diff options
Diffstat (limited to 'sshconnect.c')
| -rw-r--r-- | sshconnect.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/sshconnect.c b/sshconnect.c index 9c1550a96..8c5f66dd5 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect.c,v 1.209 2008/06/26 11:46:31 grunk Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.210 2008/07/01 07:20:52 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -596,7 +596,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 596 | int salen; | 596 | int salen; |
| 597 | char ntop[NI_MAXHOST]; | 597 | char ntop[NI_MAXHOST]; |
| 598 | char msg[1024]; | 598 | char msg[1024]; |
| 599 | int len, host_line, ip_line; | 599 | int len, host_line, ip_line, cancelled_forwarding = 0; |
| 600 | const char *host_file = NULL, *ip_file = NULL; | 600 | const char *host_file = NULL, *ip_file = NULL; |
| 601 | 601 | ||
| 602 | /* | 602 | /* |
| @@ -878,27 +878,32 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 878 | error("Password authentication is disabled to avoid " | 878 | error("Password authentication is disabled to avoid " |
| 879 | "man-in-the-middle attacks."); | 879 | "man-in-the-middle attacks."); |
| 880 | options.password_authentication = 0; | 880 | options.password_authentication = 0; |
| 881 | cancelled_forwarding = 1; | ||
| 881 | } | 882 | } |
| 882 | if (options.kbd_interactive_authentication) { | 883 | if (options.kbd_interactive_authentication) { |
| 883 | error("Keyboard-interactive authentication is disabled" | 884 | error("Keyboard-interactive authentication is disabled" |
| 884 | " to avoid man-in-the-middle attacks."); | 885 | " to avoid man-in-the-middle attacks."); |
| 885 | options.kbd_interactive_authentication = 0; | 886 | options.kbd_interactive_authentication = 0; |
| 886 | options.challenge_response_authentication = 0; | 887 | options.challenge_response_authentication = 0; |
| 888 | cancelled_forwarding = 1; | ||
| 887 | } | 889 | } |
| 888 | if (options.challenge_response_authentication) { | 890 | if (options.challenge_response_authentication) { |
| 889 | error("Challenge/response authentication is disabled" | 891 | error("Challenge/response authentication is disabled" |
| 890 | " to avoid man-in-the-middle attacks."); | 892 | " to avoid man-in-the-middle attacks."); |
| 891 | options.challenge_response_authentication = 0; | 893 | options.challenge_response_authentication = 0; |
| 894 | cancelled_forwarding = 1; | ||
| 892 | } | 895 | } |
| 893 | if (options.forward_agent) { | 896 | if (options.forward_agent) { |
| 894 | error("Agent forwarding is disabled to avoid " | 897 | error("Agent forwarding is disabled to avoid " |
| 895 | "man-in-the-middle attacks."); | 898 | "man-in-the-middle attacks."); |
| 896 | options.forward_agent = 0; | 899 | options.forward_agent = 0; |
| 900 | cancelled_forwarding = 1; | ||
| 897 | } | 901 | } |
| 898 | if (options.forward_x11) { | 902 | if (options.forward_x11) { |
| 899 | error("X11 forwarding is disabled to avoid " | 903 | error("X11 forwarding is disabled to avoid " |
| 900 | "man-in-the-middle attacks."); | 904 | "man-in-the-middle attacks."); |
| 901 | options.forward_x11 = 0; | 905 | options.forward_x11 = 0; |
| 906 | cancelled_forwarding = 1; | ||
| 902 | } | 907 | } |
| 903 | if (options.num_local_forwards > 0 || | 908 | if (options.num_local_forwards > 0 || |
| 904 | options.num_remote_forwards > 0) { | 909 | options.num_remote_forwards > 0) { |
| @@ -906,12 +911,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | |||
| 906 | "man-in-the-middle attacks."); | 911 | "man-in-the-middle attacks."); |
| 907 | options.num_local_forwards = | 912 | options.num_local_forwards = |
| 908 | options.num_remote_forwards = 0; | 913 | options.num_remote_forwards = 0; |
| 914 | cancelled_forwarding = 1; | ||
| 909 | } | 915 | } |
| 910 | if (options.tun_open != SSH_TUNMODE_NO) { | 916 | if (options.tun_open != SSH_TUNMODE_NO) { |
| 911 | error("Tunnel forwarding is disabled to avoid " | 917 | error("Tunnel forwarding is disabled to avoid " |
| 912 | "man-in-the-middle attacks."); | 918 | "man-in-the-middle attacks."); |
| 913 | options.tun_open = SSH_TUNMODE_NO; | 919 | options.tun_open = SSH_TUNMODE_NO; |
| 920 | cancelled_forwarding = 1; | ||
| 914 | } | 921 | } |
| 922 | if (options.exit_on_forward_failure && cancelled_forwarding) | ||
| 923 | fatal("Error: forwarding disabled due to host key " | ||
| 924 | "check failure"); | ||
| 925 | |||
| 915 | /* | 926 | /* |
| 916 | * XXX Should permit the user to change to use the new id. | 927 | * XXX Should permit the user to change to use the new id. |
| 917 | * This could be done by converting the host key to an | 928 | * This could be done by converting the host key to an |