if (options.check_host_ip)
+        if (options.check_host_ip) {
-                ip = xstrdup(inet_ntoa(hostaddr->sin_addr));
+                if (getnameinfo(hostaddr, sa_len, ntop, sizeof(ntop),
+                    NULL, 0, NI_NUMERICHOST) != 0)
+                        fatal("check_host_key: getnameinfo failed");
+                ip = xstrdup(ntop);
+        }
        /*
         * Store the host key from the known host file in here so that we can
@@ -1137,18 +1134,6 @@ check_host_key(char *host,
                                                host_key->e, host_key->n,
                                               file_key->e, file_key->n);
        /*
-         * Force accepting of the host key for localhost and 127.0.0.1. The
-         * problem is that if the home directory is NFS-mounted to multiple
-         * machines, localhost will refer to a different machine in each of
-         * them, and the user will get bogus HOST_CHANGED warnings.  This
-         * essentially disables host authentication for localhost; however,
-         * this is probably not a real problem.
-         */
-        if (local) {
-                debug("Forcing accepting of host key for localhost.");
-                host_status = HOST_OK;
-        }
-        /*
         * Also perform check for the ip address, skip the check if we are
         * localhost or the hostname was an ip address to begin with
         */
@@ -1301,7 +1286,7 @@ void
 ssh_login(int host_key_valid,
          RSA *own_host_key,
          const char *orighost,
-          struct sockaddr_in *hostaddr,
+          struct sockaddr *hostaddr,
          uid_t original_real_uid)
 {
        int i, type;

diff --git a/sshconnect.c b/sshconnect.c index e19392acf..fb6af67df 100644 --- a/sshconnect.c +++ b/sshconnect.c
@@ -8,7 +8,7 @@
8	*/	8	*/
9		9
10	#include "includes.h"	10	#include "includes.h"
11	RCSID("$Id: sshconnect.c,v 1.20 2000/01/03 12:41:05 damien Exp $");	11	RCSID("$Id: sshconnect.c,v 1.21 2000/01/14 04:45:52 damien Exp $");
12		12
13	#ifdef HAVE_OPENSSL	13	#ifdef HAVE_OPENSSL
14	#include <openssl/bn.h>	14	#include <openssl/bn.h>
@@ -35,6 +35,7 @@ RCSID("$Id: sshconnect.c,v 1.20 2000/01/03 12:41:05 damien Exp $");
35	unsigned char session_id[16];	35	unsigned char session_id[16];
36		36
37	extern Options options;	37	extern Options options;
		38	extern char *__progname;
38		39
39	/*	40	/*
40	* Connect to the given ssh server using a proxy command.	41	* Connect to the given ssh server using a proxy command.
@@ -48,10 +49,10 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
48	char *command_string;	49	char *command_string;
49	int pin[2], pout[2];	50	int pin[2], pout[2];
50	int pid;	51	int pid;
51	char portstring[100];	52	char strport[NI_MAXSERV];
52		53
53	/* Convert the port number into a string. */	54	/* Convert the port number into a string. */
54	snprintf(portstring, sizeof portstring, "%hu", port);	55	snprintf(strport, sizeof strport, "%hu", port);
55		56
56	/* Build the final command string in the buffer by making the	57	/* Build the final command string in the buffer by making the
57	appropriate substitutions to the given proxy command. */	58	appropriate substitutions to the given proxy command. */
@@ -68,7 +69,7 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
68	continue;	69	continue;
69	}	70	}
70	if (cp[0] == '%' && cp[1] == 'p') {	71	if (cp[0] == '%' && cp[1] == 'p') {
71	buffer_append(&command, portstring, strlen(portstring));	72	buffer_append(&command, strport, strlen(strport));
72	cp++;	73	cp++;
73	continue;	74	continue;
74	}	75	}
@@ -140,7 +141,7 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid,
140	* Creates a (possibly privileged) socket for use as the ssh connection.	141	* Creates a (possibly privileged) socket for use as the ssh connection.
141	*/	142	*/
142	int	143	int
143	ssh_create_socket(uid_t original_real_uid, int privileged)	144	ssh_create_socket(uid_t original_real_uid, int privileged, int family)
144	{	145	{
145	int sock;	146	int sock;
146		147
@@ -150,10 +151,9 @@ ssh_create_socket(uid_t original_real_uid, int privileged)
150	*/	151	*/
151	if (privileged) {	152	if (privileged) {
152	int p = IPPORT_RESERVED - 1;	153	int p = IPPORT_RESERVED - 1;
153		154	sock = rresvport_af(&p, family);
154	sock = rresvport(&p);
155	if (sock < 0)	155	if (sock < 0)
156	fatal("rresvport: %.100s", strerror(errno));	156	fatal("rresvport: af=%d %.100s", family, strerror(errno));
157	debug("Allocated local port %d.", p);	157	debug("Allocated local port %d.", p);
158	} else {	158	} else {
159	/*	159	/*
@@ -161,17 +161,18 @@ ssh_create_socket(uid_t original_real_uid, int privileged)
161	* the user's uid to create the socket.	161	* the user's uid to create the socket.
162	*/	162	*/
163	temporarily_use_uid(original_real_uid);	163	temporarily_use_uid(original_real_uid);
164	sock = socket(AF_INET, SOCK_STREAM, 0);	164	sock = socket(family, SOCK_STREAM, 0);
165	if (sock < 0)	165	if (sock < 0)
166	fatal("socket: %.100s", strerror(errno));	166	error("socket: %.100s", strerror(errno));
167	restore_uid();	167	restore_uid();
168	}	168	}
169	return sock;	169	return sock;
170	}	170	}
171		171
172	/*	172	/*
173	* Opens a TCP/IP connection to the remote server on the given host. If	173	* Opens a TCP/IP connection to the remote server on the given host.
174	* port is 0, the default port will be used. If anonymous is zero,	174	* The address of the remote host will be returned in hostaddr.
		175	* If port is 0, the default port will be used. If anonymous is zero,
175	* a privileged port will be allocated to make the connection.	176	* a privileged port will be allocated to make the connection.
176	* This requires super-user privileges if anonymous is false.	177	* This requires super-user privileges if anonymous is false.
177	* Connection_attempts specifies the maximum number of tries (one per	178	* Connection_attempts specifies the maximum number of tries (one per
@@ -180,15 +181,16 @@ ssh_create_socket(uid_t original_real_uid, int privileged)
180	* the daemon.	181	* the daemon.
181	*/	182	*/
182	int	183	int
183	ssh_connect(const char host, struct sockaddr_in hostaddr,	184	ssh_connect(const char host, struct sockaddr_storage hostaddr,
184	u_short port, int connection_attempts,	185	u_short port, int connection_attempts,
185	int anonymous, uid_t original_real_uid,	186	int anonymous, uid_t original_real_uid,
186	const char *proxy_command)	187	const char *proxy_command)
187	{	188	{
188	int sock = -1, attempt, i;	189	int sock = -1, attempt;
189	int on = 1;
190	struct servent *sp;	190	struct servent *sp;
191	struct hostent *hp;	191	struct addrinfo hints, ai, aitop;
		192	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
		193	int gaierr;
192	struct linger linger;	194	struct linger linger;
193		195
194	debug("ssh_connect: getuid %d geteuid %d anon %d",	196	debug("ssh_connect: getuid %d geteuid %d anon %d",
@@ -208,8 +210,13 @@ ssh_connect(const char host, struct sockaddr_in hostaddr,
208		210
209	/* No proxy command. */	211	/* No proxy command. */
210		212
211	/* No host lookup made yet. */	213	memset(&hints, 0, sizeof(hints));
212	hp = NULL;	214	hints.ai_family = IPv4or6;
		215	hints.ai_socktype = SOCK_STREAM;
		216	snprintf(strport, sizeof strport, "%d", port);
		217	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
		218	fatal("%s: %.100s: %s", __progname, host,
		219	gai_strerror(gaierr));
213		220
214	/*	221	/*
215	* Try to connect several times. On some machines, the first time	222	* Try to connect several times. On some machines, the first time
@@ -220,82 +227,40 @@ ssh_connect(const char host, struct sockaddr_in hostaddr,
220	if (attempt > 0)	227	if (attempt > 0)
221	debug("Trying again...");	228	debug("Trying again...");
222		229
223	/* Try to parse the host name as a numeric inet address. */	230	/* Loop through addresses for this host, and try each one in
224	memset(hostaddr, 0, sizeof(hostaddr));	231	sequence until the connection succeeds. */
225	hostaddr->sin_family = AF_INET;	232	for (ai = aitop; ai; ai = ai->ai_next) {
226	hostaddr->sin_port = htons(port);	233	if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
227	hostaddr->sin_addr.s_addr = inet_addr(host);	234	continue;
228	if ((hostaddr->sin_addr.s_addr & 0xffffffff) != 0xffffffff) {	235	if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
229	/* Valid numeric IP address */	236	ntop, sizeof(ntop), strport, sizeof(strport),
230	debug("Connecting to %.100s port %d.",	237	NI_NUMERICHOST\|NI_NUMERICSERV) != 0) {
231	inet_ntoa(hostaddr->sin_addr), port);	238	error("ssh_connect: getnameinfo failed");
232		239	continue;
233	/* Create a socket. */	240	}
234	sock = ssh_create_socket(original_real_uid,	241	debug("Connecting to %.200s [%.100s] port %s.",
235	!anonymous && geteuid() == 0 &&	242	host, ntop, strport);
236	port < IPPORT_RESERVED);	243
237		244	/* Create a socket for connecting. */
238	/*	245	sock = ssh_create_socket(original_real_uid,
239	* Connect to the host. We use the user's uid in the	246	!anonymous && geteuid() == 0 && port < IPPORT_RESERVED,
240	* hope that it will help with the problems of	247	ai->ai_family);
241	* tcp_wrappers showing the remote uid as root.	248	if (sock < 0)
		249	continue;
		250
		251	/* Connect to the host. We use the user's uid in the
		252	* hope that it will help with tcp_wrappers showing
		253	* the remote uid as root.
242	*/	254	*/
243	temporarily_use_uid(original_real_uid);	255	temporarily_use_uid(original_real_uid);
244	if (connect(sock, (struct sockaddr ) hostaddr, sizeof(hostaddr))	256	if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
245	>= 0) {	257	/* Successful connection. */
246	/* Successful connect. */	258	memcpy(hostaddr, ai->ai_addr, sizeof(*(ai->ai_addr)));
247	restore_uid();	259	restore_uid();
248	break;	260	break;
249	}	261	} else {
250	debug("connect: %.100s", strerror(errno));
251	restore_uid();
252
253	/* Destroy the failed socket. */
254	shutdown(sock, SHUT_RDWR);
255	close(sock);
256	} else {
257	/* Not a valid numeric inet address. */
258	/* Map host name to an address. */
259	if (!hp)
260	hp = gethostbyname(host);
261	if (!hp)
262	fatal("Bad host name: %.100s", host);
263	if (!hp->h_addr_list[0])
264	fatal("Host does not have an IP address: %.100s", host);
265
266	/* Loop through addresses for this host, and try
267	each one in sequence until the connection
268	succeeds. */
269	for (i = 0; hp->h_addr_list[i]; i++) {
270	/* Set the address to connect to. */
271	hostaddr->sin_family = hp->h_addrtype;
272	memcpy(&hostaddr->sin_addr, hp->h_addr_list[i],
273	sizeof(hostaddr->sin_addr));
274
275	debug("Connecting to %.200s [%.100s] port %d.",
276	host, inet_ntoa(hostaddr->sin_addr), port);
277
278	/* Create a socket for connecting. */
279	sock = ssh_create_socket(original_real_uid,
280	!anonymous && geteuid() == 0 &&
281	port < IPPORT_RESERVED);
282
283	/*
284	* Connect to the host. We use the user's
285	* uid in the hope that it will help with
286	* tcp_wrappers showing the remote uid as
287	* root.
288	*/
289	temporarily_use_uid(original_real_uid);
290	if (connect(sock, (struct sockaddr *) hostaddr,
291	sizeof(*hostaddr)) >= 0) {
292	/* Successful connection. */
293	restore_uid();
294	break;
295	}
296	debug("connect: %.100s", strerror(errno));	262	debug("connect: %.100s", strerror(errno));
297	restore_uid();	263	restore_uid();
298
299	/*	264	/*
300	* Close the failed socket; there appear to	265	* Close the failed socket; there appear to
301	* be some problems when reusing a socket for	266	* be some problems when reusing a socket for
@@ -305,13 +270,16 @@ ssh_connect(const char host, struct sockaddr_in hostaddr,
305	shutdown(sock, SHUT_RDWR);	270	shutdown(sock, SHUT_RDWR);
306	close(sock);	271	close(sock);
307	}	272	}
308	if (hp->h_addr_list[i])
309	break; /* Successful connection. */
310	}	273	}
		274	if (ai)
		275	break; /* Successful connection. */
311		276
312	/* Sleep a moment before retrying. */	277	/* Sleep a moment before retrying. */
313	sleep(1);	278	sleep(1);
314	}	279	}
		280
		281	freeaddrinfo(aitop);
		282
315	/* Return failure if we didn't get a successful connection. */	283	/* Return failure if we didn't get a successful connection. */
316	if (attempt >= connection_attempts)	284	if (attempt >= connection_attempts)
317	return 0;	285	return 0;
@@ -323,7 +291,6 @@ ssh_connect(const char host, struct sockaddr_in hostaddr,
323	* as it has been closed for whatever reason.	291	* as it has been closed for whatever reason.
324	*/	292	*/
325	/* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void )&on, sizeof(on)); /	293	/* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void )&on, sizeof(on)); /
326	setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *) &on, sizeof(on));
327	linger.l_onoff = 1;	294	linger.l_onoff = 1;
328	linger.l_linger = 5;	295	linger.l_linger = 5;
329	setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));	296	setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
@@ -1095,17 +1062,43 @@ read_yes_or_no(const char *prompt, int defval)
1095	*/	1062	*/
1096		1063
1097	void	1064	void
1098	check_host_key(char *host,	1065	check_host_key(char host, struct sockaddr hostaddr, RSA *host_key)
1099	struct sockaddr_in *hostaddr,
1100	RSA *host_key)
1101	{	1066	{
1102	RSA *file_key;	1067	RSA *file_key;
1103	char *ip = NULL;	1068	char *ip = NULL;
1104	char hostline[1000], *hostp;	1069	char hostline[1000], *hostp;
1105	HostStatus host_status;	1070	HostStatus host_status;
1106	HostStatus ip_status;	1071	HostStatus ip_status;
1107	int host_ip_differ = 0;	1072	int local = 0, host_ip_differ = 0;
1108	int local = (ntohl(hostaddr->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;	1073	int sa_len;
		1074	char ntop[NI_MAXHOST];
		1075
		1076	/*
		1077	* Force accepting of the host key for loopback/localhost. The
		1078	* problem is that if the home directory is NFS-mounted to multiple
		1079	* machines, localhost will refer to a different machine in each of
		1080	* them, and the user will get bogus HOST_CHANGED warnings. This
		1081	* essentially disables host authentication for localhost; however,
		1082	* this is probably not a real problem.
		1083	*/
		1084	switch (hostaddr->sa_family) {
		1085	case AF_INET:
		1086	local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
		1087	sa_len = sizeof(struct sockaddr_in);
		1088	break;
		1089	case AF_INET6:
		1090	local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
		1091	sa_len = sizeof(struct sockaddr_in6);
		1092	break;
		1093	default:
		1094	local = 0;
		1095	sa_len = sizeof(struct sockaddr_storage);
		1096	break;
		1097	}
		1098	if (local) {
		1099	debug("Forcing accepting of host key for loopback/localhost.");
		1100	return;
		1101	}
1109		1102
1110	/*	1103	/*
1111	* Turn off check_host_ip for proxy connects, since	1104	* Turn off check_host_ip for proxy connects, since
@@ -1114,8 +1107,12 @@ check_host_key(char *host,
1114	if (options.proxy_command != NULL && options.check_host_ip)	1107	if (options.proxy_command != NULL && options.check_host_ip)
1115	options.check_host_ip = 0;	1108	options.check_host_ip = 0;
1116		1109
1117	if (options.check_host_ip)	1110	if (options.check_host_ip) {
1118	ip = xstrdup(inet_ntoa(hostaddr->sin_addr));	1111	if (getnameinfo(hostaddr, sa_len, ntop, sizeof(ntop),
		1112	NULL, 0, NI_NUMERICHOST) != 0)
		1113	fatal("check_host_key: getnameinfo failed");
		1114	ip = xstrdup(ntop);
		1115	}
1119		1116
1120	/*	1117	/*
1121	* Store the host key from the known host file in here so that we can	1118	* Store the host key from the known host file in here so that we can
@@ -1137,18 +1134,6 @@ check_host_key(char *host,
1137	host_key->e, host_key->n,	1134	host_key->e, host_key->n,
1138	file_key->e, file_key->n);	1135	file_key->e, file_key->n);
1139	/*	1136	/*
1140	* Force accepting of the host key for localhost and 127.0.0.1. The
1141	* problem is that if the home directory is NFS-mounted to multiple
1142	* machines, localhost will refer to a different machine in each of
1143	* them, and the user will get bogus HOST_CHANGED warnings. This
1144	* essentially disables host authentication for localhost; however,
1145	* this is probably not a real problem.
1146	*/
1147	if (local) {
1148	debug("Forcing accepting of host key for localhost.");
1149	host_status = HOST_OK;
1150	}
1151	/*
1152	* Also perform check for the ip address, skip the check if we are	1137	* Also perform check for the ip address, skip the check if we are
1153	* localhost or the hostname was an ip address to begin with	1138	* localhost or the hostname was an ip address to begin with
1154	*/	1139	*/
@@ -1301,7 +1286,7 @@ void
1301	ssh_login(int host_key_valid,	1286	ssh_login(int host_key_valid,
1302	RSA *own_host_key,	1287	RSA *own_host_key,
1303	const char *orighost,	1288	const char *orighost,
1304	struct sockaddr_in *hostaddr,	1289	struct sockaddr *hostaddr,
1305	uid_t original_real_uid)	1290	uid_t original_real_uid)
1306	{	1291	{
1307	int i, type;	1292	int i, type;